Re: Increase in nmap pings

[Michael Schwartzkopff <misch () multinet de>]

Hi,

its the sasser worm. The infected computer has port 5554 open. You can check 
it with any scanner. But still find the numbers increasing ...


Am Montag, 3. Mai 2004 18:49 schrieb Larry Pitcher:
> I got several this morning (not hundreds) from 80.132.233.166, apparently
> from Germany.
>
> Larry Pitcher
> pitcherl () bakerboyer com
>
>
>
> -----Original Message-----
> From: Chuck Holley [mailto:cholley () fitnessquest com]
> Sent: Monday, May 03, 2004 8:17 AM
> To: 'Miner, Jonathan W'; 'Snort-users '
> Subject: RE: [Snort-users] Increase in nmap pings
>
>
> I noticed some too. Not a whole lot but about a dozen.  Out of france?
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Miner,
> Jonathan W
> Sent: Monday, May 03, 2004 11:05 AM
> To: 'Snort-users '
> Subject: RE: [Snort-users] Increase in nmap pings
>
> Checking my logs for NMAP events, I concur with Michael's observations:
>
> 5/1 0005h (EST) - 5/2 0005h (EST): 2
> 5/2 0005h (EST) - 5/3 0005h (EST): 39
> 5/3 0005h (EST) - now: 2483
>
> The bulk of the "ICMP PING NMAP" events started after 0117h (EST). Many
> different sources and destinations.
>
> -----Original Message-----
> From: Michael Schwartzkopff
> To: Snort-users
> Sent: 5/3/04 8:47 AM
> Subject: [Snort-users] Increase in nmap pings
>
> since 9:00 CEST (7:00 GMT) I see a massive increase in nmap pings SID
> 469.
>
> Some questions:
>
> - - Anybody else seeing it?
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle 10g.
> Take an Oracle 10g class now, and we'll give you the exam FREE.
> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle 10g.
> Take an Oracle 10g class now, and we'll give you the exam FREE.
> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle 10g.
> Take an Oracle 10g class now, and we'll give you the exam FREE.
> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. 
Take an Oracle 10g class now, and we'll give you the exam FREE. 
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users