FYI - slow scans for https...

From: Russell Fulton (R.FULTON@auckland.ac.nz)
Date: 03/03/02


From: Russell Fulton <R.FULTON@auckland.ac.nz>
To: incidents@securityfocus.com
Date: 04 Mar 2002 10:30:50 +1300

FYI...

Over the last two days I have seen two long-running, slow (a few packets
per hour) scans of port tcp 433 in two different networks I monitor:

2002-03-03-12:19:32 tcp 62.22.28.56:3949 -> 130.216.214.10:443 S_
2002-03-03-12:28:02 tcp 62.22.28.56:4177 -> 130.216.215.10:443 S_
2002-03-03-12:36:34 tcp 62.22.28.56:4404 -> 130.216.216.10:443 S_
2002-03-03-12:45:00 tcp 62.22.28.56:4738 -> 130.216.217.10:443 S_
2002-03-03-12:53:30 tcp 62.22.28.56:4889 -> 130.216.218.10:443 S_
2002-03-03-13:01:59 tcp 62.22.28.56:1458 -> 130.216.219.10:443 S_
2002-03-03-13:10:29 tcp 62.22.28.56:1625 -> 130.216.220.10:443 S_
2002-03-03-13:19:00 tcp 62.22.28.56:1836 -> 130.216.221.10:443 S_
2002-03-03-13:27:30 tcp 62.22.28.56:1952 -> 130.216.222.10:443 S_
2002-03-03-13:35:59 tcp 62.22.28.56:2105 -> 130.216.223.10:443 S_
2002-03-03-13:44:27 tcp 62.22.28.56:2610 -> 130.216.224.10:443 S_
2002-03-03-13:52:55 tcp 62.22.28.56:2796 -> 130.216.225.10:443 S_

2002-03-03-02:42:44 tcp 80.26.13.125:58266 -> 130.216.4.3:443 S_
2002-03-03-02:56:02 tcp 80.26.13.125:50285 -> 130.216.5.3:443 S_
2002-03-03-03:09:22 tcp 80.26.13.125:52702 -> 130.216.6.3:443 S_
2002-03-03-03:22:46 tcp 80.26.13.125:55353 -> 130.216.7.3:443 S_
2002-03-03-03:36:05 tcp 80.26.13.125:58038 -> 130.216.8.3:443 S_
2002-03-03-03:49:26 tcp 80.26.13.125:51031 -> 130.216.9.3:443 S_
2002-03-03-04:16:08 tcp 80.26.13.125:57173 -> 130.216.11.3:443 S_
2002-03-03-04:56:15 tcp 80.26.13.125:57267 -> 130.216.14.3:443 S_
2002-03-03-05:22:57 tcp 80.26.13.125:54947 -> 130.216.16.3:443 S_
2002-03-03-05:36:16 tcp 80.26.13.125:58925 -> 130.216.17.3:443 S_
2002-03-03-06:16:22 tcp 80.26.13.125:51119 -> 130.216.20.3:443 S_

As you can see from the traces, both vary the 3rd octet fastest.

I reported the scan from 80.26.13.125 last week but I have not had any
response from the ISP involved. I reported the 62.22.28.56 scan this
morning.

Interestingly both these IP addresses appear to be allocated in Spain.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
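
Added example, not part of the original post: one way to pick sweeps like these out of a connection log, since a few packets per hour stay under ordinary per-minute scan thresholds. The function name, the thresholds, and the reading of "S_" as a SYN with no reply are assumptions; the last two sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log format as quoted in the post; the flag field may be wrapped onto the next line.
LINE = re.compile(
    r"(\d{4}-\d\d-\d\d-\d\d:\d\d:\d\d)\s+tcp\s+"
    r"(\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)")

def find_slow_sweeps(log_text, min_targets=5, max_per_hour=10.0):
    """Map (source, dest port) -> summary for low-rate sweeps across many hosts."""
    probes = defaultdict(list)
    for ts, src, dst, dport, flags in LINE.findall(log_text):
        if flags == "S_":  # assumption: "S_" marks a SYN that got no reply
            when = datetime.strptime(ts, "%Y-%m-%d-%H:%M:%S")
            probes[(src, int(dport))].append((when, dst))
    findings = {}
    for key, hits in probes.items():
        hits.sort()
        targets = {dst for _, dst in hits}
        hours = (hits[-1][0] - hits[0][0]).total_seconds() / 3600
        if len(targets) < min_targets or hours == 0:
            continue
        rate = (len(hits) - 1) / hours  # probes per hour between first and last
        if rate > max_per_hour:
            continue  # fast scans are left to ordinary rate-based alerting
        # Which octets differ between targets shows the sweep order.
        columns = zip(*(t.split(".") for t in targets))
        varying = [i + 1 for i, col in enumerate(columns) if len(set(col)) > 1]
        findings[key] = {"targets": len(targets), "per_hour": round(rate, 1),
                         "varying_octets": varying}
    return findings

# Six lines from the post, then two constructed lines (one client retrying one host).
SAMPLE = """\
2002-03-03-12:19:32 tcp 62.22.28.56:3949 -> 130.216.214.10:443 S_
2002-03-03-12:28:02 tcp 62.22.28.56:4177 -> 130.216.215.10:443
S_
2002-03-03-12:36:34 tcp 62.22.28.56:4404 -> 130.216.216.10:443 S_
2002-03-03-12:45:00 tcp 62.22.28.56:4738 -> 130.216.217.10:443 S_
2002-03-03-12:53:30 tcp 62.22.28.56:4889 -> 130.216.218.10:443 S_
2002-03-03-13:01:59 tcp 62.22.28.56:1458 -> 130.216.219.10:443 S_
2002-03-03-12:30:00 tcp 192.0.2.7:40001 -> 130.216.1.20:443 S_
2002-03-03-12:30:03 tcp 192.0.2.7:40002 -> 130.216.1.20:443 S_
"""

if __name__ == "__main__":
    for (src, port), info in find_slow_sweeps(SAMPLE).items():
        print(src, port, info)
```

The observation window has to span hours for this to work, so it runs over retained logs rather than a short sliding buffer.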
