RE: Decrease in 1433 Scans?

From: John Campbell (jcampbell@wsipc.org)
Date: 05/23/02


Date: Thu, 23 May 2002 10:30:38 -0700
From: "John Campbell" <jcampbell@wsipc.org>
To: "Matt Barton" <matt@webexc.com>, <incidents@securityfocus.com>

Yesterday was actually our busiest day so far for 1433 scans. We saw
our first presumably automated scan (111 connection attempts, within a
few seconds) on 5/19. Yesterday (5/22) we got three of them, for a
total of 300 or so connection attempts. This is in comparison to the 80K -
120K TCP 80 scans we get per day, depending on what day of the month it
is.

John Campbell, CISSP, GCWN
Information Security Engineer
Washington School Information Processing Cooperative
(WSIPC)

-----Original Message-----
From: Matt Barton [mailto:matt@webexc.com]
Sent: Thursday, May 23, 2002 9:38 AM
To: incidents@securityfocus.com
Subject: Decrease in 1433 Scans?

Hello

Access attempts to port 1433 have been steady all this week, with tons
of attempts every hour showing up in our firewall log; however, I have
not had a single attempt since 5:43 AM EST (no EDT here in Indiana).

The firewall is still logging and the integrity of my access-list
appears to be fine. I doubt our uplink provider is doing this, as I can
reach the firewall if I attempt to connect to port 1433 with nmap from a
remote system.

Anyone else seeing this?

-- 

Matt Barton
Webexcellence
matt@webexc.com
Phone: 317.423.3548 x22
Fax: 317.423.8735
www.webexc.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



