re: TCP 1025 scanning worm?

From: Richard Johnson (rdump@river.com)
Date: 07/18/02


Date: Thu, 18 Jul 2002 14:07:39 -0600
To: incidents@securityfocus.com
From: "Richard Johnson" <rdump@river.com>

At 11:36 -0700 on 18/07/2002, H C wrote:
> Have you checked your own machine w/ fport? I've got
> ports open in that range on my system right now, but
> they're all used by MS processes.

Don't have any Windows boxes. ;-)

>> The ramp up in volume from widely separated source
>> IPs looks wormy.
>
> How so? The log extract you provided doesn't show any
> data...it looks as if the initial SYN packet was
> denied. This could easily be a port scanner.

Yes, it was clearly a port scan. The ramp up among divergent source IPs I
saw while I was sitting on 206./16 and later 204./16 networks looked like a
spreading infection.

I've seen little corroboration, though, so I'm concluding whatever was
going on was targeted at a few networks, or had a very poor RNG for seeding
the scan list. It never made it down to 138./16 or 128./16, as far as I
can tell.

Richard

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com