re: TCP 1025 scanning worm?
From: Richard Johnson (rdump@river.com)
Date: 07/18/02
Date: Thu, 18 Jul 2002 14:07:39 -0600
To: incidents@securityfocus.com
From: "Richard Johnson" <rdump@river.com>
At 11:36 -0700 on 18/07/2002, H C wrote:
> Have you checked your own machine w/ fport? I've got
> ports open in that range on my system right now, but
> they're all used by MS processes.
Don't have any Windows boxes. ;-)
>> The ramp up in volume from widely separated source
>> IPs looks wormy.
>
> How so? The log extract you provided doesn't show any
> data...it looks as if the initial SYN packet was
> denied. This could easily be a port scanner.
Yes, it was clearly a port scan. The ramp up among divergent source IPs I
saw while I was sitting on 206./16 and later 204./16 networks looked like a
spreading infection.
I've seen little corroboration, though, so I'm concluding whatever was
going on was targeted at a few networks, or had a very poor RNG for seeding
the scan list. It never made it down to 138./16 or 128./16, as far as I
can tell.
Richard
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com