What's going on here?

From: Jackie (JackieJ@Syllables.com)
Date: 08/24/02


Date: Fri, 23 Aug 2002 19:57:28 -0400
From: Jackie <JackieJ@Syllables.com>
To: incidents@securityfocus.com

ZoneAlarm reported this burst, all from port 80 on a reserved IP
block. What the honk's going on?

FWIN,2002/08/23,18:47:42 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
FWIN,2002/08/23,18:47:42 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)
FWIN,2002/08/23,18:47:42 -4:00 GMT,10.10.2.103:80,xxx.xx.96.7:12156,TCP (flags:S)
FWIN,2002/08/23,18:47:44 -4:00 GMT,10.10.2.109:80,xxx.xx.96.7:28165,TCP (flags:S)
FWIN,2002/08/23,18:47:44 -4:00 GMT,10.60.1.103:80,xxx.xx.96.7:13290,TCP (flags:S)
FWIN,2002/08/23,18:47:46 -4:00 GMT,10.10.2.110:80,xxx.xx.96.7:64194,TCP (flags:S)
FWIN,2002/08/23,18:47:46 -4:00 GMT,10.10.2.103:80,xxx.xx.96.7:13928,TCP (flags:S)
FWIN,2002/08/23,18:47:56 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:6601,TCP (flags:S)
FWIN,2002/08/23,18:47:56 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
FWIN,2002/08/23,18:47:58 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:16797,TCP (flags:S)
FWIN,2002/08/23,18:47:58 -4:00 GMT,10.10.2.107:80,xxx.xx.96.7:5692,TCP (flags:S)
FWIN,2002/08/23,18:48:00 -4:00 GMT,10.60.1.103:80,xxx.xx.96.7:13290,TCP (flags:S)
FWIN,2002/08/23,18:48:00 -4:00 GMT,10.10.2.109:80,xxx.xx.96.7:48388,TCP (flags:S)
FWIN,2002/08/23,18:48:02 -4:00 GMT,10.10.2.104:80,xxx.xx.96.7:12516,TCP (flags:S)
FWIN,2002/08/23,18:48:02 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:61199,TCP (flags:S)
FWIN,2002/08/23,18:48:02 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:52484,TCP (flags:S)
FWIN,2002/08/23,18:48:14 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:6601,TCP (flags:S)
FWIN,2002/08/23,18:48:16 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
FWIN,2002/08/23,18:48:16 -4:00 GMT,10.10.2.104:80,xxx.xx.96.7:44131,TCP (flags:S)
FWIN,2002/08/23,18:48:20 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)
FWIN,2002/08/23,18:48:20 -4:00 GMT,10.10.2.103:80,xxx.xx.96.7:12156,TCP (flags:S)
FWIN,2002/08/23,18:48:22 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:33730,TCP (flags:S)
FWIN,2002/08/23,18:48:22 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:61199,TCP (flags:S)
FWIN,2002/08/23,18:48:24 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:52484,TCP (flags:S)
FWIN,2002/08/23,18:48:26 -4:00 GMT,10.10.2.110:80,xxx.xx.96.7:64194,TCP (flags:S)
FWIN,2002/08/23,18:48:26 -4:00 GMT,10.10.2.103:80,xxx.xx.96.7:13928,TCP (flags:S)
FWIN,2002/08/23,18:48:26 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:16797,TCP (flags:S)
FWIN,2002/08/23,18:48:26 -4:00 GMT,10.10.2.107:80,xxx.xx.96.7:5692,TCP (flags:S)
FWIN,2002/08/23,18:48:28 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:6601,TCP (flags:S)
FWIN,2002/08/23,18:48:28 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
FWIN,2002/08/23,18:48:28 -4:00 GMT,10.10.2.109:80,xxx.xx.96.7:48388,TCP (flags:S)
FWIN,2002/08/23,18:48:28 -4:00 GMT,10.10.2.104:80,xxx.xx.96.7:12516,TCP (flags:S)
FWIN,2002/08/23,18:48:30 -4:00 GMT,10.10.2.109:80,xxx.xx.96.7:44131,TCP (flags:S)
FWIN,2002/08/23,18:48:32 -4:00 GMT,10.60.1.103:80,xxx.xx.96.7:13290,TCP (flags:S)
FWIN,2002/08/23,18:48:32 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:33730,TCP (flags:S)
FWIN,2002/08/23,18:48:32 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:61199,TCP (flags:S)
FWIN,2002/08/23,18:48:34 -4:00 GMT,10.10.2.112:80,xxx.xx.96.7:59112,TCP (flags:S)
FWIN,2002/08/23,18:48:44 -4:00 GMT,10.10.2.104:80,xxx.xx.96.7:44131,TCP (flags:S)
FWIN,2002/08/23,18:48:48 -4:00 GMT,10.10.2.103:80,xxx.xx.96.7:53605,TCP (flags:S)
FWIN,2002/08/23,18:49:06 -4:00 GMT,10.10.2.104:80,xxx.xx.96.7:44517,TCP (flags:S)
FWIN,2002/08/23,18:49:10 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)
FWIN,2002/08/23,18:49:12 -4:00 GMT,10.10.2.103:80,xxx.xx.96.7:12156,TCP (flags:S)
FWIN,2002/08/23,18:49:12 -4:00 GMT,10.10.2.109:80,xxx.xx.96.7:28165,TCP (flags:S)
FWIN,2002/08/23,18:49:14 -4:00 GMT,10.10.2.110:80,xxx.xx.96.7:64194,TCP (flags:S)
FWIN,2002/08/23,18:49:14 -4:00 GMT,10.10.2.103:80,xxx.xx.96.7:13928,TCP (flags:S)
FWIN,2002/08/23,18:49:16 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:16797,TCP (flags:S)
FWIN,2002/08/23,18:49:16 -4:00 GMT,10.10.2.107:80,xxx.xx.96.7:5692,TCP (flags:S)
FWIN,2002/08/23,18:49:16 -4:00 GMT,10.10.2.103:80,xxx.xx.96.7:53605,TCP (flags:S)
FWIN,2002/08/23,18:49:18 -4:00 GMT,10.10.2.109:80,xxx.xx.96.7:48388,TCP (flags:S)
FWIN,2002/08/23,18:49:18 -4:00 GMT,10.10.2.104:80,xxx.xx.96.7:12516,TCP (flags:S)
FWIN,2002/08/23,18:49:18 -4:00 GMT,10.10.2.109:80,xxx.xx.96.7:44131,TCP (flags:S)
FWIN,2002/08/23,18:49:30 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:24023,TCP (flags:S)
FWIN,2002/08/23,18:49:32 -4:00 GMT,10.10.2.112:80,xxx.xx.96.7:59112,TCP (flags:S)
FWIN,2002/08/23,18:49:34 -4:00 GMT,10.10.2.104:80,xxx.xx.96.7:44131,TCP (flags:S)
FWIN,2002/08/23,18:49:36 -4:00 GMT,10.10.2.104:80,xxx.xx.96.7:44517,TCP (flags:S)
FWIN,2002/08/23,18:49:38 -4:00 GMT,10.10.2.111:80,xxx.xx.96.7:34705,TCP (flags:S)
FWIN,2002/08/23,18:49:38 -4:00 GMT,10.10.2.103:80,xxx.xx.96.7:52067,TCP (flags:S)
FWIN,2002/08/23,18:50:00 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:24023,TCP (flags:S)
FWIN,2002/08/23,18:50:10 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)
FWIN,2002/08/23,18:50:10 -4:00 GMT,10.10.2.103:80,xxx.xx.96.7:12156,TCP (flags:S)
FWIN,2002/08/23,18:50:14 -4:00 GMT,10.10.2.110:80,xxx.xx.96.7:64194,TCP (flags:S)
FWIN,2002/08/23,18:50:14 -4:00 GMT,10.10.2.103:80,xxx.xx.96.7:13928,TCP (flags:S)
FWIN,2002/08/23,18:50:14 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:16797,TCP (flags:S)
FWIN,2002/08/23,18:50:16 -4:00 GMT,10.10.2.107:80,xxx.xx.96.7:5692,TCP (flags:S)
FWIN,2002/08/23,18:50:16 -4:00 GMT,10.10.2.103:80,xxx.xx.96.7:53605,TCP (flags:S)
FWIN,2002/08/23,18:50:16 -4:00 GMT,10.10.2.104:80,xxx.xx.96.7:53605,TCP (flags:S)
FWIN,2002/08/23,18:50:18 -4:00 GMT,10.10.2.109:80,xxx.xx.96.7:48388,TCP (flags:S)
FWIN,2002/08/23,18:50:18 -4:00 GMT,10.10.2.104:80,xxx.xx.96.7:12516,TCP (flags:S)
FWIN,2002/08/23,18:50:18 -4:00 GMT,10.10.2.109:80,xxx.xx.96.7:44131,TCP (flags:S)
FWIN,2002/08/23,18:50:32 -4:00 GMT,10.10.2.112:80,xxx.xx.96.7:59112,TCP (flags:S)
FWIN,2002/08/23,18:50:34 -4:00 GMT,10.10.2.104:80,xxx.xx.96.7:44131,TCP (flags:S)
FWIN,2002/08/23,18:50:36 -4:00 GMT,10.10.2.104:80,xxx.xx.96.7:44517,TCP (flags:S)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
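A way to triage a burst like the one in this post, added here as an example and not part of the original message: the script parses ZoneAlarm `FWIN` records, checks whether each source address is in private address space, and lists source/destination-port pairs that recur. The function names are choices made for this example, and the six sample records are copied from the log above.

```python
import ipaddress
from collections import Counter

# Six records copied verbatim from the post (destination is redacted there).
SAMPLE = """\
FWIN,2002/08/23,18:47:42 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
FWIN,2002/08/23,18:47:42 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)
FWIN,2002/08/23,18:47:56 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:6601,TCP (flags:S)
FWIN,2002/08/23,18:47:56 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
FWIN,2002/08/23,18:48:16 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
FWIN,2002/08/23,18:48:20 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)
"""

def parse_fwin(line):
    """Parse one ZoneAlarm FWIN record; return None if it does not fit."""
    parts = line.strip().split(",")
    if len(parts) != 6 or parts[0] != "FWIN":
        return None
    src_ip, _, src_port = parts[3].rpartition(":")
    _, _, dst_port = parts[4].rpartition(":")  # destination IP is redacted
    try:
        src = ipaddress.ip_address(src_ip)
        sport, dport = int(src_port), int(dst_port)
    except ValueError:
        return None
    return {"time": parts[2], "src": src, "sport": sport,
            "dport": dport, "proto": parts[5]}

def summarize(text):
    """Count records per source and find (source, dest port) pairs seen again."""
    recs = [r for r in map(parse_fwin, text.splitlines()) if r]
    pairs = Counter((str(r["src"]), r["dport"]) for r in recs)
    return {
        "total": len(recs),
        "private_src": sum(r["src"].is_private for r in recs),
        "src_ports": sorted({r["sport"] for r in recs}),
        "per_source": Counter(str(r["src"]) for r in recs),
        "repeated": {k: n for k, n in pairs.items() if n > 1},
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

Feeding the full log through `summarize` gives the per-source counts and the recurring pairs for the whole burst; the script reports what is in the records and draws no conclusion about their cause.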


