Here is another weird scan...

18 Apr 01 13:12:21 tcp 255.255.255.255.31337 -> 130.216.210.99.515 S_
18 Apr 01 13:32:33 tcp 255.255.255.255.31337 -> 130.216.88.79.515 S_
18 Apr 01 14:23:39 tcp 255.255.255.255.31337 -> 130.216.80.141.515 S_
18 Apr 01 14:32:16 tcp 255.255.255.255.31337 -> 130.216.165.120.515 S_
18 Apr 01 15:06:51 tcp 255.255.255.255.31337 -> 130.216.229.183.515 S_
18 Apr 01 17:22:10 tcp 255.255.255.255.31337 -> 130.216.124.106.515 S_
18 Apr 01 17:42:23 tcp 255.255.255.255.31337 -> 130.216.202.2.515 S_
18 Apr 01 17:55:36 tcp 255.255.255.255.31337 -> 130.216.115.63.515 S_
18 Apr 01 18:58:22 tcp 255.255.255.255.31337 -> 130.216.73.134.515 S_
18 Apr 01 19:12:33 tcp 255.255.255.255.31337 -> 130.216.35.204.515 S_
18 Apr 01 20:56:08 tcp 255.255.255.255.31337 -> 130.216.57.184.515 S_
18 Apr 01 22:56:20 tcp 255.255.255.255.31337 -> 130.216.75.120.515 S_
18 Apr 01 23:06:08 tcp 255.255.255.255.31337 -> 130.216.150.227.515 S_

Slow scan (average 1 packet per hour in our /16 address space) to apparently random IPs. What they hope to achieve with the source address I cannot imagine; even if we were not blocking 515 they are not going to get any replies. My guess is that it is just someone playing silly buggers and trying to trip IDS.

Examination of the MAC addresses indicates they really are coming from our gateway router. TTL is constant 227 for all the packets I have looked at.

Ahhh... I have just found one of these addressed to another quite unrelated /24 that I monitor:

17 Apr 01 06:52:37 tcp 255.255.255.255.31337 -> 202.37.88.193.515 S_

Looks like this stuff is getting sprayed at random across the whole address space.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
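As an added example (not part of Russell's post), a small Python checker that parses the quoted log lines, flags SYNs whose source address can never legitimately originate a connection (the limited broadcast 255.255.255.255 and similar), and summarises how widely and how often they arrive. The log format regex is an assumption inferred from the lines shown above.

```python
import ipaddress
import re
from datetime import datetime

# The 13 lines quoted in the post above ("DD Mon YY HH:MM:SS proto src.sport -> dst.dport flags").
SAMPLE_LOG = """\
18 Apr 01 13:12:21 tcp 255.255.255.255.31337 -> 130.216.210.99.515 S_
18 Apr 01 13:32:33 tcp 255.255.255.255.31337 -> 130.216.88.79.515 S_
18 Apr 01 14:23:39 tcp 255.255.255.255.31337 -> 130.216.80.141.515 S_
18 Apr 01 14:32:16 tcp 255.255.255.255.31337 -> 130.216.165.120.515 S_
18 Apr 01 15:06:51 tcp 255.255.255.255.31337 -> 130.216.229.183.515 S_
18 Apr 01 17:22:10 tcp 255.255.255.255.31337 -> 130.216.124.106.515 S_
18 Apr 01 17:42:23 tcp 255.255.255.255.31337 -> 130.216.202.2.515 S_
18 Apr 01 17:55:36 tcp 255.255.255.255.31337 -> 130.216.115.63.515 S_
18 Apr 01 18:58:22 tcp 255.255.255.255.31337 -> 130.216.73.134.515 S_
18 Apr 01 19:12:33 tcp 255.255.255.255.31337 -> 130.216.35.204.515 S_
18 Apr 01 20:56:08 tcp 255.255.255.255.31337 -> 130.216.57.184.515 S_
18 Apr 01 22:56:20 tcp 255.255.255.255.31337 -> 130.216.75.120.515 S_
18 Apr 01 23:06:08 tcp 255.255.255.255.31337 -> 130.216.150.227.515 S_
"""

# Assumed line layout, derived from the sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+) (?P<flags>\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d %b %y %H:%M:%S")
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def is_bogus_source(src):
    """True for addresses that cannot be the real source of a unicast SYN (no reply path)."""
    ip = ipaddress.ip_address(src)
    return ip == ipaddress.ip_address("255.255.255.255") or ip.is_multicast or ip.is_unspecified

def analyse(log_text):
    """Pick out SYNs with impossible sources; report count, mean inter-arrival gap, target spread."""
    hits = [e for e in map(parse_line, log_text.splitlines())
            if e and e["flags"] == "S_" and is_bogus_source(e["src"])]
    hits.sort(key=lambda e: e["ts"])
    span = (hits[-1]["ts"] - hits[0]["ts"]).total_seconds() if len(hits) > 1 else 0.0
    return {"count": len(hits),
            "mean_gap_s": span / (len(hits) - 1) if len(hits) > 1 else None,
            "distinct_dst": len({e["dst"] for e in hits}),
            "dports": sorted({e["dport"] for e in hits})}
```

Run on the sample, the mean gap comes out just under 50 minutes, consistent with the "about one packet per hour" estimate in the post.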
This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 08:08:29 PDT