I'm seeing an interesting attack that's been going on for about a day now from various sites, mostly in Saudi Arabia. I'm a little puzzled because while these sorts of scans are nothing new, it's sustained and hitting some really weird ports. A list of destination ports culled from the past 24 hours yields:

1024 1080 110 111 143 19216 21 23 2766 33696 33807 33848 38061 389 44767 515 52 53 555 6000 79

Some of the stuff in there (like 44767) is pretty unique to sscan attacks, so my first thought is it's one of those. But whoever this person is / these people are, they're certainly picking some odd things to probe. The 389 is an LDAP scan, but 52? 38061? 33XXX > 33600? 19216? I have to say, I'm at a loss. Maybe a customized sscan probe?

Just curious if anyone else has seen this or similar attack patterns. I'm used to seeing common probes ricocheting off our firewall, but this is confusing me.

This archive was generated by hypermail 2b30 : Sun Apr 22 2001 - 13:54:27 PDT