Sustained attack, but seemingly random?

From: Brian Thomas (cinnamonat_private)
Date: Fri Apr 20 2001 - 17:07:13 PDT


    I'm seeing an interesting attack that's been going on for about a day now
    from various sites, mostly in Saudi Arabia. I'm a little puzzled because
    while these sorts of scans are nothing new, it's sustained and hitting
    some really weird ports. A list of destination ports culled from the past
    24 hours yields:
    
    1024
    1080
    110
    111
    143
    19216
    21
    23
    2766
    33696
    33807
    33848
    38061
    389
    44767
    515
    52
    53
    555
    6000
    79
    
    Some of the stuff in there (like 44767) is pretty unique to sscan attacks,
    so my first thought is it's one of those. But whoever this person is / these
    people are, they're certainly picking some odd things to probe. The 389
    is an LDAP scan, but 52? 38061? 33XXX > 33600? 19216? I have to say, I'm
    at a loss. Maybe a customized sscan probe?
    
    Just curious if anyone else has seen this or similar attack patterns. I'm
    used to seeing common probes ricocheting off our firewall, but this is
    confusing me.
    


