Mike Scott wrote:
>
> I saw the same thing over the weekend to what looks like the entire Class B.
> Here's a snip from a snort portscan log, I don't have the rest in front of me:
>
> May 13 09:18:56 202.43.105.18:4760 -> xxx.140.18.139:10008 SYN ******S*
> May 13 09:18:56 202.43.105.18:4761 -> xxx.140.18.140:10008 SYN ******S*
> May 13 09:18:57 202.43.105.18:4762 -> xxx.140.18.141:10008 SYN ******S*
> May 13 09:18:57 202.43.105.18:4763 -> xxx.140.18.142:10008 SYN ******S*

These are the hosts that scanned us for 10008 _yesterday_ (midnight to
midnight localtime). The kiddies/worms are already well over their quota on
this port for the whole week. The first value is the number of packets
(note, packets not necessarily individual connection attempts) we were hit
with. Four class C's and some change are routed past the device that logged
these:

  338 195.166.230.3
 2102 217.80.46.242
   12 211.100.13.100
   10 211.114.177.139
   11 207.200.89.227
 2032 217.75.0.71
   10 203.164.147.132
    4 64.12.184.25
    7 207.200.89.193
    4 155.210.88.146
    5 209.249.232.66
 2128 213.73.6.98
 2107 211.20.160.238
 1653 211.175.142.204
    4 65.196.90.10

Someone earlier in the thread asked if there was a signature to these. I
obviously have not examined each and every one of these packets, but I
looked at the ones that sent over 1000 packets my way and there were no
obvious signs of crafting or other strange signatures (incrementing IP ID,
changing ISN, changing TCP timestamp, SYN with no extra flags, stepping
source port, etc.). They all look like Linux boxen tho'. Prolly 2.1.x?

--
Crist J. Clark                     Network Security Engineer
crist.clarkat_private              Globalstar, L.P.
(408) 933-4387                     FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended
only for the use of the individual or entity named above. If the reader of
this e-mail is not the intended recipient, or the employee or agent
responsible to deliver it to the intended recipient, you are hereby notified
that any review, dissemination, distribution or copying of this
communication is strictly prohibited. If you have received this e-mail in
error, please contact postmasterat_private
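The tally above (packets per source, with the caveat that packets are not the same as connection attempts) and the stepping-source-port / sequential-destination pattern visible in the quoted snort lines can both be pulled out of a snort 1.x portscan log mechanically. The script below is an added example for this archive page, not code from either poster; it assumes the portscan.log line format exactly as quoted in the thread and runs over a constructed sample log using RFC 5737 documentation addresses, not the hosts listed above.

```python
import re
from collections import defaultdict

# Snort 1.x portscan log format as quoted in the thread, e.g.
#   May 13 09:18:56 202.43.105.18:4760 -> xxx.140.18.139:10008 SYN ******S*
# The destination's first octet may be sanitized ("xxx"), so hosts are
# matched as dotted tokens rather than strict IPv4 addresses.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<kind>\S+) (?P<flags>\S+)$"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
# 198.51.100.7 sweeps four consecutive hosts with a stepping source port and
# retransmits one SYN; 203.0.113.9 sends two unrelated probes to 10008 and
# one to another port, which must be left out of the 10008 tally.
SAMPLE_LOG = """\
May 13 09:18:56 198.51.100.7:4760 -> 192.0.2.139:10008 SYN ******S*
May 13 09:18:56 198.51.100.7:4761 -> 192.0.2.140:10008 SYN ******S*
May 13 09:18:57 198.51.100.7:4762 -> 192.0.2.141:10008 SYN ******S*
May 13 09:18:57 198.51.100.7:4763 -> 192.0.2.142:10008 SYN ******S*
May 13 09:19:00 198.51.100.7:4763 -> 192.0.2.142:10008 SYN ******S*
May 13 09:20:11 203.0.113.9:33021 -> 192.0.2.17:10008 SYN ******S*
May 13 09:20:11 203.0.113.9:33021 -> 192.0.2.17:22 SYN ******S*
May 13 09:21:45 203.0.113.9:1337 -> 192.0.2.200:10008 SYNFIN ******SF
"""


def parse_line(line):
    """Return a dict for one portscan record, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def _steps_by_one(values):
    """True when at least two ints are present and each is the previous plus one."""
    return len(values) >= 2 and all(b - a == 1 for a, b in zip(values, values[1:]))


def summarize(log_text, port=10008):
    """Tally per-source traffic to `port`: raw packets versus distinct
    connection attempts (unique source port + destination pairs, so a
    retransmitted SYN is not double counted), plus whether source port and
    destination address both step by one per attempt (a sequential sweep)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] == port:
            by_src[rec["src"]].append(rec)

    report = {}
    for src, recs in by_src.items():
        # Collapse retransmits (same sport, same dst) before pattern checks.
        uniq, seen = [], set()
        for r in recs:
            key = (r["sport"], r["dst"])
            if key not in seen:
                seen.add(key)
                uniq.append(r)
        sports = [r["sport"] for r in uniq]
        last_octets = [int(r["dst"].rsplit(".", 1)[1]) for r in uniq]
        report[src] = {
            "packets": len(recs),
            "attempts": len(uniq),
            "stepping_sport": _steps_by_one(sports),
            "sequential_dst": _steps_by_one(last_octets),
            "syn_only": all(r["flags"] == "******S*" for r in recs),
        }
    return report


def print_table(report):
    """Print the packets-per-source listing in the thread's layout, highest first."""
    for src, row in sorted(report.items(), key=lambda kv: -kv[1]["packets"]):
        tag = " sweep" if row["stepping_sport"] and row["sequential_dst"] else ""
        print(f"{row['packets']:5d} {src:<16} attempts={row['attempts']}{tag}")


if __name__ == "__main__":
    print_table(summarize(SAMPLE_LOG))
```

The portscan log carries only timestamps, endpoints and TCP flags; the other crafting tells mentioned above (IP ID progression, ISN behaviour, TCP timestamp option) are not in it and need a full packet capture of the SYNs, so this script only separates packet volume from attempt count and spots the obvious sequential sweep.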
This archive was generated by hypermail 2b30 : Tue May 15 2001 - 17:31:53 PDT