At 11:45 AM 5/18/01, gattacaat_private wrote:
>Hello all,
>
>I have a curiosity question. In the last 24 hours I have seen scans for
>the following ports. They have been from multiple addresses at different
>times. The scans have been the same ports and sequence each time which leads
>me to suspect a canned scan tool. Is this something new? Thanks in advance.
>
>cheers,
>gattaca
>
><snip>
>Fri May 18 10:36:30 EDT 2001 (snip filter file command) reports
>211.218.149.27 DENIED HOST
>(tcp ports)
>31337 11753 12754 2400 33567 5300 1008 1524 29369 9112 6723 6635 8282 9705
>10008 15104 3879 22252 60008
></snip>

I first noticed these scans two weeks ago. Now I get about 20 a day going to random addresses on my network. Each port is hit in 4 second increments. They're coming from all over the world. Using netcraft.com, all the source addresses are running Linux. I assume this is some new yet to be determined Linux worm. The only mention I can find of it is at:

http://www.incidents.org/react/diary.php

--
Joe
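The two observations in this thread (the same ports in the same order, one probe roughly every 4 seconds) can be turned into a log check. This is an added example, not part of either post; it assumes denied-connection events are already parsed into (epoch seconds, source IP, destination port) tuples, and the function names, thresholds and sample addresses are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Port sequence quoted in the post above (order as reported).
SIGNATURE = [31337, 11753, 12754, 2400, 33567, 5300, 1008, 1524, 29369, 9112,
             6723, 6635, 8282, 9705, 10008, 15104, 3879, 22252, 60008]

def lcs_len(a, b):
    """Length of the longest common subsequence (order-preserving match)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def match_scans(events, signature=SIGNATURE, min_ratio=0.8, step=4, slack=1):
    """events: iterable of (epoch_seconds, src_ip, dst_port) for denied TCP SYNs.
    Returns {src_ip: (ratio, median_gap)} for sources whose probes follow the
    signature order and arrive roughly `step` seconds apart."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    hits = {}
    for src, probes in by_src.items():
        ports = [p for _, p in probes]
        ratio = lcs_len(ports, signature) / len(signature)
        gaps = [b[0] - a[0] for a, b in zip(probes, probes[1:])]
        if ratio >= min_ratio and gaps and abs(median(gaps) - step) <= slack:
            hits[src] = (round(ratio, 2), median(gaps))
    return hits

def sample_events():
    """Constructed data: documentation-range IPs, not taken from the post."""
    full = [(1000 + 4 * i, "192.0.2.10", p) for i, p in enumerate(SIGNATURE)]
    # Same tool, two probes lost to packet drop or log rotation.
    lossy = [(5000 + 4 * i, "198.51.100.7", p)
             for i, p in enumerate(SIGNATURE) if i not in (3, 11)]
    # Unrelated sequential sweep that happens to touch one signature port.
    sweep = [(9000 + i, "203.0.113.5", p) for i, p in enumerate(range(1520, 1540))]
    return full + lossy + sweep

if __name__ == "__main__":
    for src, (ratio, gap) in match_scans(sample_events()).items():
        print(f"{src}: {ratio:.0%} of signature in order, median gap {gap}s")
```

Matching on an ordered subsequence rather than exact equality keeps a source flagged when a few probes are missing from the log, while the timing check separates this tool from faster generic sweeps.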
This archive was generated by hypermail 2b30 : Tue May 22 2001 - 08:13:14 PDT