We received a very fast scan (probe) for port 6635 last night. I did a search through the messages on the incidents.org mailing list and didn't see any conclusive findings as to the tools being used or the purpose. Does anyone have any further information on this yet?

The probe occurred on 9/20/01 at 22:16 Eastern time. All within the same minute, lasting only 2 seconds.

                Source                       Dest.
Source IP       Port    Destination IP's     Port    Protocol
-------------   ------  ------------------   ----    --------
216.89.160.33   6635    MYIP.xxx.xxx.1-254   6635    TCP

Sorry, but I don't have a copy of the raw packet for display to determine any of the flags being used.

--

DNS lookup done this morning came back to: flare-raq1.flarenetworks.com

SAVVIS Communications (NETBLK-SAVVIS7) SAVVIS7 216.88.0.0 - 216.91.255.255
Flare Interactive (NETBLK-SAVV-FLAREINTER2) SAVV-FLAREINTER2 216.89.160.0 - 216.89.161.255

Server used for this query: [ whois.arin.net ]

Flare Interactive (NETBLK-SAVV-FLAREINTER2)
   233 Linden Street
   Fort Collins, CO 80524
   US

   Netname: SAVV-FLAREINTER2
   Netblock: 216.89.160.0 - 216.89.161.255
   Maintainer: FLAR

   Coordinator:
      MacDonald, Kyle (KM372-ARIN) kylemacat_private
      970-470-3300

   Record last updated on 10-Apr-2000.
   Database last updated on 20-Sep-2001 23:16:45 EDT.

==========

Server used for this query: [ whois.arin.net ]

SAVVIS Communications (NETBLK-SAVVIS7)
   717 Office Parkway
   Creve Coeur, MO 63141
   US

   Netname: SAVVIS7
   Netblock: 216.88.0.0 - 216.91.255.255
   Maintainer: SAVV

   Coordinator:
      SAVVIS A Bridge Company (ZS36-ARIN) ipadminat_private
      314-468-7000

   Domain System inverse mapping provided by:

   NS1.SAVVIS.NET 209.16.211.42
   NS2.SAVVIS.NET 204.194.10.206

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

   Record last updated on 10-Mar-2000.
   Database last updated on 20-Sep-2001 23:16:45 EDT.

Scott

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 08:49:55 PDT