Most likely the Lion worm. Take a look at:

http://www.sans.org/y2k/041001.htm and http://www.sans.org/y2k/040301-1430.htm

for similar activity.

---Matthew

*********** REPLY SEPARATOR ***********

On 9/21/2001 at 8:27 AM Craig, Scott wrote:

>We received a very fast scan (probe) for port 6635 last night. I did a
>search through the messages on the incidents.org mailing list and didn't see
>any conclusive findings as to the tools being used or the purpose. Does
>anyone have any further information on this yet?
>
>The probe occurred on 9/20/01 at 22:16 Eastern time. All within the same
>minute, lasting only 2 seconds.
>
>                  Source                         Dest.
>Source IP         Port    Destination IP's       Port   Protocol
>---------         ------  ------------------     ----   --------
>216.89.160.33     6635    MYIP.xxx.xxx.1-254     6635   TCP
>
>
>Sorry, but I don't have a copy of the raw packet for display to determine
>any of the flags being used.
>
>--
>
>DNS lookup done this morning came back to:
>flare-raq1.flarenetworks.com
>
>
>SAVVIS Communications (NETBLK-SAVVIS7) SAVVIS7 216.88.0.0 - 216.91.255.255
>Flare Interactive (NETBLK-SAVV-FLAREINTER2) SAVV-FLAREINTER2
>216.89.160.0 - 216.89.161.255
>
>
>Server used for this query: [ whois.arin.net ]
>
> Flare Interactive (NETBLK-SAVV-FLAREINTER2)
>   233 Linden Street
>   Fort Collins, CO 80524
>   US
>
>   Netname: SAVV-FLAREINTER2
>   Netblock: 216.89.160.0 - 216.89.161.255
>   Maintainer: FLAR
>
>   Coordinator:
>      MacDonald, Kyle  (KM372-ARIN)  kylemacat_private
>      970-470-3300
>
>   Record last updated on 10-Apr-2000.
>   Database last updated on 20-Sep-2001 23:16:45 EDT.
>
>==========
>
>Server used for this query: [ whois.arin.net ]
>
> SAVVIS Communications (NETBLK-SAVVIS7)
>   717 Office Parkway
>   Creve Coeur, MO 63141
>   US
>
>   Netname: SAVVIS7
>   Netblock: 216.88.0.0 - 216.91.255.255
>   Maintainer: SAVV
>
>   Coordinator:
>      SAVVIS A Bridge Company  (ZS36-ARIN)  ipadminat_private
>      314-468-7000
>
>   Domain System inverse mapping provided by:
>
>   NS1.SAVVIS.NET  209.16.211.42
>   NS2.SAVVIS.NET  204.194.10.206
>
>   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
>
>   Record last updated on 10-Mar-2000.
>   Database last updated on 20-Sep-2001 23:16:45 EDT.
>
>
>Scott
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
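The pattern Scott describes (one source, one TCP port, every host in a /24, all inside two seconds, and the source port equal to the destination port) is a horizontal sweep, and it is easy to pull out of connection logs automatically. The following detector is an added example and is not part of the thread or of any tool mentioned in it. The log line format it parses is hypothetical, the destination range 10.0.0.0/24 stands in for the masked "MYIP.xxx.xxx" block, and the sample lines are constructed; only the source address and port come from the post.

```python
"""Horizontal sweep detector for firewall/IDS connection logs.

Added example, not from the original thread.  Flags any source that
reaches many distinct destination hosts on the same port within a short
window, reports how fast it went, and notes whether the source port
mirrored the destination port (as in the 6635 -> 6635 probe).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Hypothetical log format: "<ISO time> <proto> <src>:<sport> -> <dst>:<dport> [flags]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:\s+(?P<flags>\S+))?$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"] or "",
    }


def find_sweeps(lines, min_hosts=20, window_seconds=60):
    """One report per (src, proto, dport) whose distinct-destination count
    reaches min_hosts inside any window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["proto"], e["dport"])].append(e)

    reports = []
    for (src, proto, dport), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        counts = defaultdict(int)   # dst -> hits inside the current window
        start, best = 0, None
        for end, ev in enumerate(evs):
            counts[ev["dst"]] += 1
            # slide the left edge forward until the window fits
            while ev["ts"] - evs[start]["ts"] > window:
                old = evs[start]["dst"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_hosts and (best is None or len(counts) > best[0]):
                best = (len(counts), start, end)
        if best is None:
            continue
        hosts, s, e = best
        span = evs[s:e + 1]
        reports.append({
            "src": src, "proto": proto, "dport": dport,
            "hosts": hosts,
            "first_seen": span[0]["ts"].isoformat(),
            "duration_s": (span[-1]["ts"] - span[0]["ts"]).total_seconds(),
            # a fixed source port equal to the target port is a tool fingerprint
            "same_source_port": all(x["sport"] == x["dport"] for x in span),
            "subnets": sorted({str(ipaddress.ip_network(x["dst"] + "/24", strict=False))
                               for x in span}),
        })
    return reports


def constructed_sample():
    """Constructed log lines: the reported sweep plus benign web traffic."""
    base = datetime(2001, 9, 20, 22, 16, 0)
    lines = []
    for i in range(1, 255):   # 254 hosts over exactly two seconds
        ts = base + timedelta(milliseconds=int(2000 * (i - 1) / 253))
        lines.append(f"{ts.isoformat()} TCP 216.89.160.33:6635 -> 10.0.0.{i}:6635 S")
    for i in range(5):        # one workstation talking to one web server
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} TCP 10.0.0.7:{40000 + i} -> 10.0.0.80:80 S")
    return lines


if __name__ == "__main__":
    for r in find_sweeps(constructed_sample()):
        print(f"{r['src']} -> {r['hosts']} hosts on {r['proto']}/{r['dport']} "
              f"in {r['duration_s']:.1f}s, subnets {r['subnets']}, "
              f"sport==dport: {r['same_source_port']}")
```

Run against real logs, the two knobs to tune are `min_hosts` and `window_seconds`: a worm or scanner that walks a /24 in seconds is caught with the defaults, while a slow sweep spread over an hour needs a wider window and will also pick up legitimate monitoring hosts, so whitelist those by source address rather than lowering the threshold.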
This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 10:04:34 PDT