Re: port 22->port 22 scans

From: spaceork (spaceorkat_private)
Date: Sat Oct 06 2001 - 12:43:44 PDT


    On Sat, 6 Oct 2001, Pavel Kankovsky wrote:
    
    > The traits of all those sweeps were very similar:
    > 
    > - the source port of all probes was 22
    > - all probes within one sweep had the same IP ID (*)
    > - lost/filtered probes were not retried
    > - the sweeps were pretty fast, hundreds of addresses in a few seconds
    > - no actual i/o was done
    > 
    > (*) With 1 exception that had a TTL different from other logged probes
    > in the sweep as well.
    
    This appears to be the work of the synscan tool. Did the common IP IDs
    happen to have a value of 39426? 
    
    
    	-spaceork 
    
    
    
    "All the time they were creating
     What has destroyed them,
     And they fall with the burden
     They built."
    --------------------------------
    spaceorkat_private
    http://www.dhp.com/~spaceork
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
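
The traits listed in the quoted message can be checked mechanically over packet-filter logs. The following is an added example, not part of the original message and not code from any tool named in it. The log record format, the thresholds and the addresses are assumptions constructed for illustration; 39426 is the IP ID value asked about in the reply.

```python
from collections import Counter, defaultdict

SYNSCAN_IPID = 39426  # IP ID value asked about in the reply above

def parse(line):
    """Parse one constructed record: 'epoch src sport dst dport ipid ttl'."""
    ts, src, sport, dst, dport, ipid, ttl = line.split()
    return {"ts": float(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "ipid": int(ipid), "ttl": int(ttl)}

def find_sweeps(lines, min_targets=5, max_seconds=10.0, min_share=0.9):
    """Flag sources whose port 22 -> port 22 probes share one IP ID."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        p = parse(line)
        if p["sport"] == 22 and p["dport"] == 22:
            by_src[p["src"]].append(p)
    sweeps = []
    for src, probes in by_src.items():
        targets = {p["dst"] for p in probes}
        span = max(p["ts"] for p in probes) - min(p["ts"] for p in probes)
        ipid, hits = Counter(p["ipid"] for p in probes).most_common(1)[0]
        # Tolerate the odd probe out (different IP ID and TTL) noted in the quote.
        if (len(targets) >= min_targets and span <= max_seconds
                and hits / len(probes) >= min_share):
            sweeps.append({"src": src, "targets": len(targets), "ipid": ipid,
                           "outliers": len(probes) - hits,
                           "retries": len(probes) - len(targets),
                           "ipid_matches_reply": ipid == SYNSCAN_IPID})
    return sweeps

# Constructed sample data (documentation addresses), not taken from the thread.
SAMPLE = [f"1002397000.{i:02d} 192.0.2.10 22 198.51.100.{i} 22 39426 240"
          for i in range(1, 20)]
SAMPLE.append("1002397000.20 192.0.2.10 22 198.51.100.20 22 1234 52")  # outlier
# An ordinary SSH client: ephemeral source port, varying IP IDs.
SAMPLE += [f"1002397001.{i:02d} 203.0.113.5 {40000 + i} 198.51.100.7 22 {500 + i} 64"
           for i in range(3)]

if __name__ == "__main__":
    for sweep in find_sweeps(SAMPLE):
        print(sweep)
```

A `retries` count of zero corresponds to the "lost/filtered probes were not retried" trait, and `outliers` counts probes whose IP ID differs from the dominant one.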
    



    This archive was generated by hypermail 2b30 : Sun Oct 07 2001 - 15:46:54 PDT