Re: port 22->port 22 scans

From: spaceork (spaceorkat_private)
Date: Sat Oct 06 2001 - 12:43:44 PDT


    On Sat, 6 Oct 2001, Pavel Kankovsky wrote:
    > The traits of all those sweeps were very similar:
    > - the source port of all probes was 22
    > - all probes within one sweep had the same IP ID (*)
    > - lost/filtered probes were not retried
    > - the sweeps were pretty fast, hundreds of addresses in a few seconds
    > - no actual i/o was done
    > (*) With 1 exception that had a TTL different from other logged probes
    > in the sweep as well.
    This appears to be the work of the synscan tool. Did the common IP IDs
    happen to have a value of 39426? 
    "All the time they were creating
     What has destroyed them,
     And they fall with the burden
     They built."
    This list is provided by the SecurityFocus ARIS analyzer service.

    This archive was generated by hypermail 2b30 : Sun Oct 07 2001 - 15:46:54 PDT
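
The sweep traits listed in the quoted message can be checked mechanically against logged probes. The following is an added example, not part of the original post or of any tool named in it: the record format, the thresholds, the addresses and the IP ID value 4242 are all constructed assumptions. It reports the dominant IP ID per source so it can be compared with a value such as the one asked about in the reply.

```python
from collections import Counter, defaultdict

def parse(line):
    """Parse one record: 'time src sport dst dport ipid ttl' (constructed format)."""
    t, src, sport, dst, dport, ipid, ttl = line.split()
    return float(t), src, int(sport), dst, int(dport), int(ipid), int(ttl)

def find_sweeps(lines, min_targets=100, max_seconds=10.0, min_share=0.95):
    """Return {src: summary} for sources matching the traits in the quoted post.
    The three thresholds are assumptions chosen for this example."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse(line)
            by_src[rec[1]].append(rec)
    hits = {}
    for src, recs in by_src.items():
        targets = Counter(r[3] for r in recs)
        top_id, top_n = Counter(r[5] for r in recs).most_common(1)[0]
        duration = max(r[0] for r in recs) - min(r[0] for r in recs)
        if (len(targets) >= min_targets                          # hundreds of addresses
                and duration <= max_seconds                      # within a few seconds
                and all(r[2] == 22 and r[4] == 22 for r in recs) # port 22 -> port 22
                and max(targets.values()) == 1                   # lost probes not retried
                and top_n / len(recs) >= min_share):             # one IP ID per sweep
            hits[src] = {"targets": len(targets), "seconds": round(duration, 2),
                         "ip_id": top_id,
                         "exceptions": [r for r in recs if r[5] != top_id]}
    return hits

def sample_log():
    """Constructed sample data: one sweep (192.0.2.77) and one ordinary SSH client."""
    lines = [f"{1000 + i * 0.01:.2f} 192.0.2.77 22 198.51.100.{i} 22 4242 48"
             for i in range(1, 201)]
    # A single exception with a different IP ID and TTL, as in the (*) footnote.
    lines[57] = "1000.58 192.0.2.77 22 198.51.100.58 22 9001 52"
    # Ordinary client: ephemeral source port, changing IP IDs, one retransmission.
    lines += ["1000.10 192.0.2.10 40112 198.51.100.5 22 1001 64",
              "1003.10 192.0.2.10 40112 198.51.100.5 22 1002 64"]
    return lines

if __name__ == "__main__":
    for src, info in find_sweeps(sample_log()).items():
        print(src, info["targets"], info["seconds"], info["ip_id"],
              len(info["exceptions"]))
```

The "no actual i/o" trait is not checked here because it needs connection state beyond the initial probes.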