Strange "port scans" from a spoofed IP

From: Jon R. Kibler (Jon.Kiblerat_private)
Date: Mon Nov 05 2001 - 15:37:04 PST


    Earlier today we started noticing a rather strange "port scan" from two different spoofed IP addresses. Both claim to originate from port 80 and have a fixed destination based upon originating IP, as follows:
       192.168.19.82 has destination port 11709
       192.168.19.81 has destination port 13607
    
    The "scans" repeat every 61 seconds. They have been running non-stop since sometime late yesterday. Here is an example from snoop of the traffic in question:
    
    150182 15:20:41.94425 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618 Seq=159745477 Len=1 Win=0
    150183 15:20:41.94466 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
    150206 15:20:50.21349 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864 Seq=2217637423 Len=1 Win=0
    150207 15:20:50.21390 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
    150283 15:21:42.90447 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618 Seq=159745477 Len=1 Win=0
    150284 15:21:42.90488 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
    150311 15:21:51.13106 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864 Seq=2217637423 Len=1 Win=0
    150312 15:21:51.13147 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
    150395 15:22:44.10400 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618 Seq=159745477 Len=1 Win=0
    150396 15:22:44.10440 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
    150404 15:22:52.08212 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864 Seq=2217637423 Len=1 Win=0
    150405 15:22:52.08249 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
    150442 15:23:44.87234 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618 Seq=159745477 Len=1 Win=0
    150443 15:23:44.87276 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
    150488 15:23:53.03809 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864 Seq=2217637423 Len=1 Win=0
    150489 15:23:53.03850 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
    150763 15:24:45.75855 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618 Seq=159745477 Len=1 Win=0
    150764 15:24:45.75894 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
    150809 15:24:54.00191 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864 Seq=2217637423 Len=1 Win=0
    150810 15:24:54.00232 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
    
    
    Has anyone else seen something similar? Since this is clearly not a DoS attack, any idea what would be the purpose of such a scan?
    
    Thanks for any and all help/comments.
    
    Sincerely,
    Jon R. Kibler
    Systems Architect
    Advanced Systems Engineering Technology, Inc.
    Charleston, SC
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
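As an added example that is not part of Jon's post, the script below parses snoop's one-line TCP summaries and reports any 4-tuple that repeats on a near-constant period with unchanging Seq/Ack numbers, a one-byte payload and Win=0, and pairs each probe with the RST the target sent back. The sample input is the trace quoted above (snoop printed the local host as "US") plus two constructed SYN/SYN-ACK lines as background traffic; the thresholds (at least 3 hits, at most 2 s of jitter) are assumptions chosen for illustration.

```python
"""Spot fixed-interval, single-byte TCP probes in a snoop(1M) text trace."""
import re
import statistics
from collections import defaultdict

# The first twenty lines are the ones quoted in the post; the last two are
# constructed background traffic so the detector has something to ignore.
SAMPLE_TRACE = """\
150182 15:20:41.94425 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618 Seq=159745477 Len=1 Win=0
150183 15:20:41.94466 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150206 15:20:50.21349 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864 Seq=2217637423 Len=1 Win=0
150207 15:20:50.21390 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150283 15:21:42.90447 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618 Seq=159745477 Len=1 Win=0
150284 15:21:42.90488 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150311 15:21:51.13106 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864 Seq=2217637423 Len=1 Win=0
150312 15:21:51.13147 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150395 15:22:44.10400 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618 Seq=159745477 Len=1 Win=0
150396 15:22:44.10440 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150404 15:22:52.08212 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864 Seq=2217637423 Len=1 Win=0
150405 15:22:52.08249 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150442 15:23:44.87234 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618 Seq=159745477 Len=1 Win=0
150443 15:23:44.87276 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150488 15:23:53.03809 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864 Seq=2217637423 Len=1 Win=0
150489 15:23:53.03850 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150763 15:24:45.75855 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618 Seq=159745477 Len=1 Win=0
150764 15:24:45.75894 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150809 15:24:54.00191 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864 Seq=2217637423 Len=1 Win=0
150810 15:24:54.00232 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150900 15:25:01.00000 10.0.0.7 -> US TCP D=22 S=40112 Syn Seq=1 Len=0 Win=8760
150901 15:25:01.00050 US -> 10.0.0.7 TCP D=40112 S=22 Syn Ack=2 Seq=5 Len=0 Win=8760
"""

LINE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+TCP\s+D=(?P<dport>\d+)\s+S=(?P<sport>\d+)\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\d+)")  # Ack=N Seq=N Len=N Win=N


def ts_seconds(ts):
    """'15:20:41.94425' -> seconds since midnight (trace stays within one day)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_trace(text):
    """Parse snoop's one-line TCP summaries; lines in any other format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        fields = {k: int(v) for k, v in FIELD_RE.findall(rest)}
        flags = {t for t in rest.split() if "=" not in t}  # Syn, Rst, Fin, ...
        if "Ack" in fields:                                 # snoop prints ACK as Ack=N
            flags.add("Ack")
        packets.append({
            "t": ts_seconds(m.group("ts")), "src": m.group("src"), "dst": m.group("dst"),
            "sport": int(m.group("sport")), "dport": int(m.group("dport")),
            "flags": flags, "seq": fields.get("Seq"), "ack": fields.get("Ack"),
            "len": fields.get("Len", 0), "win": fields.get("Win")})
    return packets


def find_beacons(packets, min_hits=3, max_jitter=2.0):
    """Report 4-tuples that repeat on a near-constant period with unchanging
    Seq/Ack numbers: the signature of a canned packet replayed by a timer,
    not of a live TCP connection.  Thresholds are assumed values."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
    findings = []
    for (src, sport, dst, dport), pkts in flows.items():
        if len(pkts) < min_hits or all("Rst" in p["flags"] for p in pkts):
            continue
        pkts.sort(key=lambda p: p["t"])
        gaps = [b["t"] - a["t"] for a, b in zip(pkts, pkts[1:])]
        jitter = max(gaps) - min(gaps)
        if jitter > max_jitter or len({(p["seq"], p["ack"]) for p in pkts}) != 1:
            continue
        # Replies from the target: RFC 793 has a closed port answer a non-SYN
        # segment carrying ACK with a RST whose Seq equals that ACK number.
        rsts = sum(1 for q in flows.get((dst, dport, src, sport), [])
                   if "Rst" in q["flags"] and q["seq"] == pkts[0]["ack"])
        findings.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                         "hits": len(pkts), "period": statistics.median(gaps),
                         "jitter": jitter, "payload_len": pkts[0]["len"],
                         "win": pkts[0]["win"], "rst_replies": rsts})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_trace(SAMPLE_TRACE)):
        print("{src}:{sport} -> {dst}:{dport}  {hits} hits, period {period:.2f}s "
              "(jitter {jitter:.2f}s), Len={payload_len} Win={win}, "
              "{rst_replies} RST replies".format(**f))
```

On the quoted trace this reports both spoofed sources with a period of about 61 s, sub-second jitter, Len=1, Win=0 and five RST replies each; the RST Seq matching the probe's Ack is simply the closed-port response RFC 793 prescribes, so the replies tell the sender nothing beyond "host up, port closed". To run it on a live capture, feed parse_trace the text output of snoop (for example from a saved capture with `snoop -i file tcp`) instead of SAMPLE_TRACE.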
    



    This archive was generated by hypermail 2b30 : Thu Nov 08 2001 - 10:59:00 PST