I saw a very similar scan from this IP to one of our Class C's on 13 Nov as well. 9705->9705 scan began at 18:18 GMT, followed by a 6635->6635 at 20:25 GMT. In both instances, approximately 70 hits were detected.

Dale

> -----Original Message-----
> From: Jim Howard [mailto:Jim.Howardat_private]
> Sent: Wednesday, November 14, 2001 6:29 PM
> To: incidentsat_private
> Subject: port 6635 and port 9705
>
> Somebody had asked where these scans were coming from. Just yesterday, I
> got scanned on both these ports at the same time from this IP: 216.187.84.11.
> I have notified the parties that needed notification, but I just wanted
> to mention that:
>
> 1) our entire network was scanned for both from the same host, one right
> after the other with 9705 first, then 6635. The scans to 9705 were
> primarily from port 9705, where the 6635 scan was from an incrementing port
> #.
>
> 2) this is the first I have seen scans on these ports for some time. It
> sounds from what people are saying, that this may be picking up now?
>
> 3) There was a break of about 4 minutes between the scan sessions, that
> indicates a manual process to fire up the other scan. All scans carry the
> SYN flag.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
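
The traits reported in this thread (SYN-only sweeps of one destination port across many hosts, a source port that either mirrors the destination port or increments, and a gap of minutes between the two sweeps) can be extracted from firewall logs mechanically. The following is an added example, not part of the original messages; the log format, field names, addresses and function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical format, documentation addresses).
SAMPLE_LOG = """\
2001-11-13T18:18:00 SRC=192.0.2.10 SPT=9705 DST=198.51.100.1 DPT=9705 FLAGS=SYN
2001-11-13T18:18:01 SRC=192.0.2.10 SPT=9705 DST=198.51.100.2 DPT=9705 FLAGS=SYN
2001-11-13T18:18:02 SRC=192.0.2.10 SPT=9705 DST=198.51.100.3 DPT=9705 FLAGS=SYN
2001-11-13T18:22:02 SRC=192.0.2.10 SPT=4001 DST=198.51.100.1 DPT=6635 FLAGS=SYN
2001-11-13T18:22:03 SRC=192.0.2.10 SPT=4002 DST=198.51.100.2 DPT=6635 FLAGS=SYN
2001-11-13T18:22:04 SRC=192.0.2.10 SPT=4003 DST=198.51.100.3 DPT=6635 FLAGS=SYN
2001-11-13T18:30:00 SRC=192.0.2.77 SPT=1025 DST=198.51.100.1 DPT=80 FLAGS=SYN
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) SRC=(?P<src>\S+) SPT=(?P<spt>\d+) DST=(?P<dst>\S+) "
    r"DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)")

def source_port_pattern(spts, dpt):
    """Classify how the scanner chose source ports for one sweep."""
    if all(p == dpt for p in spts):
        return "mirrors-dest"      # e.g. 9705 -> 9705
    if len(spts) > 1 and all(b > a for a, b in zip(spts, spts[1:])):
        return "incrementing"      # ordinary ephemeral-port allocation
    return "mixed"

def summarize_sweeps(log_text, min_targets=3):
    """Group SYN-only hits by (source, dest port); keep those hitting many hosts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["flags"] == "SYN":
            hits[(m["src"], int(m["dpt"]))].append(
                (datetime.fromisoformat(m["ts"]), int(m["spt"]), m["dst"]))
    sweeps = []
    for (src, dpt), rows in hits.items():
        rows.sort()
        if len({dst for _, _, dst in rows}) < min_targets:
            continue               # too few distinct targets to call it a sweep
        sweeps.append({"src": src, "dpt": dpt, "start": rows[0][0], "end": rows[-1][0],
                       "pattern": source_port_pattern([s for _, s, _ in rows], dpt)})
    return sorted(sweeps, key=lambda s: (s["src"], s["start"]))

def gaps_between_sweeps(sweeps):
    """Seconds of silence between consecutive sweeps from the same source."""
    return [(a["dpt"], b["dpt"], (b["start"] - a["end"]).total_seconds())
            for a, b in zip(sweeps, sweeps[1:]) if a["src"] == b["src"]]
```
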
This archive was generated by hypermail 2b30 : Thu Nov 15 2001 - 08:24:11 PST