> We have had one probe that fits the description, and a couple of possibly > related hits, starting December 8. Some of the traffic is _from_ 6112 rather > than to it. Only one hit is both from and to 6112. We don't have any root > kits left by the attacker(s). Our Snort logs started showing these scans on 17 Jan (actually there was ONE probe on 7 Jan but none in 2001), with BOTH source and destination ports set to 6112: Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.3:6112 SYN ******S* Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.5:6112 SYN ******S* Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.7:6112 SYN ******S* Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.9:6112 SYN ******S* Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.11:6112 SYN ******S* Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.13:6112 SYN ******S* Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.15:6112 SYN ******S* Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.2:6112 SYN ******S* -- Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647 Taygeta Scientific Inc. INTERNET: skipat_private 1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com Monterey, CA. 93940 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 18 2002 - 10:11:18 PST