FYI...

Over the last two days I have seen two long running slow (a few packets per hour) scans of port tcp 433 in two different networks I monitor:

2002-03-03-12:19:32 tcp 62.22.28.56:3949 -> 130.216.214.10:443 S_
2002-03-03-12:28:02 tcp 62.22.28.56:4177 -> 130.216.215.10:443 S_
2002-03-03-12:36:34 tcp 62.22.28.56:4404 -> 130.216.216.10:443 S_
2002-03-03-12:45:00 tcp 62.22.28.56:4738 -> 130.216.217.10:443 S_
2002-03-03-12:53:30 tcp 62.22.28.56:4889 -> 130.216.218.10:443 S_
2002-03-03-13:01:59 tcp 62.22.28.56:1458 -> 130.216.219.10:443 S_
2002-03-03-13:10:29 tcp 62.22.28.56:1625 -> 130.216.220.10:443 S_
2002-03-03-13:19:00 tcp 62.22.28.56:1836 -> 130.216.221.10:443 S_
2002-03-03-13:27:30 tcp 62.22.28.56:1952 -> 130.216.222.10:443 S_
2002-03-03-13:35:59 tcp 62.22.28.56:2105 -> 130.216.223.10:443 S_
2002-03-03-13:44:27 tcp 62.22.28.56:2610 -> 130.216.224.10:443 S_
2002-03-03-13:52:55 tcp 62.22.28.56:2796 -> 130.216.225.10:443 S_

2002-03-03-02:42:44 tcp 80.26.13.125:58266 -> 130.216.4.3:443 S_
2002-03-03-02:56:02 tcp 80.26.13.125:50285 -> 130.216.5.3:443 S_
2002-03-03-03:09:22 tcp 80.26.13.125:52702 -> 130.216.6.3:443 S_
2002-03-03-03:22:46 tcp 80.26.13.125:55353 -> 130.216.7.3:443 S_
2002-03-03-03:36:05 tcp 80.26.13.125:58038 -> 130.216.8.3:443 S_
2002-03-03-03:49:26 tcp 80.26.13.125:51031 -> 130.216.9.3:443 S_
2002-03-03-04:16:08 tcp 80.26.13.125:57173 -> 130.216.11.3:443 S_
2002-03-03-04:56:15 tcp 80.26.13.125:57267 -> 130.216.14.3:443 S_
2002-03-03-05:22:57 tcp 80.26.13.125:54947 -> 130.216.16.3:443 S_
2002-03-03-05:36:16 tcp 80.26.13.125:58925 -> 130.216.17.3:443 S_
2002-03-03-06:16:22 tcp 80.26.13.125:51119 -> 130.216.20.3:443 S_

As you can see from the traces, both vary the 3rd octet fastest. I reported the scan from 80.26.13.125 last week but I have not had any response from the ISP involved. I reported the 62.22.28.56 scan this morning.

Interestingly, both these IP addresses appear to be allocated in Spain.
--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
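An added example, not part of the original post: one way to surface scans like the two above from records in the same format, by grouping on source and destination port with no short time window so that probes minutes apart still accumulate. The function name, the thresholds and the reading of `S_` as a SYN-only record are assumptions; the 192.0.2.9 records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Record format from the post: "<time> tcp <src>:<sport> -> <dst>:<dport> <flags>"
LINE = re.compile(r"(\S+) tcp ([\d.]+):\d+ -> ([\d.]+):(\d+) (\S+)")

def slow_scans(lines, min_targets=4, max_per_hour=10.0):
    """Flag sources sending SYNs to one port on many hosts at a low rate."""
    groups = defaultdict(list)  # (src, dport) -> [(time, dst)], no time window
    for line in lines:
        m = LINE.match(line.strip())
        if m and m.group(5) == "S_":  # assumed to mark SYN-only records
            ts = datetime.strptime(m.group(1), "%Y-%m-%d-%H:%M:%S")
            groups[(m.group(2), int(m.group(4)))].append((ts, m.group(3)))
    findings = []
    for (src, dport), hits in sorted(groups.items()):
        targets = {dst for _, dst in hits}
        times = [ts for ts, _ in hits]
        hours = (max(times) - min(times)).total_seconds() / 3600
        rate = (len(hits) - 1) / hours if hours else float("inf")
        if len(targets) < min_targets or rate > max_per_hour:
            continue  # too few hosts, or fast enough for ordinary thresholds
        # Which destination octets (1-4) change between probes?
        cols = zip(*(dst.split(".") for dst in targets))
        varying = [i + 1 for i, col in enumerate(cols) if len(set(col)) > 1]
        findings.append({"src": src, "port": dport, "targets": len(targets),
                         "per_hour": round(rate, 1), "varying_octets": varying})
    return findings

# First eight records are from the post; the 192.0.2.9 burst is constructed.
SAMPLE = """\
2002-03-03-12:19:32 tcp 62.22.28.56:3949 -> 130.216.214.10:443 S_
2002-03-03-12:28:02 tcp 62.22.28.56:4177 -> 130.216.215.10:443 S_
2002-03-03-12:36:34 tcp 62.22.28.56:4404 -> 130.216.216.10:443 S_
2002-03-03-12:45:00 tcp 62.22.28.56:4738 -> 130.216.217.10:443 S_
2002-03-03-02:42:44 tcp 80.26.13.125:58266 -> 130.216.4.3:443 S_
2002-03-03-02:56:02 tcp 80.26.13.125:50285 -> 130.216.5.3:443 S_
2002-03-03-03:09:22 tcp 80.26.13.125:52702 -> 130.216.6.3:443 S_
2002-03-03-03:22:46 tcp 80.26.13.125:55353 -> 130.216.7.3:443 S_
2002-03-03-12:00:00 tcp 192.0.2.9:1025 -> 198.51.100.1:443 S_
2002-03-03-12:00:01 tcp 192.0.2.9:1026 -> 198.51.100.2:443 S_
2002-03-03-12:00:02 tcp 192.0.2.9:1027 -> 198.51.100.3:443 S_
2002-03-03-12:00:03 tcp 192.0.2.9:1028 -> 198.51.100.4:443 S_
""".splitlines()

if __name__ == "__main__":
    for f in slow_scans(SAMPLE):
        print(f)
```

The constructed burst is skipped on purpose: at that rate a conventional per-minute threshold already catches it, while the two slow sources only show up when the grouping spans hours.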
This archive was generated by hypermail 2b30 : Mon Mar 04 2002 - 00:18:59 PST