FYI - slow scans for https...

From: Russell Fulton (R.FULTONat_private)
Date: Sun Mar 03 2002 - 13:30:50 PST


    FYI...
    
    Over the last two days I have seen two long running slow (a few packets
    per hour) scans of port tcp 433 in two different networks I monitor:
    
    2002-03-03-12:19:32  tcp     62.22.28.56:3949     -> 130.216.214.10:443 S_
    2002-03-03-12:28:02  tcp     62.22.28.56:4177     -> 130.216.215.10:443 S_
    2002-03-03-12:36:34  tcp     62.22.28.56:4404     -> 130.216.216.10:443 S_
    2002-03-03-12:45:00  tcp     62.22.28.56:4738     -> 130.216.217.10:443 S_
    2002-03-03-12:53:30  tcp     62.22.28.56:4889     -> 130.216.218.10:443 S_
    2002-03-03-13:01:59  tcp     62.22.28.56:1458     -> 130.216.219.10:443 S_
    2002-03-03-13:10:29  tcp     62.22.28.56:1625     -> 130.216.220.10:443 S_
    2002-03-03-13:19:00  tcp     62.22.28.56:1836     -> 130.216.221.10:443 S_
    2002-03-03-13:27:30  tcp     62.22.28.56:1952     -> 130.216.222.10:443 S_
    2002-03-03-13:35:59  tcp     62.22.28.56:2105     -> 130.216.223.10:443 S_
    2002-03-03-13:44:27  tcp     62.22.28.56:2610     -> 130.216.224.10:443 S_
    2002-03-03-13:52:55  tcp     62.22.28.56:2796     -> 130.216.225.10:443 S_

    2002-03-03-02:42:44  tcp    80.26.13.125:58266    -> 130.216.4.3:443 S_
    2002-03-03-02:56:02  tcp    80.26.13.125:50285    -> 130.216.5.3:443 S_
    2002-03-03-03:09:22  tcp    80.26.13.125:52702    -> 130.216.6.3:443 S_
    2002-03-03-03:22:46  tcp    80.26.13.125:55353    -> 130.216.7.3:443 S_
    2002-03-03-03:36:05  tcp    80.26.13.125:58038    -> 130.216.8.3:443 S_
    2002-03-03-03:49:26  tcp    80.26.13.125:51031    -> 130.216.9.3:443 S_
    2002-03-03-04:16:08  tcp    80.26.13.125:57173    -> 130.216.11.3:443 S_
    2002-03-03-04:56:15  tcp    80.26.13.125:57267    -> 130.216.14.3:443 S_
    2002-03-03-05:22:57  tcp    80.26.13.125:54947    -> 130.216.16.3:443 S_
    2002-03-03-05:36:16  tcp    80.26.13.125:58925    -> 130.216.17.3:443 S_
    2002-03-03-06:16:22  tcp    80.26.13.125:51119    -> 130.216.20.3:443 S_
    
    
    As you can see from the traces, both vary the 3rd octet fastest.
    
    I reported the scan from 80.26.13.125 last week but I have not had any
    response from the ISP involved. I reported 62.22.28.56 scan this
    morning.
    
    Interestingly both these IP addresses appear to be allocated in Spain.
    
    -- 
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
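
An added example, not part of the original post: one way to flag this kind of low-rate sweep from flow logs in the format shown above, reporting which destination octet varies. The sample lines are constructed, the thresholds are arbitrary, and treating the `S_` flag field as a SYN that got no reply is an assumption about the logging tool.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's log format, with the flag field joined back
# onto its line. Addresses are made up (documentation/private ranges).
SAMPLE = """\
2002-03-03-12:19:32  tcp  192.0.2.56:3949  -> 10.20.214.10:443 S_
2002-03-03-12:28:02  tcp  192.0.2.56:4177  -> 10.20.215.10:443 S_
2002-03-03-12:36:34  tcp  192.0.2.56:4404  -> 10.20.216.10:443 S_
2002-03-03-12:45:00  tcp  192.0.2.56:4738  -> 10.20.217.10:443 S_
2002-03-03-12:53:30  tcp  192.0.2.56:4889  -> 10.20.218.10:443 S_
2002-03-03-12:20:01  tcp  198.51.100.7:2001 -> 10.20.1.5:443 S_
2002-03-03-12:20:02  tcp  198.51.100.7:2002 -> 10.20.1.6:443 S_
2002-03-03-12:20:03  tcp  198.51.100.7:2003 -> 10.20.1.7:443 S_
2002-03-03-12:20:04  tcp  198.51.100.7:2004 -> 10.20.1.8:443 S_
2002-03-03-12:30:00  tcp  203.0.113.9:1111 -> 10.20.4.3:443 S_
2002-03-03-13:30:00  tcp  203.0.113.9:1112 -> 10.20.4.3:443 S_
"""

LINE = re.compile(r"^(\S+)\s+tcp\s+([\d.]+):\d+\s+->\s+([\d.]+):(\d+)\s+(\S+)$")

def find_slow_scans(text, min_targets=4, max_per_hour=12.0):
    """Return sources that probe many hosts on one port at a low packet rate."""
    probes = defaultdict(list)  # (src, dport) -> [(time, dst), ...]
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(5) != "S_":  # assumption: S_ = SYN with no reply
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d-%H:%M:%S")
        probes[(m.group(2), int(m.group(4)))].append((when, m.group(3)))
    findings = []
    for (src, dport), seen in sorted(probes.items()):
        seen.sort()
        targets = sorted({dst for _, dst in seen})
        hours = (seen[-1][0] - seen[0][0]).total_seconds() / 3600
        if len(targets) < min_targets or hours == 0:
            continue
        rate = len(seen) / hours
        if rate > max_per_hour:
            continue  # fast scan: ordinary per-minute thresholds catch these
        octets = [{t.split(".")[i] for t in targets} for i in range(4)]
        varying = [i + 1 for i, vals in enumerate(octets) if len(vals) > 1]
        findings.append({"src": src, "dport": dport, "targets": len(targets),
                         "per_hour": round(rate, 1), "varying_octets": varying})
    return findings

if __name__ == "__main__":
    print(find_slow_scans(SAMPLE))
```

Only the slow sweep is reported: the burst from the second source exceeds the rate ceiling, and the third source keeps returning to a single host.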
    