Re: FYI - slow scans for https...

From: Andreas Östling (andreasoat_private)
Date: Mon Mar 04 2002 - 01:16:36 PST


    On Sunday 03 March 2002 22.30, Russell Fulton wrote:
    > FYI...
    >
    > Over the last two days I have seen two long running slow (a few packets
    > per hour) scans of port tcp 433 in two different networks I monitor:
    >
    > 2002-03-03-12:19:32  tcp     62.22.28.56:3949     -> 130.216.214.10:443
    ...
    > 2002-03-03-02:42:44  tcp    80.26.13.125:58266    -> 130.216.4.3:443
    ...
    
    
    Looks like several people (including me) are seeing 443/tcp scans from those 
    addresses.
    
    ...
    02 Mar 2002 20:05:40  tcp   62.22.28.56.4827 ->  130.237.184.10.443
    02 Mar 2002 20:14:09  tcp   62.22.28.56.1290 ->  130.237.185.10.443
    02 Mar 2002 20:14:09  tcp   62.22.28.56.1290 ->  130.237.185.10.443
    02 Mar 2002 20:14:10  tcp   62.22.28.56.1290 ->  130.237.185.10.443
    02 Mar 2002 20:22:38  tcp   62.22.28.56.1592 ->  130.237.186.10.443
    02 Mar 2002 20:31:08  tcp   62.22.28.56.1871 ->  130.237.187.10.443
    02 Mar 2002 20:48:07  tcp   62.22.28.56.2400 ->  130.237.189.10.443
    02 Mar 2002 20:56:37  tcp   62.22.28.56.2656 ->  130.237.190.10.443
    02 Mar 2002 20:56:37  tcp   62.22.28.56.2656 ->  130.237.190.10.443
    02 Mar 2002 20:56:38  tcp   62.22.28.56.2656 ->  130.237.190.10.443
    02 Mar 2002 21:05:07  tcp   62.22.28.56.3090 ->  130.237.191.10.443
    02 Mar 2002 21:13:33  tcp   62.22.28.56.3531 ->  130.237.192.10.443
    02 Mar 2002 21:13:34  tcp   62.22.28.56.3531 ->  130.237.192.10.443
    02 Mar 2002 21:13:35  tcp   62.22.28.56.3531 ->  130.237.192.10.443
    02 Mar 2002 21:22:02  tcp   62.22.28.56.3980 ->  130.237.193.10.443
    02 Mar 2002 21:30:30  tcp   62.22.28.56.4379 ->  130.237.194.10.443
    02 Mar 2002 21:39:01  tcp   62.22.28.56.4700 ->  130.237.195.10.443
    02 Mar 2002 21:47:30  tcp   62.22.28.56.1081 ->  130.237.196.10.443
    02 Mar 2002 21:55:59  tcp   62.22.28.56.1434 ->  130.237.197.10.443
    02 Mar 2002 22:04:28  tcp   62.22.28.56.1843 ->  130.237.198.10.443
    02 Mar 2002 22:04:28  tcp   62.22.28.56.1843 ->  130.237.198.10.443
    02 Mar 2002 22:04:29  tcp   62.22.28.56.1843 ->  130.237.198.10.443
    ...
    
    ...
    01 Mar 2002 03:09:00  tcp  80.26.13.125.58521  ->   130.237.162.2.443
    01 Mar 2002 03:28:36  tcp  80.26.13.125.56224  ->   130.237.163.2.443
    01 Mar 2002 03:28:37  tcp  80.26.13.125.56224  ->   130.237.163.2.443
    01 Mar 2002 03:28:37  tcp  80.26.13.125.56224  ->   130.237.163.2.443
    01 Mar 2002 03:48:07  tcp  80.26.13.125.54280  ->   130.237.164.2.443
    01 Mar 2002 03:48:08  tcp  80.26.13.125.54280  ->   130.237.164.2.443
    01 Mar 2002 03:48:14  tcp  80.26.13.125.54280  ->   130.237.164.2.443
    01 Mar 2002 04:07:39  tcp  80.26.13.125.52294  ->   130.237.165.2.443
    01 Mar 2002 04:27:11  tcp  80.26.13.125.50365  ->   130.237.166.2.443
    01 Mar 2002 04:27:20  tcp  80.26.13.125.50365  ->   130.237.166.2.443
    01 Mar 2002 04:46:44  tcp  80.26.13.125.58227  ->   130.237.167.2.443
    01 Mar 2002 04:46:45  tcp  80.26.13.125.58227  ->   130.237.167.2.443
    01 Mar 2002 04:46:46  tcp  80.26.13.125.58227  ->   130.237.167.2.443
    01 Mar 2002 05:06:16  tcp  80.26.13.125.56073  ->   130.237.168.2.443
    01 Mar 2002 05:25:49  tcp  80.26.13.125.53923  ->   130.237.169.2.443
    01 Mar 2002 05:25:52  tcp  80.26.13.125.53923  ->   130.237.169.2.443
    01 Mar 2002 05:25:52  tcp  80.26.13.125.53923  ->   130.237.169.2.443
    01 Mar 2002 05:45:21  tcp  80.26.13.125.51844  ->   130.237.170.2.443
    ...
    
    I also see them scanning addresses in another class B far far away.
    
    Regards,
    Andreas Östling
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
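
An added example, not part of the original message: one way to pick slow sweeps like these out of connection logs in the `addr.port -> addr.port` format quoted above, reporting distinct targets and the median gap between attempts per source. The function names and the `min_targets`/`min_gap` thresholds are assumptions for illustration, as is treating repeated lines with the same source port and destination as one attempt.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Subset of the log lines quoted in the message above.
SAMPLE = """\
02 Mar 2002 20:05:40  tcp   62.22.28.56.4827 ->  130.237.184.10.443
02 Mar 2002 20:14:09  tcp   62.22.28.56.1290 ->  130.237.185.10.443
02 Mar 2002 20:14:09  tcp   62.22.28.56.1290 ->  130.237.185.10.443
02 Mar 2002 20:14:10  tcp   62.22.28.56.1290 ->  130.237.185.10.443
02 Mar 2002 20:22:38  tcp   62.22.28.56.1592 ->  130.237.186.10.443
02 Mar 2002 20:31:08  tcp   62.22.28.56.1871 ->  130.237.187.10.443
01 Mar 2002 03:09:00  tcp  80.26.13.125.58521  ->   130.237.162.2.443
01 Mar 2002 03:28:36  tcp  80.26.13.125.56224  ->   130.237.163.2.443
01 Mar 2002 03:28:37  tcp  80.26.13.125.56224  ->   130.237.163.2.443
01 Mar 2002 03:48:07  tcp  80.26.13.125.54280  ->   130.237.164.2.443
01 Mar 2002 04:07:39  tcp  80.26.13.125.52294  ->   130.237.165.2.443
"""

LINE = re.compile(r"(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2})\s+(\w+)\s+"
                  r"([\d.]+)\.(\d+)\s+->\s+([\d.]+)\.(\d+)\s*$")

def parse(text):
    """Yield (time, src, sport, dst, dport) from 'addr.port -> addr.port' lines."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # skip '...' elisions and anything malformed
            ts = datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S")
            yield ts, m.group(3), int(m.group(4)), m.group(5), int(m.group(6))

def slow_scans(text, min_targets=3, min_gap=60):
    """Return {(src, dport): (targets, median_gap_seconds)} for slow sweeps."""
    first_seen = {}  # one entry per attempt; repeated lines collapse (assumed retries)
    for ts, src, sport, dst, dport in parse(text):
        first_seen.setdefault((src, sport, dst, dport), ts)
    probes = defaultdict(list)
    for (src, _sport, dst, dport), ts in first_seen.items():
        probes[(src, dport)].append((ts, dst))
    report = {}
    for key, hits in probes.items():
        hits.sort()  # chronological order per source and destination port
        targets = {dst for _, dst in hits}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        if len(targets) >= min_targets and gaps and median(gaps) >= min_gap:
            report[key] = (len(targets), median(gaps))
    return report
```

A rate-based detector with a short counting window never sees more than one attempt per window from these sources, which is why the check here keys on distinct targets over the whole log rather than packets per minute.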
    



    This archive was generated by hypermail 2b30 : Mon Mar 04 2002 - 17:43:47 PST