On Sunday 03 March 2002 22.30, Russell Fulton wrote:
> FYI...
>
> Over the last two days I have seen two long running slow (a few packets
> per hour) scans of port tcp 433 in two different networks I monitor:
>
> 2002-03-03-12:19:32 tcp 62.22.28.56:3949 -> 130.216.214.10:443 ...
> 2002-03-03-02:42:44 tcp 80.26.13.125:58266 -> 130.216.4.3:443 ...

Looks like several people (including me) are seeing 443/tcp scans from
those addresses.

...
02 Mar 2002 20:05:40 tcp 62.22.28.56.4827 -> 130.237.184.10.443
02 Mar 2002 20:14:09 tcp 62.22.28.56.1290 -> 130.237.185.10.443
02 Mar 2002 20:14:09 tcp 62.22.28.56.1290 -> 130.237.185.10.443
02 Mar 2002 20:14:10 tcp 62.22.28.56.1290 -> 130.237.185.10.443
02 Mar 2002 20:22:38 tcp 62.22.28.56.1592 -> 130.237.186.10.443
02 Mar 2002 20:31:08 tcp 62.22.28.56.1871 -> 130.237.187.10.443
02 Mar 2002 20:48:07 tcp 62.22.28.56.2400 -> 130.237.189.10.443
02 Mar 2002 20:56:37 tcp 62.22.28.56.2656 -> 130.237.190.10.443
02 Mar 2002 20:56:37 tcp 62.22.28.56.2656 -> 130.237.190.10.443
02 Mar 2002 20:56:38 tcp 62.22.28.56.2656 -> 130.237.190.10.443
02 Mar 2002 21:05:07 tcp 62.22.28.56.3090 -> 130.237.191.10.443
02 Mar 2002 21:13:33 tcp 62.22.28.56.3531 -> 130.237.192.10.443
02 Mar 2002 21:13:34 tcp 62.22.28.56.3531 -> 130.237.192.10.443
02 Mar 2002 21:13:35 tcp 62.22.28.56.3531 -> 130.237.192.10.443
02 Mar 2002 21:22:02 tcp 62.22.28.56.3980 -> 130.237.193.10.443
02 Mar 2002 21:30:30 tcp 62.22.28.56.4379 -> 130.237.194.10.443
02 Mar 2002 21:39:01 tcp 62.22.28.56.4700 -> 130.237.195.10.443
02 Mar 2002 21:47:30 tcp 62.22.28.56.1081 -> 130.237.196.10.443
02 Mar 2002 21:55:59 tcp 62.22.28.56.1434 -> 130.237.197.10.443
02 Mar 2002 22:04:28 tcp 62.22.28.56.1843 -> 130.237.198.10.443
02 Mar 2002 22:04:28 tcp 62.22.28.56.1843 -> 130.237.198.10.443
02 Mar 2002 22:04:29 tcp 62.22.28.56.1843 -> 130.237.198.10.443
...

...
01 Mar 2002 03:09:00 tcp 80.26.13.125.58521 -> 130.237.162.2.443
01 Mar 2002 03:28:36 tcp 80.26.13.125.56224 -> 130.237.163.2.443
01 Mar 2002 03:28:37 tcp 80.26.13.125.56224 -> 130.237.163.2.443
01 Mar 2002 03:28:37 tcp 80.26.13.125.56224 -> 130.237.163.2.443
01 Mar 2002 03:48:07 tcp 80.26.13.125.54280 -> 130.237.164.2.443
01 Mar 2002 03:48:08 tcp 80.26.13.125.54280 -> 130.237.164.2.443
01 Mar 2002 03:48:14 tcp 80.26.13.125.54280 -> 130.237.164.2.443
01 Mar 2002 04:07:39 tcp 80.26.13.125.52294 -> 130.237.165.2.443
01 Mar 2002 04:27:11 tcp 80.26.13.125.50365 -> 130.237.166.2.443
01 Mar 2002 04:27:20 tcp 80.26.13.125.50365 -> 130.237.166.2.443
01 Mar 2002 04:46:44 tcp 80.26.13.125.58227 -> 130.237.167.2.443
01 Mar 2002 04:46:45 tcp 80.26.13.125.58227 -> 130.237.167.2.443
01 Mar 2002 04:46:46 tcp 80.26.13.125.58227 -> 130.237.167.2.443
01 Mar 2002 05:06:16 tcp 80.26.13.125.56073 -> 130.237.168.2.443
01 Mar 2002 05:25:49 tcp 80.26.13.125.53923 -> 130.237.169.2.443
01 Mar 2002 05:25:52 tcp 80.26.13.125.53923 -> 130.237.169.2.443
01 Mar 2002 05:25:52 tcp 80.26.13.125.53923 -> 130.237.169.2.443
01 Mar 2002 05:45:21 tcp 80.26.13.125.51844 -> 130.237.170.2.443
...

I also see them scanning addresses in another class B far far away.

Regards,
Andreas Östling

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
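
Added example (not part of the original messages): a small detector for scans this slow, which counts distinct destination hosts per source and port across the whole log instead of relying on a per-minute rate. The log layout follows the second excerpt in the thread; the sample addresses, the function names and the min_targets threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the layout of the log excerpt above
# (documentation/private addresses, not the hosts from the thread).
SAMPLE = """\
02 Mar 2002 20:05:40 tcp 192.0.2.56.4827 -> 10.20.184.10.443
02 Mar 2002 20:14:09 tcp 192.0.2.56.1290 -> 10.20.185.10.443
02 Mar 2002 20:14:10 tcp 192.0.2.56.1290 -> 10.20.185.10.443
02 Mar 2002 20:22:38 tcp 192.0.2.56.1592 -> 10.20.186.10.443
02 Mar 2002 20:31:08 tcp 192.0.2.56.1871 -> 10.20.187.10.443
02 Mar 2002 20:39:37 tcp 192.0.2.56.2100 -> 10.20.188.10.443
02 Mar 2002 20:40:00 tcp 192.0.2.77.3333 -> 10.20.184.25.443
"""

LINE = re.compile(r"(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) tcp "
                  r"(\d+(?:\.\d+){3})\.\d+ -> (\d+(?:\.\d+){3})\.(\d+)")

def parse(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None if unparseable."""
    m = LINE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))

def slow_scanners(lines, min_targets=5):
    """Flag (src, dport) pairs that touched >= min_targets distinct hosts."""
    first_seen = defaultdict(dict)      # (src, dport) -> {dst: first timestamp}
    for ts, src, dst, dport in filter(None, map(parse, lines)):
        first_seen[(src, dport)].setdefault(dst, ts)   # SYN retries collapse
    hits = {}
    for key, targets in first_seen.items():
        if len(targets) < min_targets:
            continue
        times = sorted(targets.values())
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        per_min = Counter(t.replace(second=0) for t in times)
        hits[key] = {
            "targets": len(targets),
            "subnets": len({d.rsplit(".", 1)[0] for d in targets}),
            "median_gap_s": median(gaps) if gaps else None,
            "peak_per_min": max(per_min.values()),  # all a per-minute rate rule sees
        }
    return hits

if __name__ == "__main__":
    for key, stats in slow_scanners(SAMPLE.splitlines()).items():
        print(key, stats)
```

On the sample, the scanning source never exceeds one new host per minute, so only the distinct-host count over the long lookback flags it.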
This archive was generated by hypermail 2b30 : Mon Mar 04 2002 - 17:43:47 PST