Early this morning (local time 0500 - UTC+1200) we detected a what appeared to be a distributed scan of ftp ports. 10 source addresses were involved and each source scanned addresses going up in steps of 21 addresses. All started from the same block of 21 addresses. The scan rates varied between the sources with some probing at the rate of 1 destination address per minute and others at up to 3 per minute. They found several ftp servers and several of the sources established TCP connections to retrieve banners so I don't believe that this was a decoy scan. Here is a list of the IPs involved: 193.92.189.98 195.199.85.93 24.203.213.246 200.207.15.4 212.249.12.194 24.232.88.160 212.72.11.26 62.110.245.69 213.53.232.131 202.84.178.1 -- Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Apr 18 2002 - 08:24:35 PDT