RE: Decrease in 1433 Scans?

From: John Campbell (jcampbellat_private)
Date: Thu May 23 2002 - 10:30:38 PDT


    Yesterday was actually our busiest day so far for 1433 scans.  We saw
    our first presumably automated scan (111 connection attempts, within a
    few seconds) on 5/19.  Yesterday (5/22) we got three of them, for a
    total of 300 or so connection attempts.  This in comparison to the 80K -
    120K TCP 80 scans we get per day, depending on what day of the month it
    is.
    
    John Campbell, CISSP, GCWN
    Information Security Engineer
    Washington School Information Processing Cooperative
    (WSIPC)
    
    -----Original Message-----
    From: Matt Barton [mailto:mattat_private] 
    Sent: Thursday, May 23, 2002 9:38 AM
    To: incidentsat_private
    Subject: Decrease in 1433 Scans?
    
    
    Hello
    
    Access attempts to port 1433 have been steady all this week, with tons
    of attempts every hour showing up in our firewall log; however, I have
    not had a single attempt since 5:43 AM EST (no EDT here in Indiana).
    
    The firewall is still logging and the integrity of my access-list
    appears to be fine.  I doubt our uplink provider is doing this, as I can
    reach the firewall if I attempt to connect to port 1433 with nmap from a
    remote system.
    
    Anyone else seeing this?
    
    -- 
    
    Matt Barton
    Webexcellence
    mattat_private
    Phone:  317.423.3548 x22
    Fax:  317.423.8735
    www.webexc.com
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    


