odd scans?

From: Scott, Michael R. (MICHAEL.R.SCOTTat_private)
Date: Fri May 24 2002 - 10:16:20 PDT

  • Next message: Kyle R. Hofmann: "Re: odd scans?" 

    Anyone recognize this or have a clue what they're looking for (covert
channel, root shell) or what tool is responsible?  The source and dest ports
are almost as randomly distributed across the high range as the location of
the source IPs are across the globe, but notice that the same two ack
numbers repeat across all the source IPs.

thanks
Mike

May 04 15:13:54.192847 213.114.155.74.10363 > A.B.24.105.32320: R 0:0(0) ack
2093292673 win 0
May 10 10:32:02.907545 202.96.170.175.23132 > A.B.24.105.16147: R 0:0(0) ack
2119353641 win 0 (DF)
May 10 10:33:02.244385 202.96.170.175.28393 > A.B.24.105.27350: R 0:0(0) ack
2093292673 win 0 (DF)
May 11 17:41:25.668000 195.159.0.90.25787 > A.B.24.105.50026: R 0:0(0) ack
2093292673 win 0 (DF)
May 12 20:57:40.114036 195.159.0.90.17655 > A.B.24.105.42560: R 0:0(0) ack
2093292673 win 0 (DF) [tos 0x60]
May 13 02:43:49.277926 210.51.195.242.30405 > A.B.24.105.55321: R 0:0(0) ack
2093292673 win 0
May 13 02:47:42.141686 210.51.195.242.13712 > A.B.24.105.13470: R 0:0(0) ack
2119353641 win 0
May 13 03:08:44.392753 210.51.195.242.14624 > A.B.24.105.25786: R 0:0(0) ack
2119353641 win 0
May 13 03:09:02.581235 210.51.195.242.21772 > A.B.24.105.55043: R 0:0(0) ack
2093292673 win 0
May 13 03:14:07.108680 210.51.195.242.16260 > A.B.24.105.50721: R 0:0(0) ack
2093292673 win 0
May 13 03:23:01.695751 210.51.195.242.24690 > A.B.24.105.43529: R 0:0(0) ack
2093292673 win 0
May 13 03:30:40.841510 210.51.195.242.20326 > A.B.24.105.32961: R 0:0(0) ack
2119353641 win 0
May 13 03:53:25.418298 195.159.0.90.28711 > A.B.24.105.54951: R 0:0(0) ack
2093292673 win 0 (DF) [tos 0x60]
May 13 19:23:30.740548 202.103.196.69.5890 > A.B.24.105.55141: R 0:0(0) ack
2093292673 win 0
May 14 09:14:44.181069 202.108.58.52.18598 > A.B.24.105.19788: R 0:0(0) ack
2119353641 win 0
May 14 16:53:22.218980 195.159.0.90.14934 > A.B.24.105.42941: R 0:0(0) ack
2093292673 win 0 (DF) [tos 0x60]
May 14 17:00:47.116523 195.159.0.90.22228 > A.B.24.105.54487: R 0:0(0) ack
2093292673 win 0 (DF) [tos 0x60]
May 18 08:51:27.644959 218.1.1.158.2471 > A.B.24.105.49396: R 0:0(0) ack
2093292673 win 0
May 19 02:35:23.141419 202.103.196.69.32229 > A.B.24.105.27436: R 0:0(0) ack
2093292673 win 0
May 19 02:47:53.563776 202.103.196.61.8113 > A.B.24.105.32263: R 0:0(0) ack
2093292673 win 0
May 19 02:55:12.054609 202.103.196.61.14270 > A.B.24.105.32852: R 0:0(0) ack
2093292673 win 0
May 19 09:17:19.226250 218.1.1.158.26563 > A.B.24.105.35030: R 0:0(0) ack
2093292673 win 0
May 20 20:54:03.565186 211.155.241.86.4949 > A.B.24.105.7930: R 0:0(0) ack
2119353641 win 0
May 21 21:59:32.021667 61.139.77.80.28873 > A.B.24.105.36294: R 0:0(0) ack
2093292673 win 0
May 21 22:01:09.809743 61.139.77.80.16712 > A.B.24.105.55967: R 0:0(0) ack
2093292673 win 0
May 21 22:03:04.032252 61.139.77.80.20641 > A.B.24.105.24336: R 0:0(0) ack
2093292673 win 0
May 21 22:05:35.751460 61.139.77.80.23510 > A.B.24.105.47833: R 0:0(0) ack
2093292673 win 0
May 21 22:19:15.208975 61.139.77.80.27333 > A.B.24.105.33607: R 0:0(0) ack
2119353641 win 0
May 21 22:30:17.176497 61.139.77.80.7683 > A.B.24.105.25473: R 0:0(0) ack
2119353641 win 0
May 22 01:25:46.457981 61.139.77.80.21143 > A.B.24.105.34794: R 0:0(0) ack
2093292673 win 0
May 22 01:29:13.261296 61.139.77.80.17424 > A.B.24.105.46475: R 0:0(0) ack
2093292673 win 0
May 22 01:39:44.960026 61.139.77.80.24893 > A.B.24.105.12434: R 0:0(0) ack
2119353641 win 0
May 22 06:54:09.159673 61.144.236.154.23977 > A.B.24.105.37501: R 0:0(0) ack
2093292673 win 0
May 22 22:04:59.837793 211.144.65.118.18268 > A.B.24.105.32230: R 0:0(0) ack
2119353641 win 0
May 23 16:12:32.902699 32.97.166.142.23906 > A.B.24.105.40741: R 0:0(0) ack
2093292673 win 0 (DF) [tos 0x8]
May 24 07:27:13.613784 213.156.32.125.19650 > A.B.24.105.20404: R 0:0(0) ack
1702151370 win 0

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

    This archive was generated by hypermail 2b30 : Fri May 24 2002 - 10:18:40 PDT