Starting at 11:38:12 UTC on July 17, we started seeing full-network port scans looking for TCP port 1025. The sources are all Windows boxes listening on TCP port 1025. The ramp up in volume from widely separated source IPs looks wormy. Is this a targeted attack against my nets, or are others seeing this scanning too? Richard ------- Jul 17 05:38:12 gateway IP FILTER: `wi` rule# 13: deny: src=131.128.196.245(1810) dst=A.B.C.0(1025) proto=6 Jul 17 05:38:12 gateway IP FILTER: `wi` rule# 38: deny: src=131.128.196.245(1822) dst=A.B.C.Y(1025) proto=6 ... Jul 17 05:38:15 gateway IP FILTER: `wi` rule# 38: deny: src=131.128.196.245(1822) dst=A.B.C.Y(1025) proto=6 Jul 17 05:38:15 gateway IP FILTER: `wi` rule# 13: deny: src=131.128.196.245(1810) dst=A.B.C.0(1025) proto=6 ... Jul 17 05:38:21 gateway IP FILTER: `wi` rule# 38: deny: src=131.128.196.245(1822) dst=A.B.C.Y(1025) proto=6 Jul 17 05:38:21 gateway IP FILTER: `wi` rule# 13: deny: src=131.128.196.245(1810) dst=A.B.C.0(1025) proto=6 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jul 17 2002 - 14:06:45 PDT