At 11:36 -0700 on 18/07/2002, H C wrote:

> Have you checked your own machine w/ fport? I've got
> ports open in that range on my system right now, but
> they're all used by MS processes.

Don't have any windows boxes. ;-)

>> The ramp up in volume from widely separated source
>> IPs looks wormy.
>
> How so? The log extract you provided doesn't show any
> data...it looks as if the initial SYN packet was
> denied. This could easily be a port scanner.

Yes, it was clearly a port scan. The ramp up among divergent source IPs I saw while I was sitting on 206./16 and later 204./16 networks looked like a spreading infection. I've seen little corroboration, though, so I'm concluding whatever was going on was targeted at a few networks, or had a very poor RNG for seeding the scan list. It never made it down to 138./16 or 128./16, as far as I can tell.

Richard

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jul 18 2002 - 13:10:55 PDT