Odd scan

From: Tadas Miniotas (tadasat_private)
Date: Sat Jul 20 2002 - 10:04:20 PDT

    Hello,
    
    Just some snort logs I found interesting. Time is GMT+2, and the source 
    IP comes from Malaysia.
    
    Earliest: 15:43:39 on 7/20/2002
    Latest: 16:16:45 on 7/20/2002
         * 584 instances of TCP ******S* scan
    Jul 20 15:43:39 202.151.224.13:2029 -> xxx.xxx.32.15:79 SYN ******S*
    Jul 20 15:43:39 202.151.224.13:2030 -> xxx.xxx.32.15:161 SYN ******S*
    Jul 20 15:43:39 202.151.224.13:2031 -> xxx.xxx.32.15:1524 SYN ******S*
    Jul 20 15:43:40 202.151.224.13:2024 -> xxx.xxx.32.13:161 SYN ******S*
    Jul 20 15:43:40 202.151.224.13:2025 -> xxx.xxx.32.13:1524 SYN ******S*
    Jul 20 15:43:42 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S*
    Jul 20 15:43:42 202.151.224.13:2034 -> xxx.xxx.32.62:1524 SYN ******S*
    Jul 20 15:43:42 202.151.224.13:2035 -> xxx.xxx.32.69:79 SYN ******S*
    Jul 20 15:43:42 202.151.224.13:2036 -> xxx.xxx.32.69:161 SYN ******S*
    Jul 20 15:43:42 202.151.224.13:2037 -> xxx.xxx.32.69:1524 SYN ******S*
    Jul 20 15:43:43 202.151.224.13:2033 -> xxx.xxx.32.62:161 SYN ******S*
    Jul 20 15:43:43 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S*
    Jul 20 15:43:43 202.151.224.13:2034 -> xxx.xxx.32.62:1524 SYN ******S*
    <snip>
    
    What seems odd to me is the quite unusual set of ports for a scan. Quite a 
    few vulnerabilities have been discovered in SNMP (port 161); an 
    ingreslock service (port 1524) is reported to be used as a backdoor 
    for several exploits against RPC services; and finger is a rarely used 
    service these days. So far, so good, but I fail to see what these three 
    ports have in common. Has anyone seen something similar? Any insight 
    would be greatly appreciated.
    
    Best regards,
    --
    Tadas Miniotas
    LitNET NOC
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
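As an added example (not part of the post), a small Python script that parses the Snort portscan log format quoted above and summarises, per source address, which targets received all three probed ports (79, 161, 1524) and how many probes were sent twice with the same source port. The 13 quoted lines are embedded as sample input; reading a repeated source port/target/port tuple as a retransmitted, unanswered SYN is an interpretation added here, not something the post states.

```python
import re
from collections import Counter, defaultdict

# Snort 1.x portscan log line, as quoted in the post.
LINE_RE = re.compile(r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) (?P<src>[\w.]+):(?P<sport>\d+)"
                     r" -> (?P<dst>[\w.]+):(?P<dport>\d+) (?P<type>\S+) (?P<flags>\S+)$")

# Sample input: the 13 lines quoted in the post (targets already masked there).
SAMPLE_LOG = """\
Jul 20 15:43:39 202.151.224.13:2029 -> xxx.xxx.32.15:79 SYN ******S*
Jul 20 15:43:39 202.151.224.13:2030 -> xxx.xxx.32.15:161 SYN ******S*
Jul 20 15:43:39 202.151.224.13:2031 -> xxx.xxx.32.15:1524 SYN ******S*
Jul 20 15:43:40 202.151.224.13:2024 -> xxx.xxx.32.13:161 SYN ******S*
Jul 20 15:43:40 202.151.224.13:2025 -> xxx.xxx.32.13:1524 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2034 -> xxx.xxx.32.62:1524 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2035 -> xxx.xxx.32.69:79 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2036 -> xxx.xxx.32.69:161 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2037 -> xxx.xxx.32.69:1524 SYN ******S*
Jul 20 15:43:43 202.151.224.13:2033 -> xxx.xxx.32.62:161 SYN ******S*
Jul 20 15:43:43 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S*
Jul 20 15:43:43 202.151.224.13:2034 -> xxx.xxx.32.62:1524 SYN ******S*
"""

def parse(text):
    """One (time, src, sport, dst, dport) tuple per well-formed line; skip the rest."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["time"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return rows

def scan_profile(rows, probe_set=frozenset({79, 161, 1524})):
    """Per source: ports used, targets that received the whole probe set, and
    probes repeated with the same 4-tuple (assumed here to be SYN retransmits)."""
    per_target = defaultdict(lambda: defaultdict(set))      # src -> dst -> {dport}
    tuples = Counter((src, sport, dst, dport) for _, src, sport, dst, dport in rows)
    for _, src, _, dst, dport in rows:
        per_target[src][dst].add(dport)
    report = {}
    for src, targets in per_target.items():
        report[src] = {
            "targets": len(targets),
            "ports": sorted(set().union(*targets.values())),
            "full_set": sorted(d for d, p in targets.items() if probe_set <= p),
            "partial": sorted(d for d, p in targets.items() if not probe_set <= p),
            "retransmitted": sum(n > 1 for (s, *_), n in tuples.items() if s == src),
        }
    return report
```

Run against a full portscan log, the "partial" list shows which hosts the <snip>'d 584 lines never completed the triple on, and "retransmitted" gives a rough idea of how many probes went unanswered.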
    
    This archive was generated by hypermail 2b30 : Sun Jul 21 2002 - 11:55:35 PDT