RE: Odd scan

From: McCammon, Keith (Keith.McCammonat_private)
Date: Sun Jul 21 2002 - 17:38:01 PDT


    You might want to try searching the GIAC archives, as well as Google.  I found these right off the bat:
    
    http://komura.net/snort/210/196/70/dest210.196.70.123-301.html
    http://komura.net/snort/210/196/70/dest210.196.70.122-201.html
    
    Same pattern.  I don't know of any tool with this fingerprint, but there are a lot of similar portscan logs floating around...
    
    Cheers
    
    Keith
    
    > -----Original Message-----
    > From: Tadas Miniotas [mailto:tadasat_private]
    > Sent: Saturday, July 20, 2002 1:04 PM
    > To: incidentsat_private
    > Subject: Odd scan
    > 
    > 
    > Hello,
    > 
    > Just some snort logs I found interesting. Time is GMT+2, and the source
    > IP comes from Malaysia.
    > 
    > Earliest: 15:43:39 on 7/20/2002
    > Latest: 16:16:45 on 7/20/2002
    >      * 584 instances of TCP ******S* scan
    > Jul 20 15:43:39 202.151.224.13:2029 -> xxx.xxx.32.15:79 SYN ******S*
    > Jul 20 15:43:39 202.151.224.13:2030 -> xxx.xxx.32.15:161 SYN ******S*
    > Jul 20 15:43:39 202.151.224.13:2031 -> xxx.xxx.32.15:1524 SYN ******S*
    > Jul 20 15:43:40 202.151.224.13:2024 -> xxx.xxx.32.13:161 SYN ******S*
    > Jul 20 15:43:40 202.151.224.13:2025 -> xxx.xxx.32.13:1524 SYN ******S*
    > Jul 20 15:43:42 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S*
    > Jul 20 15:43:42 202.151.224.13:2034 -> xxx.xxx.32.62:1524 SYN ******S*
    > Jul 20 15:43:42 202.151.224.13:2035 -> xxx.xxx.32.69:79 SYN ******S*
    > Jul 20 15:43:42 202.151.224.13:2036 -> xxx.xxx.32.69:161 SYN ******S*
    > Jul 20 15:43:42 202.151.224.13:2037 -> xxx.xxx.32.69:1524 SYN ******S*
    > Jul 20 15:43:43 202.151.224.13:2033 -> xxx.xxx.32.62:161 SYN ******S*
    > Jul 20 15:43:43 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S*
    > Jul 20 15:43:43 202.151.224.13:2034 -> xxx.xxx.32.62:1524 SYN ******S*
    > <snip>
    > 
    > What seems odd to me is a quite unusual set of ports for a scan. Quite a
    > few vulnerabilities have been discovered in SNMP (port 161), an
    > ingreslock service (port 1524) is reported to be used as a backdoor
    > for several exploits against RPC services, and finger is a rarely used
    > service these days. So far, so good, but I fail to see what these three
    > ports have in common. Has anyone seen something similar? Any insight
    > would be greatly appreciated.
    > 
    > Best regards,
    > --
    > Tadas Miniotas
    > LitNET NOC
    > 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
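The pattern Tadas asks about (one source hitting a fixed set of three ports on host after host) can be pulled out of snort's portscan.log mechanically. The following is an added example, not code from either poster: it parses the log format quoted above, counts only bare-SYN probes once each (the repeated 2032 -> .62:79 line is a retransmit), and reports sources that sweep a small port set across several hosts. The sample log is constructed from the lines in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the snort portscan.log format quoted in the thread
# (destination addresses masked as in the post).
SAMPLE_LOG = """\
Jul 20 15:43:39 202.151.224.13:2029 -> xxx.xxx.32.15:79 SYN ******S*
Jul 20 15:43:39 202.151.224.13:2030 -> xxx.xxx.32.15:161 SYN ******S*
Jul 20 15:43:39 202.151.224.13:2031 -> xxx.xxx.32.15:1524 SYN ******S*
Jul 20 15:43:40 202.151.224.13:2024 -> xxx.xxx.32.13:161 SYN ******S*
Jul 20 15:43:40 202.151.224.13:2025 -> xxx.xxx.32.13:1524 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2034 -> xxx.xxx.32.62:1524 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2035 -> xxx.xxx.32.69:79 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2036 -> xxx.xxx.32.69:161 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2037 -> xxx.xxx.32.69:1524 SYN ******S*
Jul 20 15:43:43 202.151.224.13:2033 -> xxx.xxx.32.62:161 SYN ******S*
Jul 20 15:43:43 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S*
<snip>
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<src>[\w.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\w.]+):(?P<dport>\d+) \w+ (?P<flags>\S+)$"
)

def parse(text):
    """Yield (src, sport, dst, dport, flags); lines like '<snip>' are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]

def sweep_profile(text):
    """Per source address: (sorted port set probed, number of hosts hit).
    Only bare-SYN probes count, and a retransmitted probe (same source port
    to the same dst:port, as 2032 -> .62:79 above) is counted once."""
    ports, hosts, seen = defaultdict(set), defaultdict(set), set()
    for src, sport, dst, dport, flags in parse(text):
        if flags != "******S*" or (src, sport, dst, dport) in seen:
            continue
        seen.add((src, sport, dst, dport))
        ports[src].add(dport)
        hosts[src].add(dst)
    return {s: (tuple(sorted(ports[s])), len(hosts[s])) for s in ports}

def sweeps(text, min_hosts=3, max_ports=8):
    """Sources probing a small, fixed port set across several hosts: the
    horizontal multi-port pattern asked about in the thread."""
    return {s: p for s, p in sweep_profile(text).items()
            if p[1] >= min_hosts and len(p[0]) <= max_ports}
```

On the sample, sweeps() reports 202.151.224.13 with the port set (79, 161, 1524) seen against 4 hosts, which is the fingerprint worth comparing against other archived scan logs.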
    



    This archive was generated by hypermail 2b30 : Mon Jul 22 2002 - 08:32:28 PDT