Re: large scale distributed scan of port tcp 445

From: Muhammad Faisal Rauf Danka (mfrdat_private)
Date: Thu Aug 08 2002 - 16:53:41 PDT

  • Next message: Russell Fulton: "Re: [unisog] Re: large scale distributed scan of port tcp 445"

    Which firewall logs are these? Because I'm unable to find the bits
    set, whether it was a TCP scan or a half-open SYN scan.
    Since mostly worms would TCP scan from infected boxes, if it's
    a SYN scan, then probably it's an intentional scan.
    Just wondering...
    
    Regards, 
    ---------
    Muhammad Faisal Rauf Danka
    
    Chief Technology Officer
    Gem Internet Services (Pvt) Ltd.
    web: www.gem.net.pk
    
    
    --- Russell Fulton <r.fultonat_private> wrote:
    >Greetings All,
    >	    Again my apologies to those of you who receive two copies of this
    >note. I am posting it to both unisog and incidents since a fair number of
    >educational sites are involved. This posting may also be related to an
    >ongoing discussion on the unisog list of compromised W2K boxes.
    >
    >At around 0545 on the 8th Aug (UTC) we got hit by a distributed scan
    >from 100 machines scattered around the world.  Most of the addresses are
    >owned by large ISPs and domain names indicate that they are cable or xDSL
    >customers. A significant minority of the addresses belonged to
    >educational institutions (one Taiwanese institution was very well
    >represented :( ).  I have notified all the edu sites that I can identify
    >and will work through the ISPs later today.
    >
    >For the record it took them 6 minutes to scan our entire /16 address
    >space.
    >
    >here is a cut and paste from my index of scans, the time at the start is
    >just to 1 hour resolution.
    >
    >2002.08.08.17.00 ip160.usw15.rb1.bel.nwlink.com[207.202.205.160] - Network_scan[tcp-445] - new
    >2002.08.08.17.00 208-59-162-183.hybrid.hlb-ubr.nj.cable.rcn.com[208.59.162.183] - Network_scan[tcp-445] - new
    >2002.08.08.17.00 [207.210.183.134] - Network_scan[tcp-445] - new
    >2002.08.08.17.00 d888301.MING.ab.nthu.edu.tw[140.114.213.18] - Network_scan[tcp-445] - new
    <<SNIP>>
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
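The question raised in the reply, whether the probes were half-open SYN scans or full TCP connects, can be answered from a firewall log that records TCP flag bits on inbound packets. The script below is an added example and is not code from the original post or from either list member. It parses constructed, iptables-style log lines (the SRC=/DST=/SPT=/DPT= fields followed by flag tokens such as SYN and ACK) and, per source address, checks whether any flow progressed past the initial SYN to the source's third-handshake ACK. A source whose flows all stop at the SYN is using a raw-socket scanner, which a worm driving the ordinary socket API cannot do; a source that completes handshakes is making full connects. It also summarises the distributed-scan view that Russell describes: distinct sources, distinct targets and the time span over one destination port. The sample log, the address blocks, the field layout and the minimum-target threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, iptables-style firewall log lines (not taken from the original post).
# Source addresses are RFC 5737 documentation ranges; the 445 probes from
# 203.0.113.10 never go past the SYN, while 198.51.100.7 completes handshakes.
SAMPLE_LOG = """\
Aug  8 05:45:01 fw kernel: IN=eth0 SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=3322 DPT=445 SYN URGP=0
Aug  8 05:45:01 fw kernel: IN=eth0 SRC=203.0.113.10 DST=192.0.2.6 PROTO=TCP SPT=3323 DPT=445 SYN URGP=0
Aug  8 05:45:01 fw kernel: IN=eth0 SRC=203.0.113.10 DST=192.0.2.7 PROTO=TCP SPT=3324 DPT=445 SYN URGP=0
Aug  8 05:45:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=1034 DPT=445 SYN URGP=0
Aug  8 05:45:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=1034 DPT=445 ACK URGP=0
Aug  8 05:45:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=1034 DPT=445 ACK PSH URGP=0
Aug  8 05:45:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.8 PROTO=TCP SPT=1035 DPT=445 SYN URGP=0
Aug  8 05:45:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.8 PROTO=TCP SPT=1035 DPT=445 ACK URGP=0
Aug  8 05:45:05 fw kernel: IN=eth0 SRC=192.0.2.200 DST=192.0.2.5 PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Assumed field layout: syslog timestamp, then SRC/DST, then PROTO=TCP SPT/DPT,
# then the flag tokens. Any extra fields between them (LEN=, TOS=, ...) are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (ts, src, spt, dst, dpt, flags) or None for lines that are not TCP probes."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    flags = frozenset(tok for tok in line[m.end():].split() if tok in TCP_FLAGS)
    return ts, m.group("src"), int(m.group("spt")), m.group("dst"), int(m.group("dpt")), flags


def classify_sources(lines, port=445, min_targets=3):
    """Per source: how many targets it probed and whether any flow completed a handshake.

    A flow (src, spt, dst) is 'completed' when the source sent a SYN and later an
    ACK-bearing segment without SYN, i.e. its third handshake packet. Caveat: a SYN that
    the target or the firewall never answered also stops at the SYN, so the half-open
    verdict only means something for traffic the firewall accepted and logged in full.
    """
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[4] != port:
            continue
        ts, src, spt, dst, _, flags = rec
        flows[(src, spt, dst)].append((ts, flags))

    per_src = defaultdict(lambda: {"targets": set(), "syn_only": 0, "completed": 0})
    for (src, spt, dst), pkts in flows.items():
        pkts.sort(key=lambda p: p[0])
        saw_syn, completed = False, False
        for _, flags in pkts:
            if "SYN" in flags and "ACK" not in flags:
                saw_syn = True
            elif saw_syn and "ACK" in flags and "SYN" not in flags:
                completed = True
                break
        per_src[src]["targets"].add(dst)
        per_src[src]["completed" if completed else "syn_only"] += 1

    result = {}
    for src, e in per_src.items():
        if e["completed"]:
            kind = "full connect"          # OS socket API, the way a worm would behave
        elif len(e["targets"]) >= min_targets:
            kind = "half-open SYN scan"    # raw-socket scanner, never finishes the handshake
        else:
            kind = "SYN only (too few targets to judge)"
        result[src] = {"targets": len(e["targets"]), "syn_only": e["syn_only"],
                       "completed": e["completed"], "kind": kind}
    return result


def scan_summary(lines, port=445):
    """Distributed-scan view: distinct sources and targets on `port`, and the seconds spanned.

    Many sources, each covering a slice of the target space, inside a short span is the
    signature of a coordinated sweep rather than one noisy host.
    """
    recs = [r for r in (parse_line(l) for l in lines) if r and r[4] == port]
    if not recs:
        return {"sources": 0, "targets": 0, "span_seconds": 0}
    times = [r[0] for r in recs]
    return {"sources": len({r[1] for r in recs}),
            "targets": len({r[3] for r in recs}),
            "span_seconds": int((max(times) - min(times)).total_seconds())}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, info in sorted(classify_sources(lines).items()):
        print(src, info)
    print(scan_summary(lines))
```

The check is only as good as the log point: a firewall that drops the inbound SYN and logs it will never see the source's ACK, so every scanner looks half-open there. Run it against accept logs, or against a sensor in front of hosts that actually listen on 445, before drawing the worm-versus-deliberate-scan conclusion the reply is asking about.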
    



    This archive was generated by hypermail 2b30 : Fri Aug 09 2002 - 08:30:30 PDT