Re: [unisog] Re: large scale distributed scan of port tcp 445

From: Russell Fulton (r.fultonat_private)
Date: Thu Aug 08 2002 - 17:50:49 PDT


    On Fri, 2002-08-09 at 11:53, Muhammad Faisal Rauf Danka wrote:
    > Which firewall logs are these? Because I'm unable to find the bits
    > set, whether it was a TCP scan or a half-open SYN scan?
    > Since mostly worms would TCP scan from infected boxes, if it's
    > a SYN scan, then probably it's an intentional scan.
    > Just wondering..
    
    The scans were detected by my own scan detector, which is a perl script that
    reads argus records.  The code is distributed with argus
    <www.qosient.com>.
    
    The probes were all TCP SYNs.  Only one per target, which suggests a half
    open scan (we block 445 at the firewall so nothing responded and I can't
    be sure if it really was a half open scan).
    
    I doubt very much that this is a worm; my guess is that it is some group
    with a group of zombies who want many more...
    
    BTW a few weeks ago I did see some very similar scans but just with
    10-20 hosts.  It may be the same group with more resources...
    
    -- 
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    "It ain't necessarily so"  - Gershwin
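The detection described in the post (a script that reads argus flow records, groups unanswered SYNs to port 445 by source, and notices that each target is probed exactly once) can be shown on a few constructed records. The code below is an added example; it is not Russell's perl script and not part of argus. The record layout (start time, protocol, source, source port, destination, destination port, packet count, flow state) and the use of the state `REQ` to mean "SYN seen, no reply" are assumptions made for the example, and the addresses are made up. The "one SYN per target" heuristic from the post is extended with a per-source count of flows whose SYN was retransmitted, since a kernel-driven connect() normally retries a SYN while a raw half-open scanner sends it once; that distinction is a heuristic, not proof.

```python
from collections import defaultdict

# Constructed flow records in an argus-like layout (assumed fields: start time,
# protocol, src, sport, dst, dport, packets, flow state). Made up for this
# example; not real argus output. State "REQ" is taken to mean an unanswered
# SYN, "CON" an established connection.
SAMPLE_FLOWS = """\
09:01:02 tcp 10.9.1.11 3391 192.0.2.10 445 1 REQ
09:01:02 tcp 10.9.1.11 3392 192.0.2.11 445 1 REQ
09:01:03 tcp 10.9.1.11 3393 192.0.2.12 445 1 REQ
09:01:03 tcp 10.9.1.11 3394 192.0.2.13 445 1 REQ
09:01:04 tcp 10.9.2.22 1040 192.0.2.14 445 1 REQ
09:01:04 tcp 10.9.2.22 1041 192.0.2.15 445 1 REQ
09:01:05 tcp 10.9.2.22 1042 192.0.2.16 445 1 REQ
09:01:05 tcp 10.9.2.22 1043 192.0.2.17 445 1 REQ
09:01:06 tcp 10.9.3.33 2201 192.0.2.18 445 1 REQ
09:01:06 tcp 10.9.3.33 2202 192.0.2.19 445 1 REQ
09:01:07 tcp 10.9.3.33 2203 192.0.2.20 445 1 REQ
09:01:07 tcp 10.9.3.33 2204 192.0.2.10 445 1 REQ
09:01:08 tcp 10.9.3.33 2205 192.0.2.10 445 3 REQ
09:02:00 tcp 192.0.2.50 1100 192.0.2.60 445 42 CON
09:02:10 tcp 10.9.4.44 5000 192.0.2.21 445 1 REQ
09:02:11 tcp 10.9.4.44 5001 192.0.2.22 445 1 REQ
09:02:12 tcp 10.9.4.44 5002 192.0.2.23 80 1 REQ
"""


def parse_flows(text):
    """Split the whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, proto, src, sport, dst, dport, pkts, state = line.split()
        flows.append({"time": t, "proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "pkts": int(pkts),
                      "state": state})
    return flows


def find_scanners(flows, port=445, min_targets=3):
    """Per source, collect distinct targets probed on `port` with an unanswered
    SYN. A source is reported once it has probed at least `min_targets` hosts.
    'single_syn' counts flows carrying exactly one packet (raw half-open
    probe); 'retried' counts flows with more than one packet (kernel SYN
    retransmits, i.e. a full connect attempt). Heuristic, not proof."""
    per_src = defaultdict(lambda: {"targets": set(), "single_syn": 0, "retried": 0})
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != port or f["state"] != "REQ":
            continue  # answered connections and other ports are not probes
        rec = per_src[f["src"]]
        rec["targets"].add(f["dst"])
        if f["pkts"] == 1:
            rec["single_syn"] += 1
        else:
            rec["retried"] += 1
    return {src: rec for src, rec in per_src.items()
            if len(rec["targets"]) >= min_targets}


def distributed_summary(scanners):
    """Coverage view across sources: how many hosts probed in total and how
    many were hit by more than one source. Low overlap with many sources is
    the 'coordinated zombies dividing up the address space' pattern."""
    hits = defaultdict(int)
    for rec in scanners.values():
        for dst in rec["targets"]:
            hits[dst] += 1
    return {"sources": len(scanners),
            "distinct_targets": len(hits),
            "overlapping_targets": sum(1 for n in hits.values() if n > 1)}


if __name__ == "__main__":
    scanners = find_scanners(parse_flows(SAMPLE_FLOWS))
    for src, rec in sorted(scanners.items()):
        print(f"{src}: {len(rec['targets'])} targets, "
              f"{rec['single_syn']} single-SYN flows, {rec['retried']} retried")
    print(distributed_summary(scanners))
```

On the constructed records, three sources clear the threshold, the established SMB session from 192.0.2.50 is ignored, and 10.9.4.44 stays below it because only two of its probes went to port 445. The summary reports eleven distinct targets with a single overlap, which is the low-overlap coverage that makes a set of sources look coordinated rather than independent.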
    
    



    This archive was generated by hypermail 2b30 : Fri Aug 09 2002 - 08:34:51 PDT