On Fri, 2002-08-09 at 11:53, Muhammad Faisal Rauf Danka wrote:
> Which firewall logs are these? Because I'm unable to find the bits
> set, whether it was a TCP Scan or half-open SYN Scan?
> Since mostly worms would TCP Scan from infected boxes, so if it's
> a SYN Scan, then probably it's an intentional Scan.
> Just wondering..

The scans were detected by my own scan detector, which is a Perl script and reads argus records. The code is distributed with argus <www.qosient.com>. The probes were all TCP SYNs. Only one per target, which suggests a half open scan (we block 445 at the firewall so nothing responded and I can't be sure if it really was a half open scan).

I doubt very much if this is a worm; my guess is that it is some group with a group of zombies who want many more...

BTW a few weeks ago I did see some very similar scans but just with 10-20 hosts. It may be the same group with more resources...

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

"It aint necessarily so" - Gershwin

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
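The ambiguity discussed in this message (a single unanswered SYN per target cannot be told apart as half-open or full-connect when the port is filtered) can be shown with a small flow-based sweep detector. This is an added example, not the Perl script mentioned above and not code distributed with argus; the tuple layout, function names, thresholds and addresses are all constructed for illustration.

```python
from collections import defaultdict

# Constructed flow summaries (assumed layout, not real argus output):
# (src, dst, dport, TCP flags seen from src, TCP flags seen from dst)
FLOWS = (
    # One bare SYN to each of 30 hosts on 445, nothing comes back (filtered).
    [("198.51.100.7", f"192.0.2.{i}", 445, "S", "") for i in range(1, 31)]
    # SYN, SYN-ACK, then RST from the prober: half-open behaviour.
    + [("203.0.113.9", f"192.0.2.{i}", 22, "SR", "SA") for i in range(1, 3)]
    # SYN answered by RST-ACK: closed port.
    + [("203.0.113.9", f"192.0.2.{i}", 22, "S", "RA") for i in range(3, 13)]
    # Ordinary client completing the handshake to a single server.
    + [("192.0.2.50", "192.0.2.80", 445, "SA", "SA")] * 2
)

def probe_kind(src_flags, dst_flags):
    """Classify one flow from the flags each side sent (simplified model)."""
    if "S" not in src_flags:
        return None                       # not a connection attempt
    if not dst_flags:
        return "unanswered"               # filtered or dead target
    if "S" in dst_flags and "A" in dst_flags:
        if "R" in src_flags and "A" not in src_flags:
            return "half-open"            # prober tore down after SYN-ACK
        if "A" in src_flags:
            return "connect"              # handshake completed
    return "refused"

def find_sweeps(flows, min_targets=10):
    """Report (src, dport) pairs that probed at least min_targets hosts."""
    seen = defaultdict(lambda: defaultdict(list))
    for src, dst, dport, sflags, dflags in flows:
        kind = probe_kind(sflags, dflags)
        if kind:
            seen[(src, dport)][dst].append(kind)
    report = {}
    for key, targets in seen.items():
        if len(targets) < min_targets:
            continue
        kinds = {k for ks in targets.values() for k in ks}
        # With no replies at all, the scan technique cannot be determined.
        verdict = next((k for k in ("half-open", "connect") if k in kinds),
                       "undetermined")
        report[key] = {"targets": len(targets), "verdict": verdict,
                       "max_probes_per_target": max(map(len, targets.values()))}
    return report
```
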
This archive was generated by hypermail 2b30 : Fri Aug 09 2002 - 08:34:51 PDT