looking for what? portscan 15000/tcp

From: Fabio Pietrosanti (naif) (naifat_private)
Date: Fri Aug 23 2002 - 05:08:04 PDT

    Today I found it on a very important network...
    
    Aug 23 07:34:02 router 548124: Aug 23 07:37:06 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.1.1(15000), 1 packet
    Aug 23 07:34:03 router 548125: Aug 23 07:37:07 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.1.102(15000), 1 packet
    Aug 23 07:34:04 router 548126: Aug 23 07:37:08 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.1.204(15000), 1 packet
    Aug 23 07:34:05 router 548127: Aug 23 07:37:09 MEST: %SEC-6-IPACCESSLOGP: list 105 denied tcp 210.117.126.206(15000) -> xx.xx.2.49(15000), 1 packet
    Aug 23 07:34:06 router 548128: Aug 23 07:37:10 MEST: %SEC-6-IPACCESSLOGP: list 105 denied tcp 210.117.126.206(15000) -> xx.xx.2.151(15000), 1 packet
    Aug 23 07:34:07 router 548129: Aug 23 07:37:11 MEST: %SEC-6-IPACCESSLOGP: list 105 denied tcp 210.117.126.206(15000) -> xx.xx.2.248(15000), 1 packet
    Aug 23 07:34:10 router 548130: Aug 23 07:37:14 MEST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 210.117.126.206(15000) -> xx.xx.4.1(15000), 1 packet
    Aug 23 07:34:11 router 548131: Aug 23 07:37:15 MEST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 210.117.126.206(15000) -> xx.xx.4.103(15000), 1 packet
    Aug 23 07:34:12 router 548132: Aug 23 07:37:16 MEST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 210.117.126.206(15000) -> xx.xx.4.202(15000), 1 packet
    Aug 23 07:34:15 router 548133: Aug 23 07:37:19 MEST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 210.117.126.206(15000) -> xx.xx.6.1(15000), 1 packet
    Aug 23 07:34:16 router 548134: Aug 23 07:37:20 MEST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 210.117.126.206(15000) -> xx.xx.6.100(15000), 1 packet
    Aug 23 07:34:17 router 548135: Aug 23 07:37:21 MEST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 210.117.126.206(15000) -> xx.xx.6.201(15000), 1 packet
    Aug 23 07:34:19 router 548136: Aug 23 07:37:23 MEST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 210.117.126.206(15000) -> xx.xx.7.128(15000), 1 packet
    Aug 23 07:34:19 router 548137: Aug 23 07:37:24 MEST: %SEC-6-IPACCESSLOGP: list 107 denied tcp 210.117.126.206(15000) -> xx.xx.7.227(15000), 1 packet
    Aug 23 07:37:12 router 548143: Aug 23 07:40:15 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.74.1(15000), 1 packet
    Aug 23 07:37:13 router 548144: Aug 23 07:40:17 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.74.95(15000), 1 packet
    
    From http://www.thekoala.com/ports.htm I found that it could be
     - 15000 TCP Netdemon
    
    but I'm curious regarding:
    
    - two scan attempts were done ( 07:37:06 & 07:40:17 ) 
    - why was not every host scanned, but only some of them?
    
    Regards
    
    -naif
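
An added example, not part of the original post: a Python script that parses the `%SEC-6-IPACCESSLOGP` lines quoted above, splits them into bursts by time gap, and reports the spacing between successive targets, which is the data the two questions turn on. The function names, the 60-second burst threshold and the choice of six sample lines are assumptions of this example.

```python
import re
from datetime import datetime

# Six of the log lines quoted in the post (destination prefix redacted there as "xx.xx").
SAMPLE = """\
Aug 23 07:34:02 router 548124: Aug 23 07:37:06 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.1.1(15000), 1 packet
Aug 23 07:34:03 router 548125: Aug 23 07:37:07 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.1.102(15000), 1 packet
Aug 23 07:34:04 router 548126: Aug 23 07:37:08 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.1.204(15000), 1 packet
Aug 23 07:34:05 router 548127: Aug 23 07:37:09 MEST: %SEC-6-IPACCESSLOGP: list 105 denied tcp 210.117.126.206(15000) -> xx.xx.2.49(15000), 1 packet
Aug 23 07:37:12 router 548143: Aug 23 07:40:15 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.74.1(15000), 1 packet
Aug 23 07:37:13 router 548144: Aug 23 07:40:17 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.74.95(15000), 1 packet
"""

LINE = re.compile(r"(\w{3} +\d+ [\d:]{8}) \w+: %SEC-6-IPACCESSLOGP: list (\S+) denied \w+ "
                  r"(\S+)\(\d+\) -> (\S+)\(\d+\), \d+ packets?")

def parse(text, year=2002):  # year taken from the post's Date header
    """Return events sorted by the router's own timestamp (the second one on each line)."""
    events = [{"time": datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y"),
               "acl": acl, "src": src, "dst": dst}
              for ts, acl, src, dst in LINE.findall(text)]
    return sorted(events, key=lambda e: e["time"])

def host_index(dst):
    """Offset of a target inside its /16, from the last two octets."""
    third, fourth = dst.split(".")[-2:]
    return int(third) * 256 + int(fourth)

def bursts(events, max_gap=60):
    """Group events into bursts separated by more than max_gap seconds (assumed threshold)."""
    groups = []
    for e in events:
        if groups and (e["time"] - groups[-1][-1]["time"]).total_seconds() <= max_gap:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups

def summarize(text):
    """Per burst: start time, probe count, ACLs hit, spacing between successive targets."""
    rows = []
    for g in bursts(parse(text)):
        idx = [host_index(e["dst"]) for e in g]
        rows.append({"start": g[0]["time"].strftime("%H:%M:%S"), "probes": len(g),
                     "acls": sorted({e["acl"] for e in g}),
                     "strides": [b - a for a, b in zip(idx, idx[1:])]})
    return rows

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

Only packets that matched a logging deny entry appear in this output, so a target missing from the list is not proof that it was not probed.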
    