Simple curiosity more than anything. This amount of activity over such a short amount of time is highly unusual and I was curious if others were encountering the same thing or if there was a particular script kiddie tool that could be associated with this pattern of activity.

-----Original Message-----
From: H C [mailto:keydet89at_private]
Sent: Tuesday, March 04, 2003 7:00 AM
To: incidentsat_private
Subject: Re: TCP 445 Scan?

Just out of curiosity, if the SYN packets are denied...why bother? I'm not asking to be a jerk or anything, I'm simply asking b/c our mindset is that if it's blocked, we have other, more important things that require our attention, so we ignore it.

--- Charles Hamby <fixerat_private> wrote:
>
> Morning/Afternoon All,
>
> Has anyone else recently been pegged with a large number of distributed
> TCP 445 scans over a short amount of time (within a few minutes)? A
> couple of days ago I was hit by roughly 60+ scans in a short amount of
> time; when I waded through it, it wound up being about 45 unique IP addresses
> all looking for TCP 445. Below is an excerpt from my firewall log
> (Netscreen). Has anyone else been seeing these sorts of scans lately?
> I've only seen the one scan, so I haven't had a chance to capture any more
> traffic.
>
> -CDH
>
> 2003-2-23 23:05:52 Deny 213.51.247.114->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:49 Deny 213.51.247.114->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:36 Deny 213.51.21.143->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:33 Deny 213.51.21.143->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:30 Deny 12.242.204.86->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:27 Deny 12.242.204.86->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:23 Deny 62.253.118.133->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:21 Deny 65.163.177.202->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:20 Deny 62.253.118.133->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:19 Deny 217.1.167.84->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:18 Deny 65.163.177.202->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:18 Deny 12.231.241.129->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:18 Deny 24.66.39.214->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:17 Deny 12.229.115.40->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:16 Deny 62.190.172.203->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:16 Deny 217.1.167.84->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:16 Deny 217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:16 Deny 217.162.183.155->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:15 Deny 12.231.241.129->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:15 Deny 24.66.39.214->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:14 Deny 141.153.232.196->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:14 Deny 12.229.115.40->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:14 Deny 12.231.161.15->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:13 Deny 217.162.7.16->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:13 Deny 62.190.172.203->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:13 Deny 12.242.250.247->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:13 Deny 217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
This archive was generated by hypermail 2b30 : Wed Mar 05 2003 - 08:25:51 PST