It looks like the scans are continuing, on ever decreasing IP ranges. When I look at my logs from Friday afternoon - Sunday afternoon, I see scans from 24.50.*, 24.49.*, 24.35.*, 24.34.*. As these IP ranges span multiple ISPs, I'm still thinking it's either spoofed source IPs or a script kiddie hunting down infected boxes with decreasing IPs and initiating scans from them. I'm still wondering why someone would scan TCP port 1. Maybe they're just probing for active IPs? KJP --- Joel Esler <eslerjat_private> wrote: > I have been seeing the same thing across different > areas. A lot of port 1 > scanning. Don't know what it could be though. > > J ===== There are no stupid questions, only stupid people asking them. __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 08:19:59 PDT