[Intrusions] [LOGS] Summary of large-scale portscanning detects

Merton Campbell Crockett mcc at CATO.GD-AIS.COM
Mon Aug 16 16:14:11 GMT 2004


My apologies to the list but I don't understand the significance of this
summary.  It's normal to have systems sweeping through your address space
turning the door handle to see if it's unlocked.

The first block in Sunday's report is, perhaps, the only thing of interest
in the report.  Unfortunately, the report format doesn't allow us to see
a complete set of probes targeted at an individual system.

Another curiosity question is why Microsoft RPC/CIFS ports are missing.
Looking at my own logs, probes to port 1433 are always paired with probes
to port 445.

Merton Campbell Crockett



On Sun, 15 Aug 2004 Ken.Connelly at uni.edu wrote:

> The following extracts show the beginning and ending of scan activity
> that was detected on my network.  The number following each set is the total
> number of probes for that source.  Timestamps are GMT-0500.
> 
> Aug 14 01:02:10 212.90.254.234:3627 -> xxx.yyy.1.1:21 SYN ******S* 
> Aug 14 01:02:09 212.90.254.234:3628 -> xxx.yyy.1.1:80 SYN ******S* 
> Aug 14 01:02:10 212.90.254.234:3629 -> xxx.yyy.1.1:53 SYN ******S* 
> Aug 14 01:02:10 212.90.254.234:3630 -> xxx.yyy.1.1:25 SYN ******S* 
> Aug 14 01:02:09 212.90.254.234:3631 -> xxx.yyy.1.1:79 SYN ******S* 
> Aug 14 01:02:07 212.90.254.234:3632 -> xxx.yyy.1.1:23 SYN ******S* 
> Aug 14 01:02:07 212.90.254.234:3633 -> xxx.yyy.1.1:110 SYN ******S* 
> Aug 14 01:02:10 212.90.254.234:3634 -> xxx.yyy.1.1:1433 SYN ******S* 
> [...]
> Aug 14 03:02:02 212.90.254.234:4753 -> xxx.yyy.255.254:80 SYN ******S* 
> Aug 14 03:02:02 212.90.254.234:4752 -> xxx.yyy.255.254:21 SYN ******S* 
> Aug 14 03:02:02 212.90.254.234:4758 -> xxx.yyy.255.254:79 SYN ******S* 
> Aug 14 03:02:02 212.90.254.234:4760 -> xxx.yyy.255.254:110 SYN ******S* 
> Aug 14 03:02:02 212.90.254.234:4756 -> xxx.yyy.255.254:53 SYN ******S* 
> Aug 14 03:02:02 212.90.254.234:4757 -> xxx.yyy.255.254:25 SYN ******S* 
> Aug 14 03:02:02 212.90.254.234:4759 -> xxx.yyy.255.254:23 SYN ******S* 
> Aug 14 03:02:02 212.90.254.234:4767 -> xxx.yyy.255.254:3389 SYN ******S* 
> 710292
 

-- 
BEGIN:				vcard
VERSION:			3.0
FN:				Merton Campbell Crockett
ORG:				General Dynamics Advanced Information Systems;
				Intelligence and Exploitation Systems
N:				Crockett;Merton;Campbell
EMAIL;TYPE=internet:		mcc at CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref:	+1(805)497-5045
TEL;TYPE=work,fax:		+1(805)497-5050
TEL;TYPE=cell,voice,msg:	+1(805)377-6762
END:				vcard
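Added example (not part of either message above, and not anyone's production tooling): a small Python script that parses probe records in the flat format Ken quoted, regroups them per (source, target) so the complete set of ports aimed at one host is visible, and checks Merton's observation that 1433 probes travel with 445 probes. The log lines embedded in it are constructed for the example, the hosts are masked the same way as in the post, and the function names and the loose host regex (needed so masked addresses like xxx.yyy.1.1 still parse) are my choices.

```python
import re
from collections import defaultdict

# Regex for the flat probe-report format quoted in the thread:
#   "Aug 14 01:02:10 212.90.254.234:3627 -> xxx.yyy.1.1:21 SYN ******S*"
# Hosts are matched loosely ([^\s:]+) so masked addresses still parse.
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^\s:]+):(?P<dport>\d+)\s+(?P<type>\S+)\s+(?P<flags>\S+)\s*$"
)

# Constructed sample log (not taken from the original post): one source
# sweeping three hosts. Host .1.2 gets 445 alongside 1433, host .1.3 gets
# 445 with no 1433, and a second source sends a single SSH probe. The last
# line is deliberately malformed to show it is skipped, not mis-parsed.
SAMPLE_LOG = """\
Aug 14 01:02:10 212.90.254.234:3627 -> xxx.yyy.1.1:21 SYN ******S*
Aug 14 01:02:09 212.90.254.234:3628 -> xxx.yyy.1.1:80 SYN ******S*
Aug 14 01:02:10 212.90.254.234:3634 -> xxx.yyy.1.1:1433 SYN ******S*
Aug 14 01:02:11 212.90.254.234:3640 -> xxx.yyy.1.2:80 SYN ******S*
Aug 14 01:02:11 212.90.254.234:3641 -> xxx.yyy.1.2:1433 SYN ******S*
Aug 14 01:02:11 212.90.254.234:3642 -> xxx.yyy.1.2:445 SYN ******S*
Aug 14 01:02:12 212.90.254.234:3650 -> xxx.yyy.1.3:445 SYN ******S*
Aug 14 01:02:12 212.90.254.234:3651 -> xxx.yyy.1.3:3389 SYN ******S*
Aug 14 01:03:00 10.9.8.7:40000 -> xxx.yyy.1.1:22 SYN ******S*
this line is not a probe record
"""


def parse(log_text):
    """Yield one dict per well-formed probe line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def probes_per_target(log_text):
    """Map (src, dst) -> sorted list of destination ports probed.

    This is the per-host view the flat report does not show directly."""
    targets = defaultdict(set)
    for rec in parse(log_text):
        targets[(rec["src"], rec["dst"])].add(rec["dport"])
    return {key: sorted(ports) for key, ports in targets.items()}


def port_pairing(log_text, a=1433, b=445):
    """Count, per (src, dst) pair, whether port a was probed together with
    port b, a alone, or b alone. Defaults test the 1433/445 pairing."""
    counts = {"both": 0, "a_only": 0, "b_only": 0}
    for ports in probes_per_target(log_text).values():
        has_a, has_b = a in ports, b in ports
        if has_a and has_b:
            counts["both"] += 1
        elif has_a:
            counts["a_only"] += 1
        elif has_b:
            counts["b_only"] += 1
    return counts


def probes_per_source(log_text):
    """Total probe count per source, the number printed after each block."""
    counts = defaultdict(int)
    for rec in parse(log_text):
        counts[rec["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, dst), ports in sorted(probes_per_target(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: {ports}")
    print("1433/445 pairing:", port_pairing(SAMPLE_LOG))
    print("probes per source:", probes_per_source(SAMPLE_LOG))
```

Run against a real report the per-target dictionary answers the question raised in the reply (what the full probe set against one host looked like) and the pairing counts show whether the 1433/445 correlation holds for a given source; any (src, dst) landing in `a_only` is a sweep that hit MS-SQL without touching CIFS, which is the case the thread says is unusual.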
