[Intrusions] Re: [unisog] Scanning ports
James Riden
j.riden at massey.ac.nz
Sat Sep 4 06:30:41 GMT 2004
You've got your answer elsewhere (BitTorrent), but this pattern of IP
addresses is fairly indicative of Peer to Peer file-sharing programs
in general. 24/8 is a big cable allocation in the States I think. It's
always worth checking the rDNS on a few of the targets if you're not
sure - DSL and University residential networks tend to crop up a lot.

cheers,
Jamie

Anderson Johnston <andy at umbc.edu> writes:
> A system in our residential network looks to be scanning
> random IPs, mostly on port 6881. Does this scanning pattern seem
> familiar to anyone?
>
> Thanks,
> - Andy
>
> 09/03-11:42:26.692137 MY.NET.RES.NET:3616 -> 62.150.3.166:6881
> 09/03-11:42:26.711071 MY.NET.RES.NET:3086 -> 24.93.233.51:6881
> 09/03-11:42:26.916746 MY.NET.RES.NET:1857 -> 217.208.223.93:6881
> 09/03-11:42:26.920837 MY.NET.RES.NET:3086 -> 24.93.233.51:6881
> 09/03-11:42:26.921908 MY.NET.RES.NET:1857 -> 217.208.223.93:6881
> 09/03-11:42:26.945702 MY.NET.RES.NET:2256 -> 67.161.251.75:15187
> 09/03-11:42:26.946298 MY.NET.RES.NET:2016 -> 152.7.31.87:30000
> 09/03-11:42:26.947416 MY.NET.RES.NET:1878 -> 81.57.74.192:49155
> 09/03-11:42:26.956231 MY.NET.RES.NET:4108 -> 82.203.133.145:6881
> 09/03-11:42:26.958265 MY.NET.RES.NET:1857 -> 217.208.223.93:6881
> 09/03-11:42:26.982218 MY.NET.RES.NET:3086 -> 24.93.233.51:6881
> 09/03-11:42:26.984748 MY.NET.RES.NET:4333 -> 68.145.8.37:6883
> 09/03-11:42:27.012817 MY.NET.RES.NET:4108 -> 82.203.133.145:6881
> 09/03-11:42:27.022478 MY.NET.RES.NET:3086 -> 24.93.233.51:6881
> 09/03-11:42:27.056162 MY.NET.RES.NET:2238 -> 24.33.16.169:6884
> 09/03-11:42:27.066587 MY.NET.RES.NET:1857 -> 217.208.223.93:6881
> 09/03-11:42:27.079152 MY.NET.RES.NET:1857 -> 217.208.223.93:6881
> 09/03-11:42:27.090167 MY.NET.RES.NET:1857 -> 217.208.223.93:6881
> 09/03-11:42:27.134350 MY.NET.RES.NET:4108 -> 82.203.133.145:6881
> 09/03-11:42:27.139744 MY.NET.RES.NET:1857 -> 217.208.223.93:6881
> 09/03-11:42:27.146521 MY.NET.RES.NET:4311 -> 220.255.177.222:6881
> 09/03-11:42:27.146543 MY.NET.RES.NET:1850 -> 218.214.12.17:4001
> 09/03-11:42:27.147898 MY.NET.RES.NET:1857 -> 217.208.223.93:6881
--
James Riden / j.riden at massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
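
A triage sketch for the check described in the reply, added here as an example and not part of the original messages: it tallies alert lines in the quoted format by destination and port and lists the busiest targets for a manual rDNS lookup. The sample lines are constructed, the function names are hypothetical, and treating ports 6881-6889 and repeated targets as P2P signals is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample (documentation-range IPs) in the alert format quoted above.
SAMPLE = """\
09/03-11:42:26.100000 MY.NET.RES.NET:3616 -> 192.0.2.10:6881
09/03-11:42:26.200000 MY.NET.RES.NET:3086 -> 198.51.100.7:6881
09/03-11:42:26.300000 MY.NET.RES.NET:3086 -> 198.51.100.7:6881
09/03-11:42:26.400000 MY.NET.RES.NET:1857 -> 203.0.113.5:6881
09/03-11:42:26.500000 MY.NET.RES.NET:1857 -> 203.0.113.5:6881
09/03-11:42:26.600000 MY.NET.RES.NET:1857 -> 203.0.113.5:6881
09/03-11:42:26.700000 MY.NET.RES.NET:2256 -> 192.0.2.44:15187
09/03-11:42:26.800000 MY.NET.RES.NET:4333 -> 198.51.100.90:6883
"""

# timestamp, source host:port, "->", destination IPv4:port; optional "> " quote prefix
LINE_RE = re.compile(
    r"^(?:>\s*)?\S+\s+(\S+):(\d+)\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
BT_PORTS = range(6881, 6890)  # traditional BitTorrent listening ports

def parse(text):
    """Return (src, sport, dst, dport) tuples; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows

def summarize(flows):
    targets = Counter((dst, dport) for _, _, dst, dport in flows)
    bt_events = sum(n for (_, dport), n in targets.items() if dport in BT_PORTS)
    return {
        "events": len(flows),
        "distinct_targets": len(targets),
        # Peers get retried; a sweep usually touches each target once (assumption).
        "repeated_targets": sum(1 for n in targets.values() if n > 1),
        "bt_port_share": bt_events / len(flows) if flows else 0.0,
        # Busiest destinations: the ones to check rDNS on by hand.
        "rdns_candidates": [ip for (ip, _), _ in targets.most_common(3)],
    }

def looks_like_p2p(summary, min_bt_share=0.5):
    """Hypothetical triage rule; the threshold is an assumption, not a standard."""
    return summary["bt_port_share"] >= min_bt_share and summary["repeated_targets"] > 0

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```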