[Intrusions] [LOGS] Summary of large-scale portscanning detects

Rodney Wise sctech29169 at yahoo.com
Sun Jan 9 16:25:17 GMT 2005


What I don't understand is why the traffic is being
generated and stopped from the auto-config addresses
below:

Jan  8 01:00:41 169.226.104.181:2413 -> xxx.yyy.1.1:3306 SYN ******S*
Jan  8 01:00:41 169.226.104.181:2414 -> xxx.yyy.1.2:3306 SYN ******S*
Jan  8 01:00:41 169.226.104.181:2415 -> xxx.yyy.1.3:3306 SYN ******S*
Jan  8 01:00:43 169.226.104.181:2416 -> xxx.yyy.1.4:3306 SYN ******S*
Jan  8 01:00:43 169.226.104.181:2417 -> xxx.yyy.1.5:3306 SYN ******S*
Jan  8 01:00:43 169.226.104.181:2418 -> xxx.yyy.1.6:3306 SYN ******S*
Jan  8 01:00:43 169.226.104.181:2419 -> xxx.yyy.1.7:3306 SYN ******S*
Jan  8 01:00:41 169.226.104.181:2420 -> xxx.yyy.1.8:3306 SYN ******S*
[...]
Jan  8 18:50:49 169.226.104.181:2640 -> xxx.yyy.212.75:3306 SYN ******S*
Jan  8 18:50:47 169.226.104.181:2583 -> xxx.yyy.237.7:3306 SYN ******S*
Jan  8 18:50:48 169.226.104.181:2629 -> xxx.yyy.240.211:3306 SYN ******S*
Jan  8 18:50:50 169.226.104.181:2658 -> xxx.yyy.236.23:3306 SYN ******S*
Jan  8 18:50:50 169.226.104.181:2662 -> xxx.yyy.236.51:3306 SYN ******S*
Jan  8 18:50:50 169.226.104.181:2664 -> xxx.yyy.237.7:3306 SYN ******S*
Jan  8 18:50:50 169.226.104.181:2666 -> xxx.yyy.241.179:3306 SYN ******S*
Jan  8 18:50:53 169.226.104.181:2701 -> xxx.yyy.240.211:3306 SYN ******S*
Jan  8 18:50:55 169.226.104.181:2716 -> xxx.yyy.240.211:3306 SYN ******S*
62150


Rodney Wise
--- Ken.Connelly at uni.edu wrote:

> The following extracts show the beginning and ending of scan activity
> was detected on my network.  The number following each set is the total
> number of probes for that source.  Timestamps are GMT-0600.
> 
> Jan  8 16:09:21 195.200.19.197:3049 -> xxx.yyy.207.1:5900 SYN ******S*
> Jan  8 16:09:21 195.200.19.197:3050 -> xxx.yyy.207.1:4899 SYN ******S*
> Jan  8 16:09:21 195.200.19.197:3054 -> xxx.yyy.207.1:42 SYN ******S*
> Jan  8 16:09:21 195.200.19.197:3056 -> xxx.yyy.207.2:5900 SYN ******S*
> Jan  8 16:09:21 195.200.19.197:3057 -> xxx.yyy.207.2:4899 SYN ******S*
> Jan  8 16:09:22 195.200.19.197:3061 -> xxx.yyy.207.2:42 SYN ******S*
> Jan  8 16:09:20 195.200.19.197:3062 -> xxx.yyy.207.3:5900 SYN ******S*
> Jan  8 16:09:20 195.200.19.197:3063 -> xxx.yyy.207.3:4899 SYN ******S*
> [...]
> Jan  8 23:26:23 195.200.19.197:2150 -> xxx.yyy.177.125:4899 SYN ******S*
> Jan  8 23:26:23 195.200.19.197:2149 -> xxx.yyy.177.125:5900 SYN ******S*
> Jan  8 23:26:23 195.200.19.197:2154 -> xxx.yyy.177.125:42 SYN ******S*
> Jan  8 23:26:23 195.200.19.197:2163 -> xxx.yyy.177.100:139 SYN ******S*
> Jan  8 23:26:23 195.200.19.197:2141 -> xxx.yyy.177.126:5900 SYN ******S*
> Jan  8 23:26:23 195.200.19.197:2148 -> xxx.yyy.177.126:42 SYN ******S*
> Jan  8 23:26:23 195.200.19.197:2142 -> xxx.yyy.177.126:4899 SYN ******S*
> Jan  8 23:26:23 195.200.19.197:2159 -> xxx.yyy.177.99:139 SYN ******S*
> 585089
> 
> Jan  8 03:48:54 218.234.226.85:1597 -> xxx.yyy.1.0:12345 SYN ******S*
> Jan  8 03:48:54 218.234.226.85:1600 -> xxx.yyy.1.0:27374 SYN ******S*
> Jan  8 03:48:52 218.234.226.85:1608 -> xxx.yyy.1.0:901 SYN ******S*
> Jan  8 03:48:52 218.234.226.85:1610 -> xxx.yyy.1.0:3410 SYN ******S*
> Jan  8 03:48:54 218.234.226.85:1614 -> xxx.yyy.1.1:12345 SYN ******S*
> Jan  8 03:48:54 218.234.226.85:1632 -> xxx.yyy.1.1:27374 SYN ******S*
> Jan  8 03:48:53 218.234.226.85:1634 -> xxx.yyy.1.1:901 SYN ******S*
> Jan  8 03:48:53 218.234.226.85:1665 -> xxx.yyy.1.1:3410 SYN ******S*
> [...]
> Jan  8 08:28:54 218.234.226.85:1598 -> xxx.yyy.218.252:901 SYN ******S*
> Jan  8 08:28:54 218.234.226.85:1599 -> xxx.yyy.218.252:3410 SYN ******S*
> Jan  8 08:28:54 218.234.226.85:1686 -> xxx.yyy.219.8:12345 SYN ******S*
> Jan  8 08:28:54 218.234.226.85:1687 -> xxx.yyy.219.8:27374 SYN ******S*
> Jan  8 08:28:54 218.234.226.85:1718 -> xxx.yyy.219.8:901 SYN ******S*
> Jan  8 08:28:54 218.234.226.85:1721 -> xxx.yyy.219.8:3410 SYN ******S*
> Jan  8 08:28:54 218.234.226.85:1600 -> xxx.yyy.218.253:12345 SYN ******S*
> Jan  8 08:28:54 218.234.226.85:1601 -> xxx.yyy.218.253:27374 SYN ******S*
> Jan  8 08:28:54 218.234.226.85:1602 -> xxx.yyy.218.253:901 SYN ******S*
> 243831
> 
> Jan  8 14:40:54 24.176.228.48:3369 -> xxx.yyy.164.1:5900 SYN ******S*
> Jan  8 14:40:51 24.176.228.48:3370 -> xxx.yyy.164.1:4899 SYN ******S*
> Jan  8 14:40:54 24.176.228.48:3374 -> xxx.yyy.164.1:42 SYN ******S*
> Jan  8 14:40:54 24.176.228.48:3375 -> xxx.yyy.164.2:5900 SYN ******S*
> Jan  8 14:40:54 24.176.228.48:3376 -> xxx.yyy.164.2:4899 SYN ******S*
> Jan  8 14:40:55 24.176.228.48:3380 -> xxx.yyy.164.2:42 SYN ******S*
> Jan  8 14:40:52 24.176.228.48:3381 -> xxx.yyy.164.3:5900 SYN ******S*
> Jan  8 14:40:52 24.176.228.48:3382 -> xxx.yyy.164.3:4899 SYN ******S*
> [...]
> Jan  8 17:04:48 24.176.228.48:2495 -> xxx.yyy.170.238:4899 SYN ******S*
> Jan  8 17:04:49 24.176.228.48:2499 -> xxx.yyy.170.238:42 SYN ******S*
> Jan  8 17:04:49 24.176.228.48:2501 -> xxx.yyy.170.239:4899 SYN ******S*
> Jan  8 17:04:49 24.176.228.48:2506 -> xxx.yyy.170.239:42 SYN ******S*
> Jan  8 17:04:49 24.176.228.48:2505 -> xxx.yyy.170.240:5900 SYN ******S*
> Jan  8 17:04:49 24.176.228.48:2507 -> xxx.yyy.170.240:4899 SYN ******S*
> Jan  8 17:04:49 24.176.228.48:2511 -> xxx.yyy.170.240:42 SYN ******S*
> Jan  8 17:04:49 24.176.228.48:2512 -> xxx.yyy.170.241:5900 SYN ******S*
> Jan  8 17:04:49 24.176.228.48:2513 -> xxx.yyy.170.241:4899 SYN ******S*
> 130684
> 
> Jan  8 18:14:50 206.74.118.180:4758 -> xxx.yyy.1.0:1433 SYN ******S*
> Jan  8 18:14:50 206.74.118.180:4774 -> xxx.yyy.1.1:1433 SYN ******S*
> Jan  8 18:14:50 206.74.118.180:4786 -> xxx.yyy.1.2:1433 SYN ******S*
> Jan  8 18:14:50 206.74.118.180:4791 -> xxx.yyy.1.3:1433 SYN ******S*
> Jan  8 18:14:50 206.74.118.180:4800 -> xxx.yyy.1.4:1433 SYN ******S*
> Jan  8 18:14:47 206.74.118.180:4803 -> xxx.yyy.1.5:1433 SYN ******S*
> Jan  8 18:14:50 206.74.118.180:4820 -> xxx.yyy.1.6:1433 SYN ******S*
> Jan  8 18:14:50 206.74.118.180:4861 -> xxx.yyy.1.7:1433 SYN ******S*
> [...]
> Jan  8 22:04:06 206.74.118.180:3184 -> xxx.yyy.255.247:1433 SYN ******S*
> Jan  8 22:04:07 206.74.118.180:3295 -> xxx.yyy.255.248:1433 SYN ******S*
> Jan  8 22:04:07 206.74.118.180:3319 -> xxx.yyy.255.249:1433 SYN ******S*
> Jan  8 22:04:07 206.74.118.180:3335 -> xxx.yyy.255.250:1433 SYN ******S*
> Jan  8 22:04:08 206.74.118.180:3408 -> xxx.yyy.255.251:1433 SYN ******S*
> Jan  8 22:04:08 206.74.118.180:3415 -> xxx.yyy.255.252:1433 SYN ******S*
> Jan  8 22:04:08 206.74.118.180:3422 -> xxx.yyy.255.253:1433 SYN ******S*
> Jan  8 22:04:09 206.74.118.180:3487 -> xxx.yyy.255.254:1433 SYN ******S*
> 111168
> 
> Jan  8 13:25:55 66.192.236.109:1820 -> xxx.yyy.1.0:1433 SYN ******S*
> Jan  8 13:25:55 66.192.236.109:1821 -> xxx.yyy.1.1:1433 SYN ******S*
> Jan  8 13:25:55 66.192.236.109:1822 -> xxx.yyy.1.2:1433 SYN ******S*
> Jan  8 13:25:55 66.192.236.109:1823 -> xxx.yyy.1.3:1433 SYN ******S*
> Jan  8 13:25:55 66.192.236.109:1824 -> xxx.yyy.1.4:1433 SYN ******S*
> Jan  8 13:25:55 66.192.236.109:1826 -> xxx.yyy.1.6:1433 SYN ******S*
> Jan  8 13:25:55 66.192.236.109:1827 -> xxx.yyy.1.7:1433 SYN ******S*
> Jan  8 13:25:55 66.192.236.109:1828 -> xxx.yyy.1.8:1433 SYN ******S*
> [...]
> Jan  8 17:14:53 66.192.236.109:63293 -> xxx.yyy.255.251:1433 SYN ******S*
> Jan  8 17:14:53 66.192.236.109:63286 -> xxx.yyy.255.244:1433 SYN ******S*
> Jan  8 17:14:53 66.192.236.109:63289 -> xxx.yyy.255.247:1433 SYN ******S*
> Jan  8 17:14:53 66.192.236.109:63290 -> xxx.yyy.255.248:1433 SYN ******S*
> Jan  8 17:14:53 66.192.236.109:63287 -> xxx.yyy.255.245:1433 SYN ******S*
> Jan  8 17:14:53 66.192.236.109:63294 -> xxx.yyy.255.252:1433 SYN ******S*
> Jan  8 17:14:53 66.192.236.109:63291 -> xxx.yyy.255.249:1433 SYN ******S*
> Jan  8 17:14:53 66.192.236.109:63288 -> xxx.yyy.255.246:1433 SYN ******S*
> Jan  8 17:14:53 66.192.236.109:63296 -> xxx.yyy.255.254:1433 SYN ******S*
> 99872
> 
> Jan  8 02:46:38 82.142.94.145:20024 -> xxx.yyy.85.1:5900 SYN ******S*
> Jan  8 02:46:38 82.142.94.145:1957 -> xxx.yyy.85.1:4899 SYN ******S*
> Jan  8 02:46:38 82.142.94.145:20029 -> xxx.yyy.85.1:42 SYN ******S*
> Jan  8 02:46:38 82.142.94.145:20025 -> xxx.yyy.85.2:5900 SYN ******S*
> Jan  8 02:46:38 82.142.94.145:16705 -> xxx.yyy.85.2:4899 SYN ******S*
> Jan  8 02:46:38 82.142.94.145:16713 -> xxx.yyy.85.2:42 SYN ******S*
> Jan  8 02:46:38 82.142.94.145:16717 -> xxx.yyy.85.3:5900
=== message truncated ===


=====
I have set up low cost web hosting and domain registration for anyone that needs it. http://www.scwebhost.net
Rodney
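
An added example, not part of the original post or of the tool that produced these logs: Python that rejoins the mail-wrapped log records quoted in this thread, tallies probes per source the way the summary above does, and tests each source address against the IPv4 link-local (auto-configuration) range 169.254.0.0/16. The sample lines, the `summarize` function and the year 2005 (taken from the post date) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: wrapped, partly ">"-quoted lines in the thread's format.
# The 169.254.10.20 record is invented here to contrast with 169.226.104.181.
SAMPLE = """\
Jan  8 01:00:41 169.226.104.181:2413 ->
xxx.yyy.1.1:3306 SYN ******S*
Jan  8 01:00:43 169.226.104.181:2416 ->
xxx.yyy.1.4:3306 SYN
******S*
62150
> Jan  8 16:09:21 195.200.19.197:3049 ->
> xxx.yyy.207.1:5900 SYN ******S*
> Jan  8 16:09:21 195.200.19.197:3050 ->
> xxx.yyy.207.1:4899 SYN ******S*
> Jan  8 16:09:20 195.200.19.197:3062 ->
> xxx.yyy.207.3:5900 SYN ******S*
> [...]
Jan  8 03:12:00 169.254.10.20:1025 -> xxx.yyy.1.9:3306 SYN ******S*
"""

RECORD = re.compile(r"([A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) "
                    r"(\d+(?:\.\d+){3}):\d+ ->\s+(\S+):(\d+) SYN")

def summarize(text, year=2005):
    """Per-source probe count, target ports, time span, link-local flag."""
    # Drop mail quote markers and rejoin records wrapped by the mail client.
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    out = defaultdict(lambda: {"probes": 0, "ports": set(), "targets": set(),
                               "first": None, "last": None})
    for m in RECORD.finditer(flat):
        ts, src, dst, dport = m.groups()
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        s = out[src]
        s["probes"] += 1
        s["ports"].add(int(dport))
        s["targets"].add(dst)
        # Records are not in strict time order in the log, so track min/max.
        s["first"] = min(s["first"] or when, when)
        s["last"] = max(s["last"] or when, when)
        # 169.254.0.0/16 is the IPv4 link-local (auto-configuration) range.
        s["link_local"] = ipaddress.ip_address(src).is_link_local
    return dict(out)
```

The stray count lines and `[...]` markers are skipped because they do not match the record pattern.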


		