[Intrusions] [LOGS] Summary of large-scale portscanning detects

Earnhart, Benjamin J benjamin-earnhart at uiowa.edu
Sun Jan 9 22:38:07 GMT 2005


I may be misinterpreting your issue, but do you mean to say that
169.226.104.181 is a private address (part of the 169.254.0.0/16 address
space Microsoft boxes use for IP autoconfig)?

169.226.104.181 is an ordinary public IP that, AFAICT, belongs to
Albany.edu.


> -----Original Message-----
> From: intrusions-bounces at lists.sans.org [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Rodney Wise
> Sent: Sunday, January 09, 2005 10:25 AM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] [LOGS] Summary of large-scale portscanning detects
> 
> What I don't understand is why the traffic is being
> generated and stopped from the auto-config addresses
> below:
> 
> Jan  8 01:00:41 169.226.104.181:2413 -> xxx.yyy.1.1:3306 SYN ******S*
> Jan  8 01:00:41 169.226.104.181:2414 -> xxx.yyy.1.2:3306 SYN ******S*
> Jan  8 01:00:41 169.226.104.181:2415 -> xxx.yyy.1.3:3306 SYN ******S*
> Jan  8 01:00:43 169.226.104.181:2416 -> xxx.yyy.1.4:3306 SYN ******S*
> Jan  8 01:00:43 169.226.104.181:2417 -> xxx.yyy.1.5:3306 SYN ******S*
> Jan  8 01:00:43 169.226.104.181:2418 -> xxx.yyy.1.6:3306 SYN ******S*
> Jan  8 01:00:43 169.226.104.181:2419 -> xxx.yyy.1.7:3306 SYN ******S*
> Jan  8 01:00:41 169.226.104.181:2420 -> xxx.yyy.1.8:3306 SYN ******S*
> [...]
> Jan  8 18:50:49 169.226.104.181:2640 -> xxx.yyy.212.75:3306 SYN ******S*
> Jan  8 18:50:47 169.226.104.181:2583 -> xxx.yyy.237.7:3306 SYN ******S*
> Jan  8 18:50:48 169.226.104.181:2629 -> xxx.yyy.240.211:3306 SYN ******S*
> Jan  8 18:50:50 169.226.104.181:2658 -> xxx.yyy.236.23:3306 SYN ******S*
> Jan  8 18:50:50 169.226.104.181:2662 -> xxx.yyy.236.51:3306 SYN ******S*
> Jan  8 18:50:50 169.226.104.181:2664 -> xxx.yyy.237.7:3306 SYN ******S*
> Jan  8 18:50:50 169.226.104.181:2666 -> xxx.yyy.241.179:3306 SYN ******S*
> Jan  8 18:50:53 169.226.104.181:2701 -> xxx.yyy.240.211:3306 SYN ******S*
> Jan  8 18:50:55 169.226.104.181:2716 -> xxx.yyy.240.211:3306 SYN ******S*
> 62150
> 
> 
> Rodney Wise
> --- Ken.Connelly at uni.edu wrote:
> 
> > The following extracts show the beginning and ending
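
Added example, not part of the original thread: a short Python check that separates the 169.254.0.0/16 autoconfig range from ordinary public space and summarizes SYN fan-out per source in the log format quoted above. The 10.20.x.x destinations stand in for the masked xxx.yyy addresses, and the 169.254.7.9 line is constructed for contrast.

```python
import ipaddress
import re
from collections import defaultdict

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # IPv4 autoconfig range (RFC 3927)

# Constructed sample in the quoted log format (destinations are placeholders).
SAMPLE = """\
Jan  8 01:00:41 169.226.104.181:2413 -> 10.20.1.1:3306 SYN ******S*
Jan  8 01:00:41 169.226.104.181:2414 -> 10.20.1.2:3306 SYN ******S*
Jan  8 01:00:43 169.226.104.181:2416 -> 10.20.1.4:3306 SYN ******S*
Jan  8 18:50:47 169.226.104.181:2583 -> 10.20.237.7:3306 SYN ******S*
Jan  8 18:50:50 169.226.104.181:2664 -> 10.20.237.7:3306 SYN ******S*
Jan  8 02:10:00 169.254.7.9:1025 -> 10.20.1.1:137 SYN ******S*
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<kind>\S+)"
)

def classify(addr):
    """Label an address as link-local (autoconfig), public, or other."""
    ip = ipaddress.ip_address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    return "public" if ip.is_global else "reserved/private"

def summarize(text):
    """Per (source, destination port): SYN count and distinct target hosts."""
    stats = defaultdict(lambda: {"syns": 0, "targets": set()})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["kind"] != "SYN":
            continue  # skip anything that is not a parsed SYN record
        entry = stats[(m["src"], int(m["dport"]))]
        entry["syns"] += 1
        entry["targets"].add(m["dst"])
    return {
        key: {"class": classify(key[0]), "syns": v["syns"], "targets": len(v["targets"])}
        for key, v in stats.items()
    }

if __name__ == "__main__":
    for (src, dport), info in summarize(SAMPLE).items():
        print(src, dport, info)
```

A source with many distinct targets on one destination port is the sweep pattern in the quoted log; the class label shows whether that source could plausibly be a local autoconfig host.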



