[Intrusions] [LOGS] Summary of large-scale portscanning detects

Ken Connelly Ken.Connelly at uni.edu
Sun Jan 9 22:46:22 GMT 2005


auto-config??  169.226.0.0/16 is albany.edu (State University of New 
York at Albany).

- ken

Rodney Wise wrote:

>What I don't understand is why the traffic is being
>generated and stopped from the auto-config addresses
>below:
>
>Jan  8 01:00:41 169.226.104.181:2413 ->
>xxx.yyy.1.1:3306 SYN ******S* 
>Jan  8 01:00:41 169.226.104.181:2414 ->
>xxx.yyy.1.2:3306 SYN ******S* 
>Jan  8 01:00:41 169.226.104.181:2415 ->
>xxx.yyy.1.3:3306 SYN ******S* 
>Jan  8 01:00:43 169.226.104.181:2416 ->
>xxx.yyy.1.4:3306 SYN ******S* 
>Jan  8 01:00:43 169.226.104.181:2417 ->
>xxx.yyy.1.5:3306 SYN ******S* 
>Jan  8 01:00:43 169.226.104.181:2418 ->
>xxx.yyy.1.6:3306 SYN ******S* 
>Jan  8 01:00:43 169.226.104.181:2419 ->
>xxx.yyy.1.7:3306 SYN ******S* 
>Jan  8 01:00:41 169.226.104.181:2420 ->
>xxx.yyy.1.8:3306 SYN ******S* 
>[...]
>Jan  8 18:50:49 169.226.104.181:2640 ->
>xxx.yyy.212.75:3306 SYN 
>******S* 
>Jan  8 18:50:47 169.226.104.181:2583 ->
>xxx.yyy.237.7:3306 SYN ******S* 
>Jan  8 18:50:48 169.226.104.181:2629 ->
>xxx.yyy.240.211:3306 SYN 
>******S* 
>Jan  8 18:50:50 169.226.104.181:2658 ->
>xxx.yyy.236.23:3306 SYN 
>******S* 
>Jan  8 18:50:50 169.226.104.181:2662 ->
>xxx.yyy.236.51:3306 SYN 
>******S* 
>Jan  8 18:50:50 169.226.104.181:2664 ->
>xxx.yyy.237.7:3306 SYN ******S* 
>Jan  8 18:50:50 169.226.104.181:2666 ->
>xxx.yyy.241.179:3306 SYN 
>******S* 
>Jan  8 18:50:53 169.226.104.181:2701 ->
>xxx.yyy.240.211:3306 SYN 
>******S* 
>Jan  8 18:50:55 169.226.104.181:2716 ->
>xxx.yyy.240.211:3306 SYN 
>******S* 
>62150
>
>
>Rodney Wise
>--- Ken.Connelly at uni.edu wrote:
>
>  
>
>>The following extracts show the beginning and ending of scan activity
>>that was detected on my network.  The number following each set is the
>>total number of probes for that source.  Timestamps are GMT-0600.
>>
>>Jan  8 16:09:21 195.200.19.197:3049 ->
>>xxx.yyy.207.1:5900 SYN ******S* 
>>Jan  8 16:09:21 195.200.19.197:3050 ->
>>xxx.yyy.207.1:4899 SYN ******S* 
>>Jan  8 16:09:21 195.200.19.197:3054 ->
>>xxx.yyy.207.1:42 SYN ******S* 
>>Jan  8 16:09:21 195.200.19.197:3056 ->
>>xxx.yyy.207.2:5900 SYN ******S* 
>>Jan  8 16:09:21 195.200.19.197:3057 ->
>>xxx.yyy.207.2:4899 SYN ******S* 
>>Jan  8 16:09:22 195.200.19.197:3061 ->
>>xxx.yyy.207.2:42 SYN ******S* 
>>Jan  8 16:09:20 195.200.19.197:3062 ->
>>xxx.yyy.207.3:5900 SYN ******S* 
>>Jan  8 16:09:20 195.200.19.197:3063 ->
>>xxx.yyy.207.3:4899 SYN ******S* 
>>[...]
>>Jan  8 23:26:23 195.200.19.197:2150 ->
>>xxx.yyy.177.125:4899 SYN ******S* 
>>Jan  8 23:26:23 195.200.19.197:2149 ->
>>xxx.yyy.177.125:5900 SYN ******S* 
>>Jan  8 23:26:23 195.200.19.197:2154 ->
>>xxx.yyy.177.125:42 SYN ******S* 
>>Jan  8 23:26:23 195.200.19.197:2163 ->
>>xxx.yyy.177.100:139 SYN ******S* 
>>Jan  8 23:26:23 195.200.19.197:2141 ->
>>xxx.yyy.177.126:5900 SYN ******S* 
>>Jan  8 23:26:23 195.200.19.197:2148 ->
>>xxx.yyy.177.126:42 SYN ******S* 
>>Jan  8 23:26:23 195.200.19.197:2142 ->
>>xxx.yyy.177.126:4899 SYN ******S* 
>>Jan  8 23:26:23 195.200.19.197:2159 ->
>>xxx.yyy.177.99:139 SYN ******S* 
>>585089
>>
>>Jan  8 03:48:54 218.234.226.85:1597 ->
>>xxx.yyy.1.0:12345 SYN ******S* 
>>Jan  8 03:48:54 218.234.226.85:1600 ->
>>xxx.yyy.1.0:27374 SYN ******S* 
>>Jan  8 03:48:52 218.234.226.85:1608 ->
>>xxx.yyy.1.0:901 SYN ******S* 
>>Jan  8 03:48:52 218.234.226.85:1610 ->
>>xxx.yyy.1.0:3410 SYN ******S* 
>>Jan  8 03:48:54 218.234.226.85:1614 ->
>>xxx.yyy.1.1:12345 SYN ******S* 
>>Jan  8 03:48:54 218.234.226.85:1632 ->
>>xxx.yyy.1.1:27374 SYN ******S* 
>>Jan  8 03:48:53 218.234.226.85:1634 ->
>>xxx.yyy.1.1:901 SYN ******S* 
>>Jan  8 03:48:53 218.234.226.85:1665 ->
>>xxx.yyy.1.1:3410 SYN ******S* 
>>[...]
>>Jan  8 08:28:54 218.234.226.85:1598 ->
>>xxx.yyy.218.252:901 SYN ******S* 
>>Jan  8 08:28:54 218.234.226.85:1599 ->
>>xxx.yyy.218.252:3410 SYN ******S* 
>>Jan  8 08:28:54 218.234.226.85:1686 ->
>>xxx.yyy.219.8:12345 SYN ******S* 
>>Jan  8 08:28:54 218.234.226.85:1687 ->
>>xxx.yyy.219.8:27374 SYN ******S* 
>>Jan  8 08:28:54 218.234.226.85:1718 ->
>>xxx.yyy.219.8:901 SYN ******S* 
>>Jan  8 08:28:54 218.234.226.85:1721 ->
>>xxx.yyy.219.8:3410 SYN ******S* 
>>Jan  8 08:28:54 218.234.226.85:1600 ->
>>xxx.yyy.218.253:12345 SYN ******S* 
>>Jan  8 08:28:54 218.234.226.85:1601 ->
>>xxx.yyy.218.253:27374 SYN ******S* 
>>Jan  8 08:28:54 218.234.226.85:1602 ->
>>xxx.yyy.218.253:901 SYN ******S* 
>>243831
>>
>>Jan  8 14:40:54 24.176.228.48:3369 ->
>>xxx.yyy.164.1:5900 SYN ******S* 
>>Jan  8 14:40:51 24.176.228.48:3370 ->
>>xxx.yyy.164.1:4899 SYN ******S* 
>>Jan  8 14:40:54 24.176.228.48:3374 ->
>>xxx.yyy.164.1:42 SYN ******S* 
>>Jan  8 14:40:54 24.176.228.48:3375 ->
>>xxx.yyy.164.2:5900 SYN ******S* 
>>Jan  8 14:40:54 24.176.228.48:3376 ->
>>xxx.yyy.164.2:4899 SYN ******S* 
>>Jan  8 14:40:55 24.176.228.48:3380 ->
>>xxx.yyy.164.2:42 SYN ******S* 
>>Jan  8 14:40:52 24.176.228.48:3381 ->
>>xxx.yyy.164.3:5900 SYN ******S* 
>>Jan  8 14:40:52 24.176.228.48:3382 ->
>>xxx.yyy.164.3:4899 SYN ******S* 
>>[...]
>>Jan  8 17:04:48 24.176.228.48:2495 ->
>>xxx.yyy.170.238:4899 SYN ******S* 
>>Jan  8 17:04:49 24.176.228.48:2499 ->
>>xxx.yyy.170.238:42 SYN ******S* 
>>Jan  8 17:04:49 24.176.228.48:2501 ->
>>xxx.yyy.170.239:4899 SYN ******S* 
>>Jan  8 17:04:49 24.176.228.48:2506 ->
>>xxx.yyy.170.239:42 SYN ******S* 
>>Jan  8 17:04:49 24.176.228.48:2505 ->
>>xxx.yyy.170.240:5900 SYN ******S* 
>>Jan  8 17:04:49 24.176.228.48:2507 ->
>>xxx.yyy.170.240:4899 SYN ******S* 
>>Jan  8 17:04:49 24.176.228.48:2511 ->
>>xxx.yyy.170.240:42 SYN ******S* 
>>Jan  8 17:04:49 24.176.228.48:2512 ->
>>xxx.yyy.170.241:5900 SYN ******S* 
>>Jan  8 17:04:49 24.176.228.48:2513 ->
>>xxx.yyy.170.241:4899 SYN ******S* 
>>130684
>>
>>Jan  8 18:14:50 206.74.118.180:4758 ->
>>xxx.yyy.1.0:1433 SYN ******S* 
>>Jan  8 18:14:50 206.74.118.180:4774 ->
>>xxx.yyy.1.1:1433 SYN ******S* 
>>Jan  8 18:14:50 206.74.118.180:4786 ->
>>xxx.yyy.1.2:1433 SYN ******S* 
>>Jan  8 18:14:50 206.74.118.180:4791 ->
>>xxx.yyy.1.3:1433 SYN ******S* 
>>Jan  8 18:14:50 206.74.118.180:4800 ->
>>xxx.yyy.1.4:1433 SYN ******S* 
>>Jan  8 18:14:47 206.74.118.180:4803 ->
>>xxx.yyy.1.5:1433 SYN ******S* 
>>Jan  8 18:14:50 206.74.118.180:4820 ->
>>xxx.yyy.1.6:1433 SYN ******S* 
>>Jan  8 18:14:50 206.74.118.180:4861 ->
>>xxx.yyy.1.7:1433 SYN ******S* 
>>[...]
>>Jan  8 22:04:06 206.74.118.180:3184 ->
>>xxx.yyy.255.247:1433 SYN ******S* 
>>Jan  8 22:04:07 206.74.118.180:3295 ->
>>xxx.yyy.255.248:1433 SYN ******S* 
>>Jan  8 22:04:07 206.74.118.180:3319 ->
>>xxx.yyy.255.249:1433 SYN ******S* 
>>Jan  8 22:04:07 206.74.118.180:3335 ->
>>xxx.yyy.255.250:1433 SYN ******S* 
>>Jan  8 22:04:08 206.74.118.180:3408 ->
>>xxx.yyy.255.251:1433 SYN ******S* 
>>Jan  8 22:04:08 206.74.118.180:3415 ->
>>xxx.yyy.255.252:1433 SYN ******S* 
>>Jan  8 22:04:08 206.74.118.180:3422 ->
>>xxx.yyy.255.253:1433 SYN ******S* 
>>Jan  8 22:04:09 206.74.118.180:3487 ->
>>xxx.yyy.255.254:1433 SYN ******S* 
>>111168
>>
>>Jan  8 13:25:55 66.192.236.109:1820 ->
>>xxx.yyy.1.0:1433 SYN ******S* 
>>Jan  8 13:25:55 66.192.236.109:1821 ->
>>xxx.yyy.1.1:1433 SYN ******S* 
>>Jan  8 13:25:55 66.192.236.109:1822 ->
>>xxx.yyy.1.2:1433 SYN ******S* 
>>Jan  8 13:25:55 66.192.236.109:1823 ->
>>xxx.yyy.1.3:1433 SYN ******S* 
>>Jan  8 13:25:55 66.192.236.109:1824 ->
>>xxx.yyy.1.4:1433 SYN ******S* 
>>Jan  8 13:25:55 66.192.236.109:1826 ->
>>xxx.yyy.1.6:1433 SYN ******S* 
>>Jan  8 13:25:55 66.192.236.109:1827 ->
>>xxx.yyy.1.7:1433 SYN ******S* 
>>Jan  8 13:25:55 66.192.236.109:1828 ->
>>xxx.yyy.1.8:1433 SYN ******S* 
>>[...]
>>Jan  8 17:14:53 66.192.236.109:63293 ->
>>xxx.yyy.255.251:1433 SYN ******S* 
>>Jan  8 17:14:53 66.192.236.109:63286 ->
>>xxx.yyy.255.244:1433 SYN ******S* 
>>Jan  8 17:14:53 66.192.236.109:63289 ->
>>xxx.yyy.255.247:1433 SYN ******S* 
>>Jan  8 17:14:53 66.192.236.109:63290 ->
>>xxx.yyy.255.248:1433 SYN ******S* 
>>Jan  8 17:14:53 66.192.236.109:63287 ->
>>xxx.yyy.255.245:1433 SYN ******S* 
>>Jan  8 17:14:53 66.192.236.109:63294 ->
>>xxx.yyy.255.252:1433 SYN ******S* 
>>Jan  8 17:14:53 66.192.236.109:63291 ->
>>xxx.yyy.255.249:1433 SYN ******S* 
>>Jan  8 17:14:53 66.192.236.109:63288 ->
>>xxx.yyy.255.246:1433 SYN ******S* 
>>Jan  8 17:14:53 66.192.236.109:63296 ->
>>xxx.yyy.255.254:1433 SYN ******S* 
>>99872
>>
>>Jan  8 02:46:38 82.142.94.145:20024 ->
>>xxx.yyy.85.1:5900 SYN ******S* 
>>Jan  8 02:46:38 82.142.94.145:1957 ->
>>xxx.yyy.85.1:4899 SYN ******S* 
>>Jan  8 02:46:38 82.142.94.145:20029 ->
>>xxx.yyy.85.1:42 SYN ******S* 
>>Jan  8 02:46:38 82.142.94.145:20025 ->
>>xxx.yyy.85.2:5900 SYN ******S* 
>>Jan  8 02:46:38 82.142.94.145:16705 ->
>>xxx.yyy.85.2:4899 SYN ******S* 
>>Jan  8 02:46:38 82.142.94.145:16713 ->
>>xxx.yyy.85.2:42 SYN ******S* 
>>Jan  8 02:46:38 82.142.94.145:16717 ->
>>xxx.yyy.85.3:5900 
>>    
>>
>=== message truncated ===
>
>
>=====
>I have set up low cost web hosting and domain registration for anyone that needs it. http://www.scwebhost.net
>Rodney
>
>
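An added example, not part of the original thread: a parser for the log format quoted above that undoes the mail client's line wrapping, totals probes per source, and checks each source against 169.254.0.0/16, the RFC 3927 link-local (auto-configuration) range, which is the distinction the reply turns on. The function names are hypothetical, and the last sample record is constructed to show a source that really is link-local.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LINK_LOCAL = ip_network("169.254.0.0/16")  # RFC 3927 auto-configuration range

# Sample input: records copied from the thread with their ">" quote markers
# and wrapped lines, plus one constructed record (the last) whose source
# address really is link-local.
SAMPLE = """\
>Jan  8 01:00:41 169.226.104.181:2413 ->
>xxx.yyy.1.1:3306 SYN ******S*
>Jan  8 01:00:41 169.226.104.181:2414 ->
>xxx.yyy.1.2:3306 SYN ******S*
>>Jan  8 16:09:21 195.200.19.197:3049 ->
>>xxx.yyy.207.1:5900 SYN ******S*
>>Jan  8 16:09:21 195.200.19.197:3050 ->
>>xxx.yyy.207.1:4899 SYN ******S*
>>Jan  8 16:09:21 195.200.19.197:3054 ->
>>xxx.yyy.207.1:42 SYN ******S*
>>Jan  8 16:09:21 195.200.19.197:3056 ->
>>xxx.yyy.207.2:5900 SYN ******S*
Jan  8 00:00:01 169.254.10.20:1025 -> xxx.yyy.1.9:3306 SYN ******S*
"""

# timestamp, source IP, source port, (masked) destination, destination port
RECORD = re.compile(
    r"(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\d+(?:\.\d+){3}):(\d+)\s+->\s+"
    r"(\S+):(\d+)\s+SYN")

def parse(text):
    # Strip quote markers and join wrapped lines so each record is contiguous.
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    return [m.groups() for m in RECORD.finditer(flat)]

def summarize(text):
    stats = defaultdict(lambda: {"probes": 0, "hosts": set(), "ports": set()})
    for _ts, src, _sport, dst, dport in parse(text):
        entry = stats[src]
        entry["probes"] += 1
        entry["hosts"].add(dst)  # destinations are masked, so keep as strings
        entry["ports"].add(int(dport))
    return {src: {"probes": e["probes"], "hosts": len(e["hosts"]),
                  "ports": sorted(e["ports"]),
                  "link_local": ip_address(src) in LINK_LOCAL}
            for src, e in stats.items()}

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```
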


