[Dshield] Interesting scans
Jon Kibler
Jon.Kibler at aset.com
Mon Jul 7 20:41:57 GMT 2008
Hi,
Over the past few days I have seen heavy scanning from a bot at IP
60.172.219.2. The really strange thing is that the scans always
originate from 12200/tcp. The scans are to one of 4 ports:
7212/tcp 80/tcp 8080/tcp 8000/tcp
Looking at the DShield stats, it appears that I am not the only one
being scanned by this bozo.
From an old (2006) ISC Diary, I presume scans to 7212 are looking for
GhostSurf proxies that are open. Does anyone have information to the
contrary?
Does this scanning pattern identify any particular bot?
Can someone please explain how all scans always originate from the same
port? To me, that is REALLY weird. (However, this is not the first time
I have seen such behavior. Scans always originating from 6000 seem to be
common.)
Jon
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
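An added example, not part of the original post: one way to pick sources like the one described above out of firewall logs, by flagging any source that probes several distinct targets from a single TCP source port. The log format, the function name, the threshold and every address other than 60.172.219.2 are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed log lines in a simplified iptables-style format (not real traffic).
SAMPLE_LOG = """\
Jul  7 20:01:11 fw DROP SRC=60.172.219.2 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=7212
Jul  7 20:01:11 fw DROP SRC=60.172.219.2 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=80
Jul  7 20:01:12 fw DROP SRC=60.172.219.2 DST=192.0.2.11 PROTO=TCP SPT=12200 DPT=8080
Jul  7 20:01:12 fw DROP SRC=60.172.219.2 DST=192.0.2.11 PROTO=TCP SPT=12200 DPT=8000
Jul  7 20:01:13 fw DROP SRC=60.172.219.2 DST=192.0.2.12 PROTO=TCP SPT=12200 DPT=80
Jul  7 20:02:40 fw DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=49152 DPT=22
Jul  7 20:02:41 fw DROP SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=49153 DPT=22
Jul  7 20:02:42 fw DROP SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=50211 DPT=22
Jul  7 20:02:43 fw DROP SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=51023 DPT=22
Jul  7 20:05:00 fw DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443
Jul  7 20:05:03 fw DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443
Jul  7 20:05:09 fw DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443
Jul  7 20:05:21 fw DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443
"""

FIELD_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=(\d+) DPT=(\d+)")


def fixed_source_port_scanners(log_text, min_targets=4):
    """Map each flagged source IP to (source port, sorted destination ports,
    number of distinct targets).

    A source is flagged when every probe it sent came from one source port and
    it reached at least min_targets distinct (destination IP, destination port)
    pairs. Counting distinct targets keeps ordinary SYN retransmissions, which
    reuse the same source port toward one target, from being flagged.
    """
    source_ports = defaultdict(set)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        match = FIELD_RE.search(line)
        if not match:
            continue  # not a TCP line in the assumed format
        src, dst, spt, dpt = match.groups()
        source_ports[src].add(int(spt))
        targets[src].add((dst, int(dpt)))

    flagged = {}
    for src, ports in source_ports.items():
        if len(ports) == 1 and len(targets[src]) >= min_targets:
            dest_ports = sorted({dpt for _, dpt in targets[src]})
            flagged[src] = (next(iter(ports)), dest_ports, len(targets[src]))
    return flagged
```

In the constructed sample, the source using ephemeral ports and the source retransmitting to one target are both left out; only the fixed-port, multi-target source is reported.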