Strange port scan

Anderson Johnston andy at umbc.edu
Wed Nov 28 16:16:28 GMT 2001


Anyone know what the point of scanning 17300/tcp might be?

						- andy

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2000) 1024/F67035E1 **
** Office of Information Technology, UMBC *        5D 44 1E 2E A6 7C 91 7A  **
** 410-455-2583 (v)/410-455-1065 (f)      *        C4 66 5F D5 BA B9 F6 58  **
------------------------------------------------------------------------------

---------- Forwarded message ----------
Date: Tue, 27 Nov 2001 23:58:46 -0500 (EST)
From: analyst at umbc.edu
To: andy at umbc.edu, robin at umbc.edu, sziad1 at umbc.edu
Subject: Possible intrusion detected from your domain

On 27-nov-2001 at approximately 12:20 Eastern time (GMT-5) we
detected a SYN scan of port 17300 on hosts throughout our campus network from
source ip 212.93.218.26.  This ip is registered to:

% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      212.93.215.0 - 212.93.222.255
netname:      FAISALIAH-1
descr:        Al Faisaliah Internet Services & Tecnology
country:      SA
admin-c:      AAA28-RIPE
tech-c:       ZS344-RIPE
status:       ASSIGNED PA
notify:       zaher at awalnet.net.sa
mnt-by:       AAA28-RIPE-MNT
changed:      abdullah at awalnet.net.sa 20010510
source:       RIPE

route:        212.93.192.0/19
descr:        Saudi Arabia backbone and local registry address space
descr:        Awalnet
origin:       AS8895
notify:       abuse-awalnet at isu.net.sa
mnt-by:       ISU-NOC
changed:      abuse-awalnet at isu.net.sa 20000311
source:       RIPE

person:       Abdullah Al Ashry
address:      Saudi Arabia - Riyadh - Olaya
phone:        +966 1 4600111
e-mail:       registry at awalnet.net.sa
nic-hdl:      AAA28-RIPE
notify:       registry at awalnet.net.sa
changed:      registry at awalnet.net.sa 19990501
source:       RIPE

person:       Zaher Salim
address:      Saudi Arabia - Riyadh - Olaya
phone:        +966 1 4600111
e-mail:       zaher at awalnet.net.sa
nic-hdl:      ZS344-RIPE
notify:       zaher at awalnet.net.sa
changed:      zaher at awalnet.net.sa 19990430
source:       RIPE




It is possible that a system in your domain has been compromised or is
otherwise being misused. We appreciate any action that you may take to
prevent such activity in the future.  We would also appreciate any
information that you may discover in the course of your investigations
regarding any problems or vulnerabilities in our systems.

If you have any questions or require further information, please
contact me using the information in the signature below.  This message
may be forwarded to you by a member of my staff, so please address your
response to andy at umbc.edu.

                                        Thank You,
					- Andy Johnston

**Please note that log reports mask our IP domain by default.  Our network
is 130.85.0.0/16 and "MY.NET" below stands for "130.85" or "umbc.edu" as
appropriate.

Log Excerpt:

Nov 27 12:20:41 212.93.218.26:3750 -> MY.NET.1.3:17300 SYN ******S*
Nov 27 12:20:41 212.93.218.26:3752 -> MY.NET.1.5:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3761 -> MY.NET.1.14:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3765 -> MY.NET.1.18:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3770 -> MY.NET.1.23:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3774 -> MY.NET.1.27:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3781 -> MY.NET.1.34:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3780 -> MY.NET.1.33:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3784 -> MY.NET.1.37:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3785 -> MY.NET.1.38:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3787 -> MY.NET.1.40:17300 SYN ******S*


------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2000) 1024/F67035E1 **
** Office of Information Technology, UMBC *        5D 44 1E 2E A6 7C 91 7A  **
** 410-455-2583 (v)/410-455-1065 (f)      *        C4 66 5F D5 BA B9 F6 58  **
------------------------------------------------------------------------------
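
Added example, not part of the original message or the sender's tooling: it parses log lines in the format of the excerpt above and flags any source that sends bare SYNs to the same destination port on many distinct hosts within a short window. The function names, the thresholds (10 hosts, 60 seconds) and the year used for timestamps are assumptions; the last sample line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The 11 lines of the post's log excerpt, plus one constructed non-scan line.
SAMPLE = """\
Nov 27 12:20:41 212.93.218.26:3750 -> MY.NET.1.3:17300 SYN ******S*
Nov 27 12:20:41 212.93.218.26:3752 -> MY.NET.1.5:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3761 -> MY.NET.1.14:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3765 -> MY.NET.1.18:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3770 -> MY.NET.1.23:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3774 -> MY.NET.1.27:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3781 -> MY.NET.1.34:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3780 -> MY.NET.1.33:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3784 -> MY.NET.1.37:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3785 -> MY.NET.1.38:17300 SYN ******S*
Nov 27 12:20:42 212.93.218.26:3787 -> MY.NET.1.40:17300 SYN ******S*
Nov 27 12:21:03 192.0.2.7:40112 -> MY.NET.5.9:80 SYN ******S*
""".splitlines()

# "<Mon DD HH:MM:SS> <src>:<sport> -> <dst>:<dport> SYN ******S*" (only SYN set)
LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+):(\d+) -> (\S+):(\d+) SYN \*{6}S\*$")

def parse(line, year=2001):
    """Return (timestamp, src, dst, dport), or None if the line does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(4), int(m.group(5))

def horizontal_scans(lines, min_hosts=10, window=timedelta(seconds=60)):
    """Map (src, dport) -> sorted distinct targets for each source that hit
    the same port on at least min_hosts hosts within one sliding window."""
    events = defaultdict(list)
    for ts, src, dst, dport in filter(None, map(parse, lines)):
        events[(src, dport)].append((ts, dst))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events older than the window
            hosts = {dst for _, dst in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits
```
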


