[Dshield] Port scanning from grc.com

bsshq@bearserco.com bsshq at bearserco.com
Wed Aug 6 13:10:31 GMT 2003


I am seeing the same activity from grc.com. The scanning of my ports started
July 31 and continues.

Regards,
Jim Brown

----- Original Message -----
From: "Ed Truitt" <ed.truitt at etee2k.net>
To: <list at dshield.org>
Sent: Wednesday, August 06, 2003 7:07 AM
Subject: [Dshield] Port scanning from grc.com


> Over the past week or so (starting with the 7/31 report) I started
> noticing port scans from 204.1.226.226 on my daily DShield report.  This
> IP resolves to grc.com - yep, it appears Gibson Research Corp. is
> portscanning lil ol' me!  They scan between 3 and 5 ports each day. Here
> is a sample of my log entries:
>
>
> Aug  4 00:41:21 osiris kernel: IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:20:ea:cd:4c:27:08:00 SRC=204.1.226.226
> DST=216.39.204.31 LEN=40 TOS=0x00 PREC=0x00 TTL=110
> ID=47130 DF PROTO=TCP SPT=80 DPT=57346 WINDOW=8760 RES=0x00 ACK SYN
> URGP=0
> Aug  4 01:31:22 osiris kernel: IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:20:ea:cd:4c:27:08:00 SRC=204.1.226.226
> DST=216.39.204.16 LEN=40 TOS=0x00 PREC=0x00 TTL=110
> ID=36107 DF PROTO=TCP SPT=80 DPT=25123 WINDOW=8760 RES=0x00 ACK SYN
> URGP=0
> Aug  4 10:09:37 osiris kernel: IN=eth0 OUT=
> MAC=00:50:8b:b0:06:10:00:20:ea:cd:4c:27:08:00 SRC=204.1.226.226
> DST=216.39.204.25 LEN=40 TOS=0x00 PREC=0x00 TTL=110
> ID=18290 DF PROTO=TCP SPT=80 DPT=59900 WINDOW=8760 RES=0x00 ACK SYN
> URGP=0
>
>
> In looking at the log entries for 8/4, they hit 3 of my IPs - my WAN
> interface, my broadcast address, and one of my systems.  They show a SRC
> of 80 and different DST ports in the high order.  They have the SYN ACK
> flag set, as if they were responding to a connection originated by me.
> Now, while I could see my systems doing this (though I would start
> looking for a trojan, as I haven't visited grc.com lately), I don't
> understand why anyone would be responding to connection requests from my
> WAN interface / broadcast address?
>
> Is this some type of bizarre new "advanced research" project they are
> doing?  Have they hired John Poindexter from DARPA? ;-)  Inquiring (and
> puzzled) minds want to know...
>
> --
> ---
> Cheers,
> Ed Truitt
> PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
> http://www.etee2k.net
> http://www.bsatroop148.org
>
> "Note to spammers:  my 'delete' key is connected to YOUR ISP.
>  Also, if you send me UCE, I reserve the right to post your spew
> on my Web site, with the appropriate color commentary, so that
> others may have a good laugh at your expense."

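One way to check the observation in the quoted message that every logged packet has both SYN and ACK set (an added example, not part of either post): it rejoins the wrapped, ">"-quoted netfilter LOG lines from the message, parses their fields, and labels each packet by its TCP flags. The function names and the "connection attempt" / "handshake reply" labels are this example's own.

```python
import re
from collections import defaultdict

# The three entries quoted in the post, still wrapped and ">"-quoted by the mail client.
SAMPLE = """\
> Aug  4 00:41:21 osiris kernel: IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:20:ea:cd:4c:27:08:00 SRC=204.1.226.226
> DST=216.39.204.31 LEN=40 TOS=0x00 PREC=0x00 TTL=110
> ID=47130 DF PROTO=TCP SPT=80 DPT=57346 WINDOW=8760 RES=0x00 ACK SYN
> URGP=0
> Aug  4 01:31:22 osiris kernel: IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:20:ea:cd:4c:27:08:00 SRC=204.1.226.226
> DST=216.39.204.16 LEN=40 TOS=0x00 PREC=0x00 TTL=110
> ID=36107 DF PROTO=TCP SPT=80 DPT=25123 WINDOW=8760 RES=0x00 ACK SYN
> URGP=0
> Aug  4 10:09:37 osiris kernel: IN=eth0 OUT=
> MAC=00:50:8b:b0:06:10:00:20:ea:cd:4c:27:08:00 SRC=204.1.226.226
> DST=216.39.204.25 LEN=40 TOS=0x00 PREC=0x00 TTL=110
> ID=18290 DF PROTO=TCP SPT=80 DPT=59900 WINDOW=8760 RES=0x00 ACK SYN
> URGP=0
"""
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp opens a record
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# SYN alone opens a handshake; SYN+ACK is the answer to somebody's SYN.
KINDS = {frozenset({"SYN"}): "connection attempt", frozenset({"SYN", "ACK"}): "handshake reply"}

def records(text):
    """Strip quote markers and rejoin wrapped lines: one string per logged packet."""
    out = []
    for line in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", line).strip()
        if STAMP.match(line):
            out.append(line)
        elif line and out:
            out[-1] += " " + line
    return out

def parse(record):
    """Split a LOG record into KEY=value fields and add a flag-based KIND."""
    fields = dict(t.split("=", 1) for t in record.split() if "=" in t)
    flags = frozenset(record.split()) & TCP_FLAGS
    fields["KIND"] = KINDS.get(flags, "other")
    return fields

def summarize(text):
    """Per source address: the packet kinds seen and the distinct DST/SPT/DPT values."""
    by_src = defaultdict(lambda: defaultdict(set))
    for f in map(parse, records(text)):
        for key in ("KIND", "DST", "SPT", "DPT"):
            by_src[f["SRC"]][key].add(f[key])
    return by_src
```

For the three quoted entries, `summarize(SAMPLE)` reports a single source with source port 80, three destination addresses, three destination ports, and only "handshake reply" packets.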


