[Dshield] Unusual UDP port scans -- forged (?) source IP 61.220.98.98 port 56933

Jon R. Kibler Jon.Kibler at aset.com
Fri Feb 13 22:23:54 GMT 2004


We started getting these really strange hits starting at noon US/Eastern (GMT-0500). To me, they look like a forged source IP and port. Anyone recognize this?

From Cisco router log:
> Feb 13 12:00:02 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 1 packet
> Feb 13 12:32:12 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 1 packet
> Feb 13 13:00:00 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 1 packet
> Feb 13 13:05:38 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 113 packets
> Feb 13 13:30:00 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 1 packet
> Feb 13 14:00:00 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 1 packet
> Feb 13 14:05:39 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 80 packets
> Feb 13 14:30:01 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 1 packet
> Feb 13 14:35:41 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 73 packets
> Feb 13 15:00:01 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 1 packet
> Feb 13 15:05:42 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 69 packets
> Feb 13 15:30:01 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 1 packet
> Feb 13 15:35:42 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 64 packets
> Feb 13 16:00:01 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 1 packet
> Feb 13 16:30:01 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 1 packet
> Feb 13 16:35:44 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 59 packets

TIA for your help!

Jon

-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
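
One way to quantify the cadence of the entries quoted above, as an added example that is not part of the original post: it parses eight of the quoted log lines, groups them by flow, and reports the spacing of the 1-packet entries separately from the multi-packet entries. The function names and the year 2004 (taken from the post date) are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Eight of the router log lines quoted in the post above (quote markers stripped).
LOG = """\
Feb 13 13:00:00 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 1 packet
Feb 13 13:05:38 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 113 packets
Feb 13 13:30:00 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 1 packet
Feb 13 14:00:00 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 1 packet
Feb 13 14:05:39 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 80 packets
Feb 13 14:30:01 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 1 packet
Feb 13 14:35:41 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 73 packets
Feb 13 15:00:01 border8215 list 110 denied udp 61.220.98.98(56933) -> 63.113.59.66(32781), 1 packet
"""

LINE_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+list\s+(?P<acl>\S+)\s+denied\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s+"
    r"(?P<count>\d+)\s+packets?")

def parse(text, year=2004):
    """Yield (flow, timestamp, packet_count); the year is assumed from the post date."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip anything that is not an ACL deny entry
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        flow = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        yield flow, ts, int(m["count"])

def gaps(times):
    """Seconds between consecutive timestamps."""
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def summarize(text):
    """Per flow: total packets, and spacing of 1-packet vs multi-packet entries."""
    flows = defaultdict(lambda: {"packets": 0, "single": [], "burst": []})
    for flow, ts, count in parse(text):
        rec = flows[flow]
        rec["packets"] += count
        rec["single" if count == 1 else "burst"].append(ts)
    return {f: {"packets": r["packets"], "single_gaps": gaps(r["single"]),
                "burst_gaps": gaps(r["burst"])} for f, r in flows.items()}

if __name__ == "__main__":
    for flow, stats in summarize(LOG).items():
        print(flow, stats)
```

When reading the output, note that Cisco IOS ACL logging reports the first matching packet immediately and summarizes further matches at 5-minute intervals, so the multi-packet entries are aggregate counts rather than per-packet timestamps.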



