[Dshield] Strange Scan

bpennell@coxhealthplans.com bpennell at coxhealthplans.com
Wed Dec 28 18:35:56 GMT 2005


Can anyone tell me what's going on here?  The source address is scanning my block of public IPs.  

The packets originate from source port 80 with the ACK and RST flags set, and they are being sent to my entire subnet.  Does anyone know what this is?

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.81 LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=45054 PROTO=TCP SPT=80 DPT=6500 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.85 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=1517 PROTO=TCP SPT=80 DPT=17113 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.90 LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=40373 PROTO=TCP SPT=80 DPT=93 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.81 LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=59506 PROTO=TCP SPT=80 DPT=8060 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.89 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=13926 PROTO=TCP SPT=80 DPT=14303 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.74 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=294X PROTO=TCP SPT=80 DPT=7538 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.89 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=1344 PROTO=TCP SPT=80 DPT=1601 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.81 LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=56730 PROTO=TCP SPT=80 DPT=4333 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.82 LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=7318 PROTO=TCP SPT=80 DPT=24 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.85 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=18953 PROTO=TCP SPT=80 DPT=56 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.83 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=43877 PROTO=TCP SPT=80 DPT=2895 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.81 LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=27816 PROTO=TCP SPT=80 DPT=5696 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.85 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=48158 PROTO=TCP SPT=80 DPT=307X WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.95 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=41638 PROTO=TCP SPT=80 DPT=7406 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.85 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=15282 PROTO=TCP SPT=80 DPT=91 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.83 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=7804 PROTO=TCP SPT=80 DPT=14978 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.81 LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=43695 PROTO=TCP SPT=80 DPT=1884 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.89 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=7754 PROTO=TCP SPT=80 DPT=13389 WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.66 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=63012 PROTO=TCP SPT=80 DPT=24 WINDOW=0 RES=0x00 ACK RST URGP=0




