[Dshield] Port scans

Meidinger Chris chris.meidinger at badenit.de
Wed Mar 16 11:19:21 GMT 2005


 Hi Barton,

I see a lot of this on a couple of machines that are hosted in different
places, such as Strato's 81.169.* subnet. My theory is that:

1) the MS stuff is broadcast junk from hosted machines that don't have a 32
netmask. (Hosted machines should have 32, assuming you only have one machine
hosted)
2) worm activity that starts in the local subnet and works its way out. This
is a sensible thing for worm authors to do, because the machines in the local
subnet are the ones most likely reachable without firewall/whatever in
between.

Cheers,

Chris

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of admin
> Sent: Tuesday, March 15, 2005 7:35 PM
> To: list at lists.dshield.org
> Subject: [Dshield] Port scans
> 
> When I look at my log files I see that I get many more port 
> scans from the same IP range as mine. I am with SBC in LA and 
> my IP is 68.122.xxx.xxx and most of the port scans and MS 
> junk is all from others with this IP range. What am I 
> missing? What is it about the Net topology that makes most of 
> the junk come from the same range? This is a serious 
> question, I really would like to know.
> 
> Thanks
> 
> --
> ----------------
> Barton L. Phillips
> Applied Technology Resources, Inc.
> Tel: (818)652-9850
> Web: http://www.applitec.com
> 
> 
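
Added example (not from either poster): one way to check both theories against your own firewall log is to separate packets that were not addressed to your IP (broadcast noise) from directed probes, bucket the probes by how close the source is, and compare the result with what a uniformly random scanner would produce. The log lines are constructed in iptables LOG style, and `classify`, `overrepresentation` and the own address 68.122.40.7 are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in iptables LOG style; every address here is made up.
SAMPLE_LOG = """\
Mar 15 19:01:02 fw kernel: IN=eth0 SRC=68.122.40.12 DST=68.122.40.255 PROTO=UDP SPT=137 DPT=137
Mar 15 19:01:05 fw kernel: IN=eth0 SRC=68.122.40.31 DST=68.122.40.255 PROTO=UDP SPT=138 DPT=138
Mar 15 19:02:11 fw kernel: IN=eth0 SRC=68.122.17.200 DST=68.122.40.7 PROTO=TCP SPT=3312 DPT=445
Mar 15 19:02:40 fw kernel: IN=eth0 SRC=68.122.93.5 DST=68.122.40.7 PROTO=TCP SPT=4410 DPT=135
Mar 15 19:03:09 fw kernel: IN=eth0 SRC=68.90.1.77 DST=68.122.40.7 PROTO=TCP SPT=2200 DPT=445
Mar 15 19:04:51 fw kernel: IN=eth0 SRC=203.0.113.9 DST=68.122.40.7 PROTO=TCP SPT=5120 DPT=22
"""

FIELD = re.compile(r"\b(SRC|DST)=(\S+)")
NOT_FOR_US = "broadcast/other-dst"

def classify(log_text, own_ip, prefixes=(24, 16, 8)):
    """Count logged packets: broadcast noise vs. directed probes by source distance."""
    own = ipaddress.ip_address(own_ip)
    # Most specific prefix first, so each source lands in its nearest bucket.
    nets = [(p, ipaddress.ip_network(f"{own}/{p}", strict=False))
            for p in sorted(prefixes, reverse=True)]
    counts = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        try:
            src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # not a packet line, or a malformed address
        if dst != own:
            counts[NOT_FOR_US] += 1  # theory 1: junk that was never addressed to us
        else:
            near = next((f"same /{p}" for p, n in nets if src in n), "remote")
            counts[near] += 1        # theory 2: directed probes, nearest bucket
    return counts

def overrepresentation(counts, prefix):
    """Observed share of directed probes from inside own /prefix, divided by the
    share a scanner picking IPv4 targets uniformly at random would give."""
    directed = sum(v for k, v in counts.items() if k != NOT_FOR_US)
    if not directed:
        return 0.0
    inside = sum(v for k, v in counts.items()
                 if k.startswith("same /") and int(k.split("/")[1]) >= prefix)
    expected = 2 ** (32 - prefix) / 2 ** 32  # fraction of IPv4 space in the prefix
    return (inside / directed) / expected

if __name__ == "__main__":
    c = classify(SAMPLE_LOG, "68.122.40.7")
    print(dict(c), overrepresentation(c, 16))
```

A ratio far above 1 for your own /16 points to scanners that prefer nearby addresses; a large broadcast bucket points to netmask noise rather than scanning.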


