[Dshield] Interesting scans

Jon Kibler Jon.Kibler at aset.com
Mon Jul 7 20:41:57 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Over the past few days I have seen heavy scanning from a bot at IP
60.172.219.2. The really strange thing is that the scans always
originate from 12200/tcp. The scans are to one of 4 ports:
7212/tcp, 80/tcp, 8080/tcp, 8000/tcp
Looking at the DShield stats, it appears that I am not the only one
being scanned by this bozo.

- From an old (2006) ISC Diary, I presume scans to 7212 are looking for
GhostSurf proxies that are open. Does anyone have information to the
contrary?

Does this scanning pattern identify any particular bot?

Can someone please explain how all scans always originate from the same
port? To me, that is REALLY weird. (However, this is not the first time
I have seen such behavior. Scans always originating from 6000 seem to be
common.)

Jon
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhyf5UACgkQUVxQRc85QlPD9ACeKTHgoHW3dr8XLfsvzEbNAZoc
kmwAnR3lXjaoTFk9+2Az6e69CDd7tTbp
=NnH8
-----END PGP SIGNATURE-----
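
A detection sketch for the pattern described in the message above (one remote address whose probes all leave from the same TCP source port), added here as an example and not part of the original post. The iptables-style log format, the thresholds and the function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample, iptables-style fields (assumed format). Addresses are
# documentation ranges; the ports mirror the pattern described in the message.
SAMPLE_LOG = """\
fw DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=12200 DPT=7212
fw DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=12200 DPT=80
fw DROP SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51514 DPT=80
fw DROP SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=12200 DPT=8080
fw DROP SRC=192.0.2.44 DST=198.51.100.11 PROTO=TCP SPT=51530 DPT=8080
fw DROP SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=12200 DPT=8000
fw DROP SRC=192.0.2.44 DST=198.51.100.12 PROTO=TCP SPT=51561 DPT=8000
fw DROP SRC=192.0.2.44 DST=198.51.100.12 PROTO=TCP SPT=51602 DPT=80
fw DROP SRC=192.0.2.99 DST=198.51.100.10 PROTO=TCP SPT=6000 DPT=80
"""
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=(\d+) DPT=(\d+)")

def parse(log_text):
    """Yield (src, dst, sport, dport) for each TCP line that matches."""
    for m in LINE_RE.finditer(log_text):
        yield m[1], m[2], int(m[3]), int(m[4])

def fixed_source_port_scanners(events, min_probes=4, min_targets=3):
    """Map each source whose probes all share one source port to a report.
    A client stack normally picks a new ephemeral port per connection, so many
    probes to distinct targets from one unchanging port point to a tool that
    sets the port itself (raw packets or an explicit bind).
    """
    by_src = defaultdict(lambda: {"sports": set(), "targets": set(), "probes": 0})
    for src, dst, sport, dport in events:
        rec = by_src[src]
        rec["sports"].add(sport)
        rec["targets"].add((dst, dport))
        rec["probes"] += 1
    flagged = {}
    for src, rec in by_src.items():
        if (len(rec["sports"]) == 1 and rec["probes"] >= min_probes
                and len(rec["targets"]) >= min_targets):
            flagged[src] = {
                "source_port": next(iter(rec["sports"])),
                "dest_ports": sorted({port for _, port in rec["targets"]}),
                "probes": rec["probes"],
            }
    return flagged

if __name__ == "__main__":
    for src, report in fixed_source_port_scanners(parse(SAMPLE_LOG)).items():
        print(src, report)
```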



