[Dshield] Interesting scans
Jon.Kibler at aset.com
Mon Jul 7 20:41:57 GMT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Over the past few days I have seen heavy scanning from a bot at IP
18.104.22.168. The really strange thing is that the scans always
originate from 12200/tcp. The scans are to one of 4 ports:
7212/tcp 80/tcp 8080/tcp 8000/tcp
Looking at the DShield stats, it appears that I am not the only one
being scanned by this bozo.
- From an old (2006) ISC Diary, I presume scans to 7212 are looking for
GhostSurf proxies that are open. Does anyone have information to the
Does this scanning pattern identify any particular bot?
Can someone please explain how all scans always originate from the same
port? To me, that is REALLY weird. (However, this is not the first time
I have seen such behavior. Scans always originating from 6000 seem to be
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.
More information about the list