Major campus-wide scans at UNC

Jeff Bollinger jeff01 at email.unc.edu
Fri Mar 1 16:53:33 GMT 2002


Has anyone else seen a major scan coming across their networks on a 
*large* number of ports?  We're seeing ports

20, 21, 22, 23, 25, 43, 49, 53, 69, 70, 79, 80, 101, 110, 111, 117, 118, 119, 137, 139, 143, 161, 162, 194, 220, 443, 445, 513, 515, 1080, 1433, 2049, 3306, 3389, 5631, 6000, 8000, 34567


This scan has locked out a lot of accounts across campus (including some 
PDCs), and we're seeing the scans coming from these IPs:



It looks like an insane Nessus scan that's causing a DDoS because we 
haven't seen any major compromises.  We are also wondering if this may 
be a "smokescreen" because we have all these boxes trying so many 
different exploits on the same systems?

Thanks,
Jeff

-- 
Jeff Bollinger
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff_bollinger at unc dot edu


