[unisog] Re: Coordinated Scan

Anderson Johnston andy at umbc.edu
Fri Mar 22 20:30:57 GMT 2002


On Fri, 22 Mar 2002, Sherry M. Rogers wrote:

>
> We were one of the campuses with hosts involved in the scan Tracey
> described.  Our network people blocked a couple of hosts because of what
> looked like ddos activity and we were able to correlate this with odd
> packets being flagged by our NIDS (bro) as excessive length ntp/port 123
> traffic.
>
> We identified 13 Windows hosts altogether.  When scanned with nmap there
> were two interesting ports open - a port 99 which disappeared on
> subsequent scans, and port 8888.  Connecting to port 8888 revealed that it
> was running a program written by "darkIRC".
>

8888/tcp or 8888/udp?

					- andy

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2000) 1024/F67035E1 **
** Office of Information Technology, UMBC *        5D 44 1E 2E A6 7C 91 7A  **
** 410-455-2583 (v)/410-455-1065 (f)      *        C4 66 5F D5 BA B9 F6 58  **
------------------------------------------------------------------------------



More information about the unisog mailing list