Odd scan - ports 57 and 80

Anderson Johnston andy at umbc.edu
Wed Sep 18 14:44:35 GMT 2002


This is from the daily nastygrams we generate.  We got a scan of port 80
and of port 57 (Mail Transfer Protocol - RFC 780).  Anybody seen anything
like this or have any idea why someone might want to scan these particular
ports?

In this case, we can identify the IP's users as well as their ISP, but
neither group may know that this is going on.
							- andy

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------

---------- Forwarded message ----------

On 17-sep-2002 at approximately 13:41 Eastern time (GMT-4) we
detected a SYN scan of ports 57,80 on several hosts on our campus network from
source ip 216.60.56.226.  This ip is registered to:

Southwestern Bell Internet Services SBIS-BLK-2 (NET-216-60-0-0-1)
                                  216.60.0.0 - 216.63.255.255
Border Network ISP-BORDERNET3 (NET-216-60-56-0-1)
                                  216.60.56.0 - 216.60.57.255

# ARIN Whois database, last updated 2002-09-17 19:05
# Enter ? for additional hints on searching ARIN's Whois database.


It is possible that a system in your domain has been compromised or is
otherwise being misused. We appreciate any action that you may take to
prevent such activity in the future.  We would also appreciate any
information that you may discover in the course of your investigations
regarding any problems or vulnerabilities in our systems.

If you have any questions or require further information, please
contact me using the information in the signature below.  This message
may be forwarded to you by a member of my staff, so please address your
response to andy at umbc.edu.

                                        Thank You,
					- Andy Johnston

**Please note that log reports mask our IP domain by default.  Our network
is 130.85.0.0/16 and "MY.NET" below stands for "130.85" or "umbc.edu" as
appropriate.

Log Excerpt:

Sep 17 13:41:00 216.60.56.226:3568 -> MY.NET.70.64:57 SYN ******S*
Sep 17 13:40:59 216.60.56.226:3566 -> MY.NET.70.72:80 SYN ******S*
Sep 17 13:41:01 216.60.56.226:3580 -> MY.NET.70.72:57 SYN ******S*
Sep 17 13:40:59 216.60.56.226:3565 -> MY.NET.70.71:80 SYN ******S*
Sep 17 13:41:01 216.60.56.226:3579 -> MY.NET.70.71:57 SYN ******S*
Sep 17 13:40:59 216.60.56.226:3573 -> MY.NET.70.75:80 SYN ******S*
Sep 17 13:41:00 216.60.56.226:3575 -> MY.NET.70.75:57 SYN ******S*
Sep 17 13:41:00 216.60.56.226:3571 -> MY.NET.70.66:57 SYN ******S*
Sep 17 13:41:00 216.60.56.226:3569 -> MY.NET.70.73:80 SYN ******S*
Sep 17 13:41:01 216.60.56.226:3584 -> MY.NET.70.73:57 SYN ******S*
Sep 17 13:41:01 216.60.56.226:3576 -> MY.NET.70.77:80 SYN ******S*


------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2000) 1024/F67035E1 **
** Office of Information Technology, UMBC *        5D 44 1E 2E A6 7C 91 7A  **
** 410-455-2583 (v)/410-455-1065 (f)      *        C4 66 5F D5 BA B9 F6 58  **
------------------------------------------------------------------------------
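
An added example, not part of the original message: a short Python summary of the log excerpt above, grouping SYN probes by source to show how many hosts were probed on each port and which were probed on both. The function name `summarize` and the `min_hosts` threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines copied from the log excerpt above; "MY.NET" is the site's address mask.
LOG = """\
Sep 17 13:41:00 216.60.56.226:3568 -> MY.NET.70.64:57 SYN ******S*
Sep 17 13:40:59 216.60.56.226:3566 -> MY.NET.70.72:80 SYN ******S*
Sep 17 13:41:01 216.60.56.226:3580 -> MY.NET.70.72:57 SYN ******S*
Sep 17 13:40:59 216.60.56.226:3565 -> MY.NET.70.71:80 SYN ******S*
Sep 17 13:41:01 216.60.56.226:3579 -> MY.NET.70.71:57 SYN ******S*
Sep 17 13:40:59 216.60.56.226:3573 -> MY.NET.70.75:80 SYN ******S*
Sep 17 13:41:00 216.60.56.226:3575 -> MY.NET.70.75:57 SYN ******S*
Sep 17 13:41:00 216.60.56.226:3571 -> MY.NET.70.66:57 SYN ******S*
Sep 17 13:41:00 216.60.56.226:3569 -> MY.NET.70.73:80 SYN ******S*
Sep 17 13:41:01 216.60.56.226:3584 -> MY.NET.70.73:57 SYN ******S*
Sep 17 13:41:01 216.60.56.226:3576 -> MY.NET.70.77:80 SYN ******S*
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src>\d+(?:\.\d+){3}):\d+\s+->\s+"
    r"(?P<dst>[\w.]+):(?P<dport>\d+)\s+SYN\s+(?P<flags>\S+)$"
)

def summarize(log, min_hosts=5):
    """Group SYN-only probes by source; min_hosts is an assumed threshold."""
    by_src = defaultdict(lambda: defaultdict(set))   # src -> dport -> {dst}
    times = defaultdict(list)                        # src -> [HH:MM:SS, ...]
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["flags"] != "******S*":        # keep SYN-only lines
            continue
        by_src[m["src"]][int(m["dport"])].add(m["dst"])
        times[m["src"]].append(m["time"])
    report = {}
    for src, ports in by_src.items():
        hosts = set().union(*ports.values())
        report[src] = {
            "ports": sorted(ports),
            "hosts": len(hosts),
            "per_port": {p: len(d) for p, d in sorted(ports.items())},
            "all_ports": sorted(set.intersection(*ports.values())),
            "window": (min(times[src]), max(times[src])),  # same-day strings
            "horizontal_scan": len(hosts) >= min_hosts,
        }
    return report

if __name__ == "__main__":
    print(summarize(LOG))
```
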


