[unisog] Odd scan - ports 57 and 80

Peter Van Epp vanepp at sfu.ca
Wed Sep 18 17:52:15 GMT 2002


	We saw a largely unsuccessful (although I just saw a report that a 
user on that subnet has removed a machine they believe was compromised) 
ping/port 57/port 80 scan from 213.64.139.37 on the morning of the 17th down
one of our class Cs.  I'll have to have a closer look for a longer time on the 
host reported possibly compromised and see what happened.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> 
> 
> This is from the daily nastygrams we generate.  We got a scan of port 80
> and of port 57 (Mail Transfer Protocol - RFC 780).  Anybody seen anything
> like this or have any idea why someone might want to scan these particular
> ports?
> 
> In this case, we can identify the IP's users as well as their ISP, but
> neither group may know that this is going on.
> 							- andy
> 
> ------------------------------------------------------------------------------
> ** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
> ** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
> ** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
> ** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
> ------------------------------------------------------------------------------
> 
> ---------- Forwarded message ----------
> 
> On 17-sep-2002 at approximately 13:41 Eastern time (GMT-4) we
> detected a SYN scan of ports 57,80 on several hosts on our campus network from
> source IP 216.60.56.226.  This IP is registered to:
> 
> Southwestern Bell Internet Services SBIS-BLK-2 (NET-216-60-0-0-1)
>                                   216.60.0.0 - 216.63.255.255
> Border Network ISP-BORDERNET3 (NET-216-60-56-0-1)
>                                   216.60.56.0 - 216.60.57.255
> 
> # ARIN Whois database, last updated 2002-09-17 19:05
> # Enter ? for additional hints on searching ARIN's Whois database.
> 
> 
> It is possible that a system in your domain has been compromised or is
> otherwise being misused. We appreciate any action that you may take to
> prevent such activity in the future.  We would also appreciate any
> information that you may discover in the course of your investigations
> regarding any problems or vulnerabilities in our systems.
> 
> If you have any questions or require further information, please
> contact me using the information in the signature below.  This message
> may be forwarded to you by a member of my staff, so please address your
> response to andy at umbc.edu.
> 
>                                         Thank You,
> 					- Andy Johnston
> 
> **Please note that log reports mask our IP domain by default.  Our network
> is 130.85.0.0/16 and "MY.NET" below stands for "130.85" or "umbc.edu" as
> appropriate.
> 
> Log Excerpt:
> 
> Sep 17 13:41:00 216.60.56.226:3568 -> MY.NET.70.64:57 SYN ******S*
> Sep 17 13:40:59 216.60.56.226:3566 -> MY.NET.70.72:80 SYN ******S*
> Sep 17 13:41:01 216.60.56.226:3580 -> MY.NET.70.72:57 SYN ******S*
> Sep 17 13:40:59 216.60.56.226:3565 -> MY.NET.70.71:80 SYN ******S*
> Sep 17 13:41:01 216.60.56.226:3579 -> MY.NET.70.71:57 SYN ******S*
> Sep 17 13:40:59 216.60.56.226:3573 -> MY.NET.70.75:80 SYN ******S*
> Sep 17 13:41:00 216.60.56.226:3575 -> MY.NET.70.75:57 SYN ******S*
> Sep 17 13:41:00 216.60.56.226:3571 -> MY.NET.70.66:57 SYN ******S*
> Sep 17 13:41:00 216.60.56.226:3569 -> MY.NET.70.73:80 SYN ******S*
> Sep 17 13:41:01 216.60.56.226:3584 -> MY.NET.70.73:57 SYN ******S*
> Sep 17 13:41:01 216.60.56.226:3576 -> MY.NET.70.77:80 SYN ******S*
> 
> 
> ------------------------------------------------------------------------------
> ** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
> ** Manager of IT Security                 * PGP key:(afj2000) 1024/F67035E1 **
> ** Office of Information Technology, UMBC *        5D 44 1E 2E A6 7C 91 7A  **
> ** 410-455-2583 (v)/410-455-1065 (f)      *        C4 66 5F D5 BA B9 F6 58  **
> ------------------------------------------------------------------------------
> 
> 
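The log excerpt above is a short "SYN to many hosts on the same two ports from one source" pattern. As an added example (not code from either poster or from any UMBC tooling), the following parser reads lines in exactly the format shown in the excerpt and reports any source that sends SYN-only probes to several distinct destinations within a short window, which is the horizontal-scan signature the report describes. The excerpt lines are embedded as sample input; the final MY.NET line, the `min_hosts` and `window_seconds` thresholds, and the function names are assumptions of this example, not values from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line format as it appears in the post's excerpt:
#   Sep 17 13:41:00 216.60.56.226:3568 -> MY.NET.70.64:57 SYN ******S*
# MY.NET is the masked local prefix, so destination "hosts" are matched as dotted
# tokens rather than strict IPv4 addresses.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<name>\S+) (?P<flags>\S+)$"
)

# Sample input: the eleven lines quoted in the post, plus one constructed benign
# line (a single internal host fetching a web page) that must not be flagged.
SAMPLE_LOG = """\
Sep 17 13:41:00 216.60.56.226:3568 -> MY.NET.70.64:57 SYN ******S*
Sep 17 13:40:59 216.60.56.226:3566 -> MY.NET.70.72:80 SYN ******S*
Sep 17 13:41:01 216.60.56.226:3580 -> MY.NET.70.72:57 SYN ******S*
Sep 17 13:40:59 216.60.56.226:3565 -> MY.NET.70.71:80 SYN ******S*
Sep 17 13:41:01 216.60.56.226:3579 -> MY.NET.70.71:57 SYN ******S*
Sep 17 13:40:59 216.60.56.226:3573 -> MY.NET.70.75:80 SYN ******S*
Sep 17 13:41:00 216.60.56.226:3575 -> MY.NET.70.75:57 SYN ******S*
Sep 17 13:41:00 216.60.56.226:3571 -> MY.NET.70.66:57 SYN ******S*
Sep 17 13:41:00 216.60.56.226:3569 -> MY.NET.70.73:80 SYN ******S*
Sep 17 13:41:01 216.60.56.226:3584 -> MY.NET.70.73:57 SYN ******S*
Sep 17 13:41:01 216.60.56.226:3576 -> MY.NET.70.77:80 SYN ******S*
Sep 17 13:45:10 MY.NET.5.9:4021 -> MY.NET.70.64:80 SYN ******S*
""".splitlines()


def parse_line(line, year=2002):
    """Parse one excerpt line into a dict, or return None if it does not match.
    The syslog-style timestamp carries no year, so one is supplied (2002 here,
    matching the post's date)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def find_scanners(lines, min_hosts=3, window_seconds=60):
    """Return {source: summary} for every source whose SYN-only probes reach at
    least min_hosts distinct destinations inside any window_seconds window.
    Thresholds are assumed values for this example, not site policy."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        # Only the bare SYN (flag string "******S*") is a connection attempt
        # we care about here; malformed lines are skipped rather than guessed at.
        if ev is None or ev["flags"] != "******S*":
            continue
        by_src[ev["src"]].append(ev)

    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: count distinct destinations among events whose
        # timestamps fall within window_seconds of each other.
        best, left = 0, 0
        for right in range(len(evs)):
            while (evs[right]["ts"] - evs[left]["ts"]).total_seconds() > window_seconds:
                left += 1
            best = max(best, len({e["dst"] for e in evs[left:right + 1]}))
        if best >= min_hosts:
            report[src] = {
                "hosts": sorted({e["dst"] for e in evs}),
                "ports": sorted({e["dport"] for e in evs}),
                "first": evs[0]["ts"],
                "last": evs[-1]["ts"],
                "max_hosts_in_window": best,
            }
    return report


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(info['hosts'])} hosts, ports {info['ports']}, "
              f"{info['first']} .. {info['last']}")
```

On the sample above the only source reported is 216.60.56.226, touching seven hosts on ports 57 and 80 inside a two-second span; the single internal web request is ignored because it reaches one destination. Keying on distinct destinations per source rather than raw SYN count is what separates a sweep like this one from a busy but legitimate client.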