[unisog] any one seeing an increase in 17300 SYN

Pete Hickey pete at shadows.uottawa.ca
Fri Feb 14 20:18:45 GMT 2003


On Wed, Feb 12, 2003 at 12:40:16PM -0800, Peter Van Epp wrote:
> 	Yep, us too. Started around 23:00 PST Feb 10 and has continued 
> (unsuccessfully) from a variety of sources til about 23:00 on the 11th but so 
> far not thereafter. From the 1st to the 10th, there were a couple of probes 
> (again unsuccessful) at specific machines but no apparant scanning.

Interesting.  I haen't seen any  week coming to our campus network,
however, our residencees, which are on a different IP block (very far
from the campus block) had a a few.  Feb 12 at 02:00EST for about
a half hour, then  yesterday, there were bursts between 17:00EDT
and 02:00EDT this morning....  Bursts would last a few minutes than
stop for 15-20 minutes.

Came from about 60 different source IP addresses.

Strange.

> On Wed, Feb 12, 2003 at 09:56:10AM -0600, Harris, Michael C. wrote:
> > I assume others of you are seeing a recent upswing in what we assume is Kuang2 (SYN 17300) in the last  48 hours? 
> > We are seeing a odd increase at midnight 00:00 cst on 02/11/03  and 01:13 cst on 02/12/03 only.  
> > Is there something in this virus controlling the timing? or is someone trolling for infected machines?  I've never looked at a live copy or the code itself for Kuang2.
> > 
> > notice the heavy upswing in sources beginning on the 5th...
> > http://isc.incidents.org/port_details.html?port=17300
> > 
> > anyone done much investigation other than writing it off as KUANG2?
> > 
> > Mike
> > 
> > 
> > --------------------------------------------------
> > Michael C Harris
> > System Security Analyst - GSEC
> > ITS / Research Education and Support
> > University of Missouri Health Center
> > Phone: 573-882-3392 
> > 
> > harrismc at health.missouri.edu
> > --------------------------------------------------
> > no Kuang2 is not a town in France...
> > 
> > 
> > 



More information about the unisog mailing list