Hi,
Last night we received some strange scans with a source port of 21 (ftp) and
a destination port of 7 (echo). The destination address was always the
network address. I was just wondering if anyone else had seen these scans or
whether anyone knew what they were looking for. The scans were performed
over TCP (protocol 6) and UDP (protocol 17).
I have a theory that 64.79.80.26 (pm001-026.dialup.bignet.net) may be
the dialup account of the scanner and the rest of the hosts are compromised
systems being used by himself / herself, and the scan from the bignet.net
system was an accident.
If anyone can shed any light, it would be greatly appreciated because I'm
now very interested to discover what they were trying to achieve. Snippets
of the logs are below:
24.165.238.133 (RRCentralFlorida-165.238.133.cfl.rr.com) - duration of 32 minutes

Jun 8 04:32:32 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=17 24.165.238.133:21 xxx.xxx.8.0:7 L=93 S=0x00 I=10061 F=0x4000 T=243 (#67)
Jun 8 04:32:32 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=6 24.165.238.133:21 xxx.xxx.8.0:7 L=105 S=0x00 I=10063 F=0x4000 T=243 SYN (#67)

193.226.98.26 (dnt-gw.dnttm.ro) - duration of 5 minutes (note - source port is random)

Jun 8 15:16:43 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=17 193.226.98.26:58001 xxx.xxx.8.0:7 L=1027 S=0x00 I=5275 F=0x0000 T=239 (#67)

64.79.80.26 (pm001-026.dialup.bignet.net) - duration of 4 minutes

Jun 8 20:05:38 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=6 64.79.80.26:21 xxx.xxx.8.0:7 L=105 S=0x00 I=26126 F=0x4000 T=243 SYN (#68)
Jun 8 20:05:38 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=17 64.79.80.26:21 xxx.xxx.8.0:7 L=93 S=0x00 I=26127 F=0x4000 T=243 (#68)

140.174.186.2 (televolve-T1-gw.san-francisco.best.net) - duration of 4 hours 30 minutes

Jun 9 00:00:50 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=17 140.174.186.2:21 xxx.xxx.8.0:7 L=93 S=0x00 I=46897 F=0x4000 T=243 (#68)
Jun 9 00:00:50 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=6 140.174.186.2:21 xxx.xxx.8.0:7 L=105 S=0x00 I=46896 F=0x4000 T=243 SYN (#68)
Many thanks,
Paul Rogers,
Network Security Analyst.
MIS Corporate Defence Solutions Limited
Tel: +44 (0)1622 723422 (Direct Line)
+44 (0)1622 723400 (Switchboard)
Fax: +44 (0)1622 728580
Website: http://www.mis-cds.com/
**********************************************************************
The information contained in this message or any of its attachments may be privileged and confidential and intended for the exclusive use of the addressee. If you are not the addressee, any disclosure, reproduction, distribution or other dissemination or use of this communication is strictly prohibited.
The views expressed in this e-mail are those of the individual and not necessarily of MIS Corporate Defense Solutions Ltd. Any prices quoted are only valid if followed up by a formal written quote.
If you have received this transmission in error, please contact our Security Manager on 44 (0) 1622 723400.
**********************************************************************
Received on Jun 10 2000
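The scan pattern reported in the message above (any protocol, destination port 7, aimed at the network address of the /24) can be pulled out of ipchains "Packet log:" output with a short parser, and the per-source duration, protocol mix and source-port behaviour the poster worked out by hand can then be computed directly. The following is an added example, not code from the original post: the log lines in it are constructed to match the format in the post, with the masked xxx.xxx.8.0 target replaced by 192.0.2.0 (RFC 5737 documentation range), the hostname replaced by "fw", and one ordinary blocked connection added to show the filter discarding it. The year (syslog timestamps carry none) and the /24 prefix length are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the ipchains log lines in the post. The first
# source gets a third packet 32 minutes later to reproduce the reported
# duration; the last line is ordinary traffic that the probe filter must ignore.
SAMPLE_LOG = """\
Jun 8 04:32:32 fw kernel: Packet log: input DENY eth2 PROTO=17 24.165.238.133:21 192.0.2.0:7 L=93 S=0x00 I=10061 F=0x4000 T=243 (#67)
Jun 8 04:32:32 fw kernel: Packet log: input DENY eth2 PROTO=6 24.165.238.133:21 192.0.2.0:7 L=105 S=0x00 I=10063 F=0x4000 T=243 SYN (#67)
Jun 8 05:04:32 fw kernel: Packet log: input DENY eth2 PROTO=6 24.165.238.133:21 192.0.2.0:7 L=105 S=0x00 I=10999 F=0x4000 T=243 SYN (#67)
Jun 8 15:16:43 fw kernel: Packet log: input DENY eth2 PROTO=17 193.226.98.26:58001 192.0.2.0:7 L=1027 S=0x00 I=5275 F=0x0000 T=239 (#67)
Jun 8 20:05:38 fw kernel: Packet log: input DENY eth2 PROTO=6 64.79.80.26:21 192.0.2.0:7 L=105 S=0x00 I=26126 F=0x4000 T=243 SYN (#68)
Jun 8 20:09:38 fw kernel: Packet log: input DENY eth2 PROTO=17 64.79.80.26:21 192.0.2.0:7 L=93 S=0x00 I=26127 F=0x4000 T=243 (#68)
Jun 8 21:00:00 fw kernel: Packet log: input DENY eth2 PROTO=6 198.51.100.9:4021 192.0.2.15:80 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#70)
"""

# One ipchains "Packet log:" line: timestamp, host, chain, verdict, interface,
# protocol, src:port, dst:port, length, TOS, IP id, fragment flags, TTL,
# optional TCP flag words (e.g. SYN), and the rule number in parentheses.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$"
)

ASSUMED_YEAR = 2000  # assumption: syslog omits the year; the post is from June 2000


def parse_packet_log(text):
    """Parse ipchains packet-log lines into dicts; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "time": datetime.strptime(f"{ASSUMED_YEAR} {d['ts']}", "%Y %b %d %H:%M:%S"),
            "proto": int(d["proto"]),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "length": int(d["len"]), "ttl": int(d["ttl"]),
            "flags": d["flags"].split(), "rule": int(d["rule"]),
        })
    return records


def is_network_address(ip, prefix_len=24):
    """True if ip is the all-zeros host of its prefix (prefix length is an assumption)."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return net.network_address == ipaddress.ip_address(ip)


def is_echo_probe(rec, prefix_len=24):
    """The pattern from the post: any protocol, destination port 7, sent to the network address."""
    return rec["dport"] == 7 and is_network_address(rec["dst"], prefix_len)


def summarize_sources(records, prefix_len=24):
    """Group matching probes by source: packet count, time span, protocols, and whether
    every packet used source port 21 (one source in the post used random ports)."""
    groups = defaultdict(list)
    for r in records:
        if is_echo_probe(r, prefix_len):
            groups[r["src"]].append(r)
    summary = {}
    for src, recs in groups.items():
        times = [r["time"] for r in recs]
        summary[src] = {
            "packets": len(recs),
            "first": min(times),
            "last": max(times),
            "duration_seconds": int((max(times) - min(times)).total_seconds()),
            "protocols": sorted({r["proto"] for r in recs}),
            "fixed_source_port_21": all(r["sport"] == 21 for r in recs),
        }
    return summary


if __name__ == "__main__":
    for src, s in summarize_sources(parse_packet_log(SAMPLE_LOG)).items():
        print(f"{src}: {s['packets']} pkts over {s['duration_seconds']} s, "
              f"protos={s['protocols']}, sport21={s['fixed_source_port_21']}")
```

The filter keys on the destination (port 7 at the network address) rather than on source port 21, because the dnt-gw.dnttm.ro run in the post used a random source port and would be missed by a source-port match; the fixed-port behaviour is reported as a separate attribute of each source instead.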