Security Incidents: Re: large scale distributed scan of port tcp 445

Re: large scale distributed scan of port tcp 445

From: Muhammad Faisal Rauf Danka <mfrd_at_attitudex.com>
Date: Thu, 8 Aug 2002 16:53:41 -0700 (PDT)

Which firewall logs are these? Because I'm unable to find the bits
set, whether it was a TCP scan or half-open SYN scan?
Since mostly worms would TCP scan from infected boxes, if it's
a SYN scan, then probably it's an intentional scan.
Just wondering..

Regards,
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk

--- Russell Fulton <r.fulton_at_auckland.ac.nz> wrote:
>Greeting All,
> Again my apologies to those of you who receive two copies of this
>note I am posting it to both unsog and incidents since a fair number of
>educational sites are involved. This posting may also be related to an
>ongoing discussion on the unsog list of compromised W2K boxes.
>
>At around 0545 on the 8th Aug (UTC) we got hit by a distributed scan
>from 100 machines scattered around the world. Most of the addresses are
>owned by large ISPs and domain names indicate that they are cable or xdsl
>customers. A significant minority of the addresses belonged to
>educational institutions (one Taiwanese institution was very well
>represented :( ). I have notified all the edu sites that I can identify
>and will work through the ISPs later today.
>
>For the record it took them 6 minutes to scan our entire /16 address
>space.
>
>Here is a cut and paste from my index of scans, the time at the start is
>just to 1 hour resolution.
>
>2002.08.08.17.00 ip160.usw15.rb1.bel.nwlink.com[207.202.205.160] - Network_scan[tcp-445] - new
>2002.08.08.17.00 208-59-162-183.hybrid.hlb-ubr.nj.cable.rcn.com[208.59.162.183] - Network_scan[tcp-445] - new
>2002.08.08.17.00 [207.210.183.134] - Network_scan[tcp-445] - new
>2002.08.08.17.00 d888301.MING.ab.nthu.edu.tw[140.114.213.18] - Network_scan[tcp-445] - new
<<SNIP>>


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Aug 09 2002
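
Added example, not part of the original posts: a parser for the scan-index line format quoted above that groups entries by hour and service, counts distinct source addresses, and sorts them into rough notification buckets (edu, ISP or other, no reverse DNS). The function names, the threshold of 3 sources and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# "<yyyy.mm.dd.hh.mm> <rdns-name>[<ip>] - Network_scan[<proto>-<port>] - <status>"; name may be empty.
LINE_RE = re.compile(
    r"^>?\s*(?P<hour>\d{4}(?:\.\d{2}){4})\s+"
    r"(?P<host>[^\s\[\]]*)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+-\s+"
    r"Network_scan\[(?P<proto>[a-z]+)-(?P<port>\d+)\]\s+-\s+(?P<status>\S+)\s*$")

# First four lines are quoted in the post; the last two are constructed
# (documentation address 192.0.2.10) to exercise de-duplication and the threshold.
SAMPLE = """\
>2002.08.08.17.00 ip160.usw15.rb1.bel.nwlink.com[207.202.205.160] - Network_scan[tcp-445] - new
>2002.08.08.17.00 208-59-162-183.hybrid.hlb-ubr.nj.cable.rcn.com[208.59.162.183] - Network_scan[tcp-445] - new
>2002.08.08.17.00 [207.210.183.134] - Network_scan[tcp-445] - new
>2002.08.08.17.00 d888301.MING.ab.nthu.edu.tw[140.114.213.18] - Network_scan[tcp-445] - new
>2002.08.08.17.00 [207.210.183.134] - Network_scan[tcp-445] - new
>2002.08.08.17.00 host.example.net[192.0.2.10] - Network_scan[tcp-80] - new
""".splitlines()

def parse_line(line):
    """Return the fields of one index line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(port=int(rec["port"]), host=rec["host"].lower() or None)
    return rec

def contact_bucket(host):
    """Rough notification bucket from the reverse-DNS name (a heuristic)."""
    if host is None:
        return "no-rdns"
    return "edu" if "edu" in host.split(".") else "isp-or-other"

def distributed_scans(lines, min_sources=3):
    """Map (hour, proto, port) -> {bucket: [ips]} where distinct sources >= min_sources."""
    groups = defaultdict(dict)
    for rec in filter(None, map(parse_line, lines)):
        groups[(rec["hour"], rec["proto"], rec["port"])][rec["ip"]] = rec["host"]
    report = {}
    for key, sources in groups.items():
        if len(sources) < min_sources:
            continue  # too few distinct sources to call it distributed
        buckets = defaultdict(list)
        for ip, host in sorted(sources.items()):
            buckets[contact_bucket(host)].append(ip)
        report[key] = dict(buckets)
    return report
```

Calling `distributed_scans(SAMPLE)` returns one entry, for tcp/445 in the 17:00 bucket, with the repeated source counted once and the single tcp/80 source left out.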
