On Fri, 2002-08-09 at 11:53, Muhammad Faisal Rauf Danka wrote:
> Which firewall logs are these? Because I'm unable to find the bits
> set, whether it was a TCP Scan or half-open SYN Scan?
> Since mostly worms would TCP Scan from infected boxes, so if it's
> a SYN Scan, then probably it's an intentional Scan.
> just wondering..
The scans were detected by my own scan detector which is a Perl script and
reads argus records. The code is distributed with argus
<www.qosient.com>.
The probes were all TCP SYNs. Only one per target which suggests a half
open scan (we block 445 at the firewall so nothing responded and I can't
be sure if it really was a half open scan).
I doubt very much if this is a worm; my guess is that it is some group
with a group of zombies who want many more...
BTW a few weeks ago I did see some very similar scans but just with
10-20 hosts. It may be the same group with more resources...
--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Aug 09 2002
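
An added example (not part of the message above, and not the Perl script distributed with argus): a minimal detector for the pattern described, one unanswered TCP SYN per target on a single port, seen from several sources. The flow-record layout, the thresholds and the addresses are assumptions constructed for illustration; they are not argus output.

```python
from collections import defaultdict

# Constructed flow records (hypothetical layout, documentation addresses):
# (src, dst, dst_port, src_pkts, dst_pkts, tcp_flags_seen)
FLOWS = (
    [("192.0.2.10", f"198.51.100.{i}", 445, 1, 0, "S") for i in range(1, 5)]
    + [("192.0.2.11", f"198.51.100.{i}", 445, 1, 0, "S") for i in range(1, 4)]
    + [
        # Completed web session: answered, so not a probe.
        ("192.0.2.50", "198.51.100.80", 80, 6, 5, "SPAF"),
        # One unanswered SYN to a single host: below the target threshold.
        ("192.0.2.60", "198.51.100.2", 445, 1, 0, "S"),
    ]
)


def find_syn_probers(flows, min_targets=3):
    """Map (src, port) -> targets that each got exactly one unanswered SYN.

    With the port blocked at the firewall nothing replies, so this cannot
    tell a half-open scan from a full connect attempt, as the message notes.
    """
    probes = defaultdict(set)
    for src, dst, dport, src_pkts, dst_pkts, flags in flows:
        if flags == "S" and src_pkts == 1 and dst_pkts == 0:
            probes[(src, dport)].add(dst)
    return {k: sorted(v) for k, v in probes.items() if len(v) >= min_targets}


def coordinated_ports(probers, min_sources=2):
    """Map port -> sources, for ports probed by several distinct scanners."""
    by_port = defaultdict(set)
    for src, dport in probers:
        by_port[dport].add(src)
    return {p: sorted(s) for p, s in by_port.items() if len(s) >= min_sources}


if __name__ == "__main__":
    probers = find_syn_probers(FLOWS)
    for (src, port), targets in sorted(probers.items()):
        print(f"{src} sent single SYNs to {len(targets)} hosts on port {port}")
    print("ports probed by multiple sources:", coordinated_ports(probers))
```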