



Security Incidents mailing list archives

Re: [unisog] Re: large scale distributed scan of port tcp 445
From: Russell Fulton <r.fulton () auckland ac nz>
Date: 09 Aug 2002 12:50:49 +1200

On Fri, 2002-08-09 at 11:53, Muhammad Faisal Rauf Danka wrote:
> Which firewall logs are these? Because I'm unable to find the bits
> set, whether it was a TCP Scan or half-open SYN Scan?
> Since mostly worms would TCP Scan from infected boxes, so if it's
> a SYN Scan, then probably it's an intentional Scan.
> Just wondering..

The scans were detected by my own scan detector, which is a Perl script
that reads argus records.  The code is distributed with argus
<www.qosient.com>.

The probes were all TCP SYNs.  Only one per target, which suggests a
half-open scan (we block 445 at the firewall so nothing responded and I
can't be sure if it really was a half-open scan).

I doubt very much if this is a worm, my guess is that it is some group
with a group of zombies who want many more...

BTW a few weeks ago I did see some very similar scans but just with
10-20 hosts.  It may be the same group with more resources...

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
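
Added example (not part of the original message, and not the Perl script distributed with argus): a minimal Python detector for the pattern described above, many sources each sending a single unanswered SYN to several distinct targets on one port. The record layout, the addresses and both thresholds are constructed assumptions, not argus's real record format.

```python
from collections import defaultdict

def make_sample_flows():
    """Constructed records: (src, dst, dst_port, tcp_flags_seen, reply_packets)."""
    flows = []
    # 12 constructed sources, each sending one SYN to 3 distinct targets on tcp/445.
    for s in range(12):
        for d in range(3):
            flows.append((f"198.51.100.{s + 1}", f"10.0.0.{s * 3 + d + 1}", 445, "S", 0))
    # Background traffic that must not be flagged.
    flows.append(("203.0.113.9", "10.0.0.80", 80, "SAF", 12))   # completed session
    flows.append(("203.0.113.50", "10.0.0.5", 445, "S", 0))     # lone stray SYN
    return flows

def is_lone_syn(flow):
    # SYN only, nothing came back. With the port blocked at the firewall this
    # cannot tell a half-open scan from a full connect attempt.
    _, _, _, flags, reply_packets = flow
    return flags == "S" and reply_packets == 0

def detect_distributed_scan(flows, min_targets=3, min_sources=10):
    """Return {port: {"sources": set, "targets": set}} for each port where at
    least min_sources hosts each sent lone SYNs to min_targets or more targets.
    Both thresholds are assumptions chosen for this sample."""
    targets_by_port_src = defaultdict(lambda: defaultdict(set))
    for flow in flows:
        if is_lone_syn(flow):
            src, dst, port = flow[:3]
            targets_by_port_src[port][src].add(dst)
    findings = {}
    for port, by_src in targets_by_port_src.items():
        scanners = {s: t for s, t in by_src.items() if len(t) >= min_targets}
        if len(scanners) >= min_sources:
            findings[port] = {"sources": set(scanners),
                              "targets": set().union(*scanners.values())}
    return findings

if __name__ == "__main__":
    for port, hit in detect_distributed_scan(make_sample_flows()).items():
        print(f"tcp/{port}: {len(hit['sources'])} sources, {len(hit['targets'])} targets")
```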

