Security Incidents
mailing list archives
Re: Unusual volume: UDP:137 probes
From: John Sage <jsage () finchhaven com>
Date: Tue, 1 Oct 2002 12:46:53 -0700
Michael:

On Tue, Oct 01, 2002 at 09:37:18AM -0700, Scott, Michael R. wrote:
> Correction/update to my earlier post:
> It seems to be scanning random chunks of addresses, not /16's, see below for
> a listing of targets probed over a 75 second period. Notice how it starts
> off with incrementing the host of a /24 then jumps to a different /8 and
> increments only the first octet. Yesterday night's NAV signatures detect it
> as W32.Opaserv.Worm. A view of the properties of the file shows a C time of
> this past Sat night (9/28 19:32 PST), and an M time of 1/1/70.

What is the relationship between the IP this scanning host had, and
the IP blocks it started scanning, or the IP blocks it scanned at all?
Any?

> 181.5.73.183
> 181.5.73.184
> 181.5.73.185
> 181.5.73.186
> 181.5.73.187
> 181.5.73.188
> 181.5.73.189

<snippage>

- John
--
"It's a troll! Run!^H^H^H^H Laugh!"
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
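
Added example, not part of the original message or of any tool named in the thread: one way to answer the question above from flow logs is to split a source's UDP/137 targets into constant-stride runs, report which octet each run steps, and count the leading bits each run shares with the source address. The record layout, the source address 192.0.2.10 and every target outside 181.5.73.183-189 are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (seconds, src, dst, proto, dport). The 181.5.73.x
# targets are from the post; the source address and the other targets are made up.
SAMPLE = (
    [(t, "192.0.2.10", f"181.5.73.{183 + t}", "udp", 137) for t in range(7)]
    + [(7, "192.0.2.10", "198.51.100.7", "tcp", 80)]
    + [(8 + i, "192.0.2.10", f"{60 + i}.5.73.190", "udp", 137) for i in range(3)]
)

STEPPED_OCTET = {1: 4, 256: 3, 65536: 2, 16777216: 1}  # stride -> octet incremented

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def shared_prefix_bits(a, b):
    """Number of leading bits two IPv4 addresses have in common (0..32)."""
    return 32 - (to_int(a) ^ to_int(b)).bit_length()

def sweep_runs(records, proto="udp", port=137):
    """Per source, split probed targets (in time order) into constant-stride runs."""
    by_src = defaultdict(list)
    for _, src, dst, p, dport in sorted(records):
        if p == proto and dport == port:
            by_src[src].append(to_int(dst))
    runs = []
    for src, dsts in by_src.items():
        start, prev, stride = dsts[0], dsts[0], None
        for d in dsts[1:]:
            if stride is None or d - prev == stride:
                stride = d - prev
            else:                       # stride broke: close this run, start another
                runs.append((src, start, prev, stride))
                start, stride = d, None
            prev = d
        runs.append((src, start, prev, stride))
    return runs

def summarize(records):
    """(src, first, last, probes, octet stepped or None, prefix bits shared with src)."""
    out = []
    for src, first, last, stride in sweep_runs(records):
        count = (last - first) // stride + 1 if stride else 1
        out.append((src, str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last)),
                    count, STEPPED_OCTET.get(stride), shared_prefix_bits(src, first)))
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

A high shared-prefix count on the first run would point to a scanner that starts near its own address; a count near zero on every run is consistent with randomly chosen blocks.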