Re: Automated, Distributed Port Scan

[montes () LAC INPE BR (Antonio Montes)]

It would've been nice if you had included the address of the hosts being
used to scan your network. Some administrators might thank you ;-) for
helping them find out that a machine under their responsability is
compromised or being improperly used.
Cheers,

Antonio
------------------------------------------------------------------------
-----------
Dr. Antonio Montes
Network and Systems Security Group
Nat. Inst. for Space Research
12.227-010 - S.J.Campos, SP - Brazil
Tel. (12)345-6538   Fax (12)345-6375

> We seem to have been the victims of what appears to be an automated
> distributed port scan. Over the weekend we were scanned for Netbus by
> 30 (or so) different machines. We have comfirmed that there was two-way
> tcp traffic to at least one host on our network, so we do not believe
> that the source was spoofed.
>
> Each scan scanned a different set of machines on our network. From a
> quick look, there appears to have been little to no overlap (that is,
> machinea was not scanned from any two different sources).
>
> Looking at the times and the source of the scans, most of the scans
> lasted almost exactly 20 minutes -- this makes me think that it is
> likely automated. Sometimes there were pauses between the scans,
> sometimes there wasn't.
>
> The scans came from a variety of sites, but generally standard targets
> -- ISPs, Brazil, Korea, Austria, etc.
>
> -Larry
>
> ---
> E. Larry Lidz                                        Phone: (773)702-2208
> Network Security Officer                             Fax:   (773)702-0559
> Network Security Center, The University of Chicago
> PGP: finger ellidz () uchicago edu or network-security () uchicago edu