Re: SNMP Scans

[Golden_Eternity <bhodi () BIGFOOT COM>]

These aren't the same IP address, but they're all from 211.* and seem to
have the same registrant according to apnic.net.

Mar 14 10:57:17 roto-router portsentry[5398]: attackalert: SYN/Normal scan
from host: 211.36.12.89/211.36.12.89 to TCP port: 111
Mar 14 11:45:19 roto-router portsentry[5398]: attackalert: SYN/Normal scan
from host: 211.114.224.191/211.114.224.191 to TCP port: 111
Mar 14 17:51:47 roto-router portsentry[5398]: attackalert: SYN/Normal scan
from host: 211.250.178.129/211.250.178.129 to TCP port: 111
Mar 14 17:59:01 roto-router portsentry[5398]: attackalert: SYN/Normal scan
from host: 210.174.167.20/210.174.167.20 to TCP port: 111
Mar 14 19:24:40 roto-router portsentry[5398]: attackalert: SYN/Normal scan
from host: 211.237.45.190/211.237.45.190 to TCP port: 111
Mar 14 23:51:51 roto-router portsentry[5398]: attackalert: SYN/Normal scan
from host: 211.250.119.2/211.250.119.2 to TCP port: 111

> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
> Behalf Of Chris Schuler
> Sent: Tuesday, March 13, 2001 8:05 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: SNMP Scans
>
>
> anyone else seeing port 111/rpc scans from this ip?
> 211.185.160.193
> Ive seen at least two walks of my ip address space by this host.
>
>
> Mar 13 09:45:08 211.185.160.193:4671 -> xxx.xxx.xxx.xxx:111
> SYN ******S*
> Mar 13 09:45:08 211.185.160.193:4670 -> xxx.xxx.xxx.xxx:111
> SYN ******S*
> Mar 13 09:45:08 211.185.160.193:4672 -> xxx.xxx.xxx.xxx:111
> SYN ******S*
> ...