Security Incidents mailing list archives
Re: Several probes from
From: spaceork <spaceork () dhp com>
Date: Tue, 22 May 2001 12:50:47 -0400 (EDT)
On Sun, 20 May 2001, Fabio Bastiglia Oliva wrote:
> Anyone here got something like this?
> check these details:
> ########################
> Snort
> #(3 - 7573) [2001-05-20 14:54:41] SCAN synscan portscan
> IPv4: 63.170.232.2 -> 200.xxx.xxx.xxx
> hlen=5 TOS=32 dlen=40 ID=39426 flags=0 offset=0 TTL=26 chksum=15737
> TCP: port=21 -> dport: 21 flags=******SF seq=1511872466
> ack=1763444313 off=5 res=0 win=1028 urp=0 chksum=49433
> Payload: none
Grepping through my logs, I came across this entry from 5/19:
13:48:37.371260 shikoshin.com.ftp > my.host.ftp: SF
23013211:23013211(0) win 1028 (ttl 13, id 39426)
The scanning host was a Linux 2.2 box. The signatures are almost
identical; perhaps we are seeing the same tool in both instances here?
-spaceork
"All the time they were creating
What has destroyed them,
And they fall with the burden
They built."
--------------------------------
spaceork () dhp com
http://www.dhp.com/~spaceork
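
The comparison made in the message above, as an added example that is not part of the original post: a Python sketch that parses the quoted Snort alert and the tcpdump line (embedded as sample input with wrapped lines joined) and checks which header fields agree. The function names and the matching rule are assumptions made for illustration.

```python
import re

# Sample input: the two log entries from the message above, wrapped lines joined.
SNORT_ALERT = (
    "IPv4: 63.170.232.2 -> 200.xxx.xxx.xxx "
    "hlen=5 TOS=32 dlen=40 ID=39426 flags=0 offset=0 TTL=26 chksum=15737 "
    "TCP: port=21 -> dport: 21 flags=******SF seq=1511872466 "
    "ack=1763444313 off=5 res=0 win=1028 urp=0 chksum=49433"
)
TCPDUMP_LINE = (
    "13:48:37.371260 shikoshin.com.ftp > my.host.ftp: SF "
    "23013211:23013211(0) win 1028 (ttl 13, id 39426)"
)

def parse_snort(text):
    """Extract the fields that both log formats record."""
    ports = re.search(r"port=(\d+) -> dport: (\d+)", text)
    # The IP-level "flags=0" is skipped: only the 8-character TCP field matches.
    flags = re.search(r"flags=([*A-Z12]{8})", text).group(1).replace("*", "")
    return {
        "flags": "".join(sorted(flags)),
        "win": int(re.search(r"\bwin=(\d+)", text).group(1)),
        "ip_id": int(re.search(r"\bID=(\d+)", text).group(1)),
        "same_port": ports.group(1) == ports.group(2),
    }

def parse_tcpdump(line):
    """Same fields from a tcpdump line of the form shown in the message."""
    m = re.search(
        r"(\S+) > (\S+): ([SFPRUEW.]+) .*?win (\d+) \(ttl \d+, id (\d+)\)", line
    )
    src, dst, flags, win, ip_id = m.groups()
    return {
        "flags": "".join(sorted(flags.replace(".", ""))),
        "win": int(win),
        "ip_id": int(ip_id),
        "same_port": src.rsplit(".", 1)[1] == dst.rsplit(".", 1)[1],
    }

def looks_like_same_tool(a, b):
    # Assumed rule: SYN+FIN set together is not part of a normal TCP exchange,
    # so it anchors the match; identical window, identical IP ID and source
    # port equal to destination port must also agree. TTL is left out because
    # it depends on the path to each sensor (26 vs 13 in the two entries).
    common = {k: a[k] for k in a if a[k] == b[k]}
    return common.get("flags") == "FS" and len(common) == len(a)
```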
