Security Incidents mailing list archives

Slow scan on port 109 (pop2/kpop)

From: kaos () OCS COM AU (Keith Owens)
Date: Fri, 25 Feb 2000 08:30:14 +1100


At least two sites have tried a slow scan against port 109, with both
SYN+FIN flags set.  I have not seen this attack before, especially with
such a wide interval between packets.  Timestamps are GMT, accurate to
NTP stratum 3.

2000/02/23-21:47:00.450334 195.39.7.5.0 > 203.34.97.1.109: SF 923729920:923729920(0) win 512
2000/02/23-22:08:41.005190 195.39.7.5.0 > 203.34.97.2.109: SF 923729920:923729920(0) win 512
2000/02/23-22:52:02.133746 195.39.7.5.0 > 203.34.97.4.109: SF 923729920:923729920(0) win 512
2000/02/23-23:13:42.871866 195.39.7.5.0 > 203.34.97.5.109: SF 923729920:923729920(0) win 512
2000/02/23-23:57:05.011307 195.39.7.5.0 > 203.34.97.7.109: SF 923729920:923729920(0) win 512
2000/02/24-00:18:44.351877 195.39.7.5.0 > 203.34.97.8.109: SF 923729920:923729920(0) win 512
2000/02/24-01:02:05.439480 195.39.7.5.0 > 203.34.97.10.109: SF 923729920:923729920(0) win 512
2000/02/24-01:45:26.590275 195.39.7.5.0 > 203.34.97.12.109: SF 923729920:923729920(0) win 512
2000/02/24-02:07:07.106551 195.39.7.5.0 > 203.34.97.13.109: SF 923729920:923729920(0) win 512
2000/02/24-02:50:28.342829 195.39.7.5.0 > 203.34.97.15.109: SF 923729920:923729920(0) win 512
2000/02/24-03:12:08.743478 195.39.7.5.0 > 203.34.97.16.109: SF 923729920:923729920(0) win 512

2000/02/24-15:14:06.148799 195.110.140.8.0 > 203.34.97.1.109: SF 4151836672:4151836672(0) win 512
2000/02/24-15:35:47.711317 195.110.140.8.0 > 203.34.97.2.109: SF 4151836672:4151836672(0) win 512
2000/02/24-15:57:29.273478 195.110.140.8.0 > 203.34.97.3.109: SF 4151836672:4151836672(0) win 512
2000/02/24-16:40:52.665931 195.110.140.8.0 > 203.34.97.5.109: SF 4151836672:4151836672(0) win 512
2000/02/24-17:02:34.280652 195.110.140.8.0 > 203.34.97.6.109: SF 4151836672:4151836672(0) win 512
2000/02/24-17:45:58.152176 195.110.140.8.0 > 203.34.97.8.109: SF 4151836672:4151836672(0) win 512
2000/02/24-18:07:39.439434 195.110.140.8.0 > 203.34.97.9.109: SF 4151836672:4151836672(0) win 512
2000/02/24-18:29:21.473246 195.110.140.8.0 > 203.34.97.10.109: SF 4151836672:4151836672(0) win 512

Current thread:

rooted with lots of files in /dev/sdc0/.nfs01 Jeff Macdonald (Feb 23)
- Slow scan on port 109 (pop2/kpop) Keith Owens (Feb 24)
- just how much sunrpc scanning is normal? Jon Burdge (Feb 24)
  - Re: just how much sunrpc scanning is normal? Missouri FreeNet Administration (Feb 25)
  - Re: just how much sunrpc scanning is normal? Jon Lewis (Feb 25)
  - Re: just how much sunrpc scanning is normal? Nathan Nichols (Feb 25)
  - Re: just how much sunrpc scanning is normal? Chris Brenton (Feb 26)
- Re: rooted with lots of files in /dev/sdc0/.nfs01 Ken Lyon (Feb 24)
- Re: rooted with lots of files in /dev/sdc0/.nfs01 Marianovich Felix (Feb 25)