Re: scan log

[r.fulton () AUCKLAND AC NZ (Russell Fulton)]

On Thu, 15 Jun 2000 02:01:21 -0400 Valdis.Kletnieks () vt edu wrote:

> On Tue, 13 Jun 2000 10:03:00 +1200, Russell Fulton <r.fulton () AUCKLAND AC NZ>  said:
> > On Sun, 11 Jun 2000 22:30:31 -0500 Max Gribov <mgribov () KPLAB COM> wrote:
> > > this are logs of a port scan i have recently received on one of my
> > > machines. i searched for those ports in all known port databases to me,
> > > but couldnt find anything. why would someone scan that specific range
> > > (observe the precise inrementation) of ports on a linux machine?
> > >
> > > Jun 11 22:20:21 mordor scanlogd: From 209.3.31.70:20 to 151.202.106.23
> > > ports 2632, 2633, 2634, 2635, 2636, 2637, 2638, 2639, 2640, ..., flags
> > > ??r??u, TOS 00, TTL 60, started at 22:20:13
> >
> > Are you sure this is a scan?  My scan detection software see patterns
>
> Amen brother. ;)
>
> I'm not convinced that an FTP 'MGET *' isn't to blame here.

Yep, I am sure you are right -- given the source port of 20 (which I
did not spot, duh!) -- i'm not used to reading logs in that format.

My point is that there are also other means of getting such patters and
my scan detection software ignores scans (well it logs them but does
not ring any bells) where the source port is low numbered well known
service and all the destination ports are above 1024.

Cheers, Russell.