Security Incidents mailing list archives
Re: scan log
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Fri, 16 Jun 2000 10:08:34 +1200
On Thu, 15 Jun 2000 02:01:21 -0400 Valdis.Kletnieks () vt edu wrote:
On Tue, 13 Jun 2000 10:03:00 +1200, Russell Fulton <r.fulton () AUCKLAND AC NZ> said:On Sun, 11 Jun 2000 22:30:31 -0500 Max Gribov <mgribov () KPLAB COM> wrote:this are logs of a port scan i have recently received on one of my machines. i searched for those ports in all known port databases to me, but couldnt find anything. why would someone scan that specific range (observe the precise inrementation) of ports on a linux machine? Jun 11 22:20:21 mordor scanlogd: From 209.3.31.70:20 to 151.202.106.23 ports 2632, 2633, 2634, 2635, 2636, 2637, 2638, 2639, 2640, ..., flags ??r??u, TOS 00, TTL 60, started at 22:20:13Are you sure this is a scan? My scan detection software see patternsAmen brother. ;) I'm not convinced that an FTP 'MGET *' isn't to blame here.
Yep, I am sure you are right -- given the source port of 20 (which I did not spot, duh!) -- i'm not used to reading logs in that format. My point is that there are also other means of getting such patters and my scan detection software ignores scans (well it logs them but does not ring any bells) where the source port is low numbered well known service and all the destination ports are above 1024. Cheers, Russell.
Current thread:
- Re: scan log Russell Fulton (Jun 12)
- Re: scan log Valdis Kletnieks (Jun 14)
- <Possible follow-ups>
- Re: scan log Paul Rogers (Jun 13)
- Re: scan log Ex Machina (Jun 14)
- Re: scan log Russell Fulton (Jun 15)