Security Incidents mailing list archives
Re: slow scans for tcp port 524 and 137
From: Jens Hektor <hektor () RZ RWTH-AACHEN DE>
Date: Wed, 25 Oct 2000 22:23:53 -0000
Hi Russell, have seen similar probing (only port 524; 137 is not monitored).
> Over the last week or so I have picked up three machines probing for udp 137 and tcp 524. Probes appear to be to random address in our address space (some are in use, many not) and occur at random time intervals, mean around an hour but with some long intervals suggesting that the machine was powered off. All machines are in 130.0.0.0/8 as are we.
Funny enough: have seen some probes from 134.0.0.0/8, as we are, but not only.

Some logs:

Cisco #1
Oct 23 20:29:55.984 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 134.7.147.30(1099) -> 134.130.x.157(524), 2 packets
Oct 23 20:24:12.269 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 134.7.147.30(1099) -> 134.130.x.157(524), 1 packet

Cisco #2
Oct 23 14:27:54.296 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 134.7.147.30(3612) -> 134.130.y.235(524), 2 packets
Oct 23 14:22:37.932 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 134.7.147.30(3612) -> 134.130.y.235(524), 1 packet

Cisco #3
Oct 11 14:08:11.928 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 216.227.50.157(2919) -> 134.130.z.178(524), 2 packets
Oct 11 14:02:47.799 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 216.227.50.157(2919) -> 134.130.z.178(524), 1 packet

Different system:
Oct 23 11:29:35 - Oct 23 11:29:44: 134.7.147.39 (no DNS entry) 3 tries to 137.226.76.28 - 137.226.x.28 (1), Proto: TCP, Ports: 524
Oct 19 23:53:59 - Oct 19 23:54:08: 158.222.125.222 (no DNS entry) 3 tries to 137.226.76.204 - 137.226.x.204 (1), Proto: TCP, Ports: 524

Bye, Jens
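The Cisco ACL log lines in the mail above are the raw material for spotting a slow scan: one source touching several distinct addresses on one port, an hour or more apart, with the same flow logged twice (a "1 packet" entry and a "2 packets" summary a few minutes later) because IOS logs the first matching packet at once and then a per-5-minute summary. The script below is an added example, not code from either poster: it parses %SEC-6-IPACCESSLOGP lines, collapses those repeated entries for one 5-tuple into a single probe, and reports sources that hit several targets on one port with a long average gap between probes. The sample lines are constructed (RFC 5737 documentation addresses, not the ones in the post), the year is assumed since IOS timestamps carry none, and the thresholds (three targets, five-minute mean gap, ten-minute collapse window) are assumptions to tune for the address space being watched. The "Different system" format in the mail is not parsed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input, modelled on the %SEC-6-IPACCESSLOGP lines in the mail
# above. Addresses are RFC 5737 documentation ranges, not the ones from the post.
SAMPLE_LOG = """\
Oct 23 20:24:12.269 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.30(1099) -> 198.51.100.157(524), 1 packet
Oct 23 20:29:55.984 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.30(1099) -> 198.51.100.157(524), 2 packets
Oct 23 21:31:07.002 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.30(1101) -> 198.51.100.201(524), 1 packet
Oct 23 22:40:50.118 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.30(137) -> 198.51.100.9(137), 1 packet
Oct 24 09:15:33.500 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.30(1130) -> 198.51.100.44(524), 1 packet
Oct 23 14:22:37.932 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.7(3612) -> 198.51.100.235(80), 1 packet
"""

# One IOS ACL log entry: timestamp, timezone label, list, action, protocol, endpoints, count.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)(?:\.\d+)? \S+: "
    r"%SEC-6-IPACCESSLOGP: list \S+ (?P<action>denied|permitted) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?$"
)


def parse_lines(text, year=2000):
    """Parse ACL log lines into dicts; lines in another format are skipped.
    IOS timestamps carry no year, so one is supplied (assumed: the year of the post)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
        events.append({
            "ts": ts, "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "pkts": int(m["pkts"]),
        })
    return events


def collapse_retransmits(events, window=timedelta(minutes=10)):
    """IOS logs the first packet of a matching flow at once and then a summary
    every five minutes. A '1 packet' entry followed by a '2 packets' entry for the
    same 5-tuple (as in the post) is one SYN plus its retransmits, i.e. one probe,
    so keep only the first entry per 5-tuple within the window (assumed: 10 min)."""
    last_seen = {}
    probes = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["proto"], e["src"], e["sport"], e["dst"], e["dport"])
        prev = last_seen.get(key)
        if prev is not None and e["ts"] - prev < window:
            continue
        last_seen[key] = e["ts"]
        probes.append(e)
    return probes


def find_slow_scans(probes, min_targets=3, min_mean_gap=timedelta(minutes=5)):
    """Group probes by (source, proto, destination port) and report sources that
    touched several distinct targets with long average spacing between probes.
    Thresholds are assumptions; tune them to the address space being watched."""
    by_key = defaultdict(list)
    for p in probes:
        by_key[(p["src"], p["proto"], p["dport"])].append(p)
    findings = {}
    for key, plist in by_key.items():
        targets = {p["dst"] for p in plist}
        if len(targets) < min_targets:
            continue
        times = sorted(p["ts"] for p in plist)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if not gaps:
            continue
        mean_gap = sum(gaps, timedelta()) / len(gaps)
        if mean_gap < min_mean_gap:
            continue  # a fast sweep; a conventional rate-based detector covers that
        findings[key] = {
            "targets": len(targets),
            "probes": len(plist),
            "mean_gap_s": mean_gap.total_seconds(),
            "max_gap_s": max(gaps).total_seconds(),
        }
    return findings


if __name__ == "__main__":
    hits = find_slow_scans(collapse_retransmits(parse_lines(SAMPLE_LOG)))
    for (src, proto, dport), f in hits.items():
        print(f"{src} {proto}/{dport}: {f['targets']} targets over {f['probes']} probes, "
              f"mean gap {f['mean_gap_s'] / 60:.0f} min, max gap {f['max_gap_s'] / 3600:.1f} h")
```

On the constructed sample the script reports only 192.0.2.30 on tcp/524 (three targets, three probes after collapsing the retransmit entry, roughly an hour and then about twelve hours between probes), and ignores the single udp/137 probe and the unrelated tcp/80 hit. Grouping by source and port rather than by flow is what lets the long idle gaps (the "machine was powered off" intervals in the original report) show up as a single finding instead of disconnected one-packet log lines.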
Current thread:
- slow scans for tcp port 524 and 137 Russell Fulton (Oct 26)
- <Possible follow-ups>
- Re: slow scans for tcp port 524 and 137 Jens Hektor (Oct 27)
- slow scans for tcp port 524 and 137 Russell Fulton (Oct 27)