Security Incidents mailing list archives
Re: Interesting group of scans
From: Akatosh <akatosh () rains net>
Date: Tue, 3 Jul 2001 16:22:42 -0400 (EDT)
This appears to be a normal web browsing session. Note that the source port is 80 and labeled [World Wide Web HTTP]. The destination ports are somewhat sequential, and in the typical range of client ports that many OS's use for making outbound connections. Also note that the source IP is the IP of www.terraserver.com. Unless I'm missing something, what you are seeing is the inbound traffic generated by loading www.terraserver.com in a web browser.

On Sat, 30 Jun 2001, William Knowles wrote:
> Below is the cliff-notes of about 46 alerts to the personal firewall on my laptop, this is the first time in a while I've seen someone try to shoot trinoo to my machine. I thought I should share this information with the rest of the list, and see if anyone else is noticing this pattern.
>
> Cheers!
>
> William Knowles
> wk () c4i org
>
> Sat Jun 30 07:50:38 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1458 [Nichols Research Corp.]
> Sat Jun 30 07:53:34 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1470 [Universal Analytics]
> Sat Jun 30 07:58:36 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1460 [Proshare Notebook Application]
> Sat Jun 30 07:58:37 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1478 [ms-sna-base]
> Sat Jun 30 08:00:26 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1516 [Virtual Places Audio data]
> Sat Jun 30 08:00:32 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1497 [rfx-lm]
> Sat Jun 30 08:00:39 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1510 [Midland Valley Exploration Ltd. Lic. Man.]
> Sat Jun 30 08:01:02 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1500 [VLSI License Manager]
> Sat Jun 30 08:02:45 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1524 [ingres] Trinoo
> Sat Jun 30 08:02:45 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1524 [ingres] Trinoo
> Sat Jun 30 08:05:09 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1524 [ingres] Trinoo
> Sat Jun 30 08:05:10 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1524 [ingres] Trinoo
> Sat Jun 30 08:06:45 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1516 [Virtual Places Audio data]
>
> *==============================================================*
> "Communications without intelligence is noise; Intelligence
> without communications is irrelevant." Gen Alfred. M. Gray, USMC
> ================================================================
> C4I.org - Computer Security, & Intelligence - http://www.c4i.org
> *==============================================================*
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
--
Edward Fahner
Systems Administrator, Planet Communications Network
(540)442-6677 x222
[aka. Akatosh .CU.Au, akatosh () rains net]
DC2.DwGmL--WT--SksCre+\Cvi+BflA(+r-v+++)N^MH+$-Fj~R+Ac+++!J+S+U-I--#V+++Q+Tc++
GCSds:-a---C++++UL++++P---L++++E-W++N+o?K-w---O-M--V-PS+PE?YPGPt+5++XR*!tvb++(+++)DI++D++Geh+r++y+
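Added example, not part of the original posts or of any firewall product: a small triage script that applies the reasoning in the reply above (TCP source port 80, destination port in the client range) to alert lines in the quoted format, and shows that the "Trinoo" label follows destination port 1524 regardless of direction. The regex, the port thresholds, and the last sample line (from 192.0.2.7) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Three lines copied from the quoted alerts, plus one constructed line
# (192.0.2.7, source port 31337) that is NOT web reply traffic.
ALERTS = """\
Sat Jun 30 07:50:38 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1458 [Nichols Research Corp.]
Sat Jun 30 08:00:26 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1516 [Virtual Places Audio data]
Sat Jun 30 08:02:45 AM tcp 64.244.210.34 -> 166.90.214.151 80 [World Wide Web HTTP] -> 1524 [ingres] Trinoo
Sat Jun 30 08:07:00 AM tcp 192.0.2.7 -> 166.90.214.151 31337 [unknown] -> 1524 [ingres] Trinoo
"""

# Assumed layout: proto src -> dst sport [name] -> dport [name] [optional tag]
LINE = re.compile(
    r"(?P<proto>tcp|udp) (?P<src>\S+) -> (?P<dst>\S+) "
    r"(?P<sport>\d+) \[[^\]]*\] -> (?P<dport>\d+) \[[^\]]*\](?: (?P<tag>\S+))?$"
)
WEB_PORTS = {80, 443}     # assumption: source ports treated as web servers
CLIENT_PORT_MIN = 1024    # assumption: lower bound of client-side ports

def parse(text):
    """Yield one dict per alert line that matches the assumed layout."""
    for line in text.splitlines():
        m = LINE.search(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d

def classify(alert):
    """'web-reply' when the packet looks like a web server answering a client."""
    if (alert["proto"] == "tcp" and alert["sport"] in WEB_PORTS
            and alert["dport"] >= CLIENT_PORT_MIN):
        return "web-reply"
    return "review"

def triage(text):
    """Group alerts by source IP: verdicts, destination ports, signature tags."""
    out = defaultdict(lambda: {"verdicts": set(), "dports": set(), "tags": set()})
    for a in parse(text):
        s = out[a["src"]]
        s["verdicts"].add(classify(a))
        s["dports"].add(a["dport"])
        if a["tag"]:
            s["tags"].add(a["tag"])
    return dict(out)

if __name__ == "__main__":
    for src, s in triage(ALERTS).items():
        print(src, sorted(s["verdicts"]), sorted(s["dports"]), sorted(s["tags"]))
```

A source port is chosen by the sender, so a "web-reply" verdict is a triage hint only; confirm it against the host's own outbound connections to that address before closing the alert.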