Re: Canned scan?

[Joe Matusiewicz <joem () nist gov>]

At 11:45 AM 5/18/01, gattaca () hushmail com wrote:
> Hello all,
>
> I have a curiousity question. In the last 24 hours I have seen scans for
> the following ports. They have been from multiple addresses at different
> times. The scans have been the same ports and sequence each time which leads
> me to suspect a canned scan tool.  Is this something new? Thanks in advance.
>
> cheers,
> gattaca
>
> <snip>
> Fri May 18 10:36:30 EDT 2001 (snip filter file command) reports
> 211.218.149.27 DENIED HOST
> (tcp ports)
> 31337 11753 12754 2400 33567 5300 1008 1524 29369 9112 6723 6635 8282 9705
> 10008 15104 3879 22252 60008
> </snip>

I first noticed these scans two weeks ago.  Now I get about 20 a day going 
to random addresses on my network.  Each port is hit in 4 second 
increments.  There coming from all over the world.  Using netcraft.com, all 
the source addresses are running Linux.  I assume this is some new yet to 
be determined Linux worm.   The only mention I can find of it is at:

http://www.incidents.org/react/diary.php


-- Joe