Security Incidents mailing list archives
Re: Canned scan?
From: Joe Matusiewicz <joem () nist gov>
Date: Mon, 21 May 2001 09:07:29 -0400
At 11:45 AM 5/18/01, gattaca () hushmail com wrote:
Hello all, I have a curiousity question. In the last 24 hours I have seen scans for the following ports. They have been from multiple addresses at different times. The scans have been the same ports and sequence each time which leads me to suspect a canned scan tool. Is this something new? Thanks in advance. cheers, gattaca <snip> Fri May 18 10:36:30 EDT 2001 (snip filter file command) reports 211.218.149.27 DENIED HOST (tcp ports) 31337 11753 12754 2400 33567 5300 1008 1524 29369 9112 6723 6635 8282 9705 10008 15104 3879 22252 60008 </snip>
I first noticed these scans two weeks ago. Now I get about 20 a day going to random addresses on my network. Each port is hit in 4 second increments. There coming from all over the world. Using netcraft.com, all the source addresses are running Linux. I assume this is some new yet to be determined Linux worm. The only mention I can find of it is at:
http://www.incidents.org/react/diary.php-- Joe
Current thread:
- Canned scan? gattaca (May 18)
- Re: Canned scan? Joe Matusiewicz (May 22)