Snort mailing list archives

Re: Huge SYN Scan


From: Jim Forster <jforster () rapidnet com>
Date: Wed, 19 Dec 2001 09:14:20 -0700

It just started up last night, around 4pm MST from 10 different IP
addresses.  I firewalled them out and bound Snort to the outside
interface just to watch.
After the block, 7 of them quit probing us immediately.
1 probed 74 more times then quit.
1 probed 2300 times (exactly) then quit.
1 is still probing, and did 34,000+ SYNs overnight.

Just seemed odd that it all started up at once, and that once
blocked, 7 of them quit.  The other strange thing is that SYN
scanning is all they were doing.  Even when they were allowed into
the network, none of them attempted any of the 'usual' IIS exploits
these worms do.

---==On Wed, 19 Dec 2001 16:46:20 +0100, Roberto Suarez Soto wrote==---
On Dec/18, Jim Forster wrote:

Anyone else seeing massive SYN scans to port 80 from all over the
'net?

Effect of CodeRed/Nimda infected computers, I would say. There are a
lot of them, though the "prime time" of the virus has passed :-)



--
Jim Forster, jforster () rapidnet com on 12/19/2001


