Snort mailing list archives
Web servers scanning clients!!!
From: Farzin <farzing () yahoo com>
Date: Thu, 26 Dec 2002 16:15:31 -0800 (PST)
Hi All,

Looking at my snort logs, I see that when a user accesses some sites such as http://www.nationalenquirer.com (38.144.52.102), the server turns around and scans about 21 ports on the client. Does anyone know why this is? Below is the log:

[**] [117:1:1] (spp_portscan2) Portscan detected from 38.144.52.102: 1 targets 21 ports in 2 seconds [**]
12/26-14:31:33.546312 38.144.52.102:80 -> MY.IP:34189
TCP TTL:236 TOS:0x0 ID:5084 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x4613D2D4 Ack: 0xF07A44E3 Win: 0x2798 TcpLen: 44
TCP Options (9) => NOP NOP TS: 1229213631 743607218 NOP WS: 0
TCP Options => NOP NOP SackOK MSS: 1460

[**] [117:1:1] (spp_portscan2) Portscan detected from 38.144.52.102: 1 targets 21 ports in 2 seconds [**]
12/26-14:31:59.919274 38.144.52.102:80 -> MY.IP:34227
TCP TTL:236 TOS:0x0 ID:5279 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x49DDC83A Ack: 0xF12A7099 Win: 0x2798 TcpLen: 44
TCP Options (9) => NOP NOP TS: 1229216268 743609855 NOP WS: 0
TCP Options => NOP NOP SackOK MSS: 1460

TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34189 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34191 tgts: 1 ports: 22 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34192 tgts: 1 ports: 23 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34193 tgts: 1 ports: 24 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34194 tgts: 1 ports: 25 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34195 tgts: 1 ports: 26 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34196 tgts: 1 ports: 27 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34197 tgts: 1 ports: 28 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34198 tgts: 1 ports: 29 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34199 tgts: 1 ports: 30 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34200 tgts: 1 ports: 31 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34201 tgts: 1 ports: 32 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34202 tgts: 1 ports: 33 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34203 tgts: 1 ports: 34 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34204 tgts: 1 ports: 35 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34205 tgts: 1 ports: 36 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34206 tgts: 1 ports: 37 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34207 tgts: 1 ports: 38 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34227 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34228 tgts: 1 ports: 22 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34229 tgts: 1 ports: 23 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34230 tgts: 1 ports: 24 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34231 tgts: 1 ports: 25 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34232 tgts: 1 ports: 26 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34233 tgts: 1 ports: 27 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34235 tgts: 1 ports: 28 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34236 tgts: 1 ports: 29 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34237 tgts: 1 ports: 30 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34238 tgts: 1 ports: 31 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34239 tgts: 1 ports: 32 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34240 tgts: 1 ports: 33 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34241 tgts: 1 ports: 34 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34242 tgts: 1 ports: 35 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34243 tgts: 1 ports: 36 flags: ***A**S* event_id: 213

Thanks in advance,
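A triage aid for the portscan2 detail lines in the message above, added here as an example and not part of the original post or of Snort: it groups the flagged packets by source and reports which TCP flags and source ports they carried. The `summarize` helper, the report keys and the sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Detail-line layout as printed in the post; the flags field uses Snort's
# 8-character "12UAPRSF" display, so index 3 is ACK and index 6 is SYN.
LINE = re.compile(
    r"TCP src: (?P<src>\S+) dst: (?P<dst>\S+) sport: (?P<sport>\d+) "
    r"dport: (?P<dport>\d+) tgts: (?P<tgts>\d+) ports: (?P<ports>\d+) "
    r"flags: (?P<flags>\S{8}) event_id: (?P<eid>\d+)"
)

# Constructed sample in that layout (documentation addresses, not the poster's data).
SAMPLE = """\
TCP src: 192.0.2.10 dst: 198.51.100.7 sport: 80 dport: 40001 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
TCP src: 192.0.2.10 dst: 198.51.100.7 sport: 80 dport: 40002 tgts: 1 ports: 22 flags: ***A**S* event_id: 7
TCP src: 192.0.2.10 dst: 198.51.100.7 sport: 80 dport: 40003 tgts: 1 ports: 23 flags: ***A**S* event_id: 7
TCP src: 203.0.113.5 dst: 198.51.100.7 sport: 51515 dport: 22 tgts: 1 ports: 21 flags: ******S* event_id: 0
TCP src: 203.0.113.5 dst: 198.51.100.7 sport: 51516 dport: 23 tgts: 1 ports: 22 flags: ******S* event_id: 9
"""

def summarize(text):
    """Group flagged packets by source and report flags and port usage."""
    groups = defaultdict(list)
    for m in LINE.finditer(text):  # also works when entries are run together
        groups[m["src"]].append(m)
    report = {}
    for src, hits in groups.items():
        flags = {h["flags"] for h in hits}
        sports = {int(h["sport"]) for h in hits}
        dports = {int(h["dport"]) for h in hits}
        # SYN+ACK is the second step of the TCP handshake, sent in answer to a
        # SYN. When every flagged packet is SYN+ACK from one source port, the
        # destination ports are most likely ephemeral ports of connections the
        # monitored host opened itself; confirm against the outbound SYNs.
        replies = len(sports) == 1 and all(
            f[3] == "A" and f[6] == "S" for f in flags)
        report[src] = {
            "packets": len(hits),
            "flags": sorted(flags),
            "src_ports": sorted(sports),
            "dst_port_range": (min(dports), max(dports)),
            "handshake_replies_only": replies,
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```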