Snort mailing list archives

RE: Re: [Snort-sigs] Scan on tcp 13000


From: "Miller, Eoin" <Miller () fhlb-of com>
Date: Tue, 18 Feb 2003 16:11:09 -0500

http://isc.incidents.org/port_details.html?port=13000

Seems to have been hitting hard in the last 2 days; I'm pretty sure
incidents.org will have a blurb about this in a week's time.

-----Original Message-----
From: Drew Stockman [mailto:Drew.Stockman () cibmis com] 
Sent: Tuesday, February 18, 2003 3:17 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000


I too am seeing this type of traffic.  I am seeing it coming 
from 128.83.166.35 and sweeping across one of my IP ranges.  
This IP resolves to the University of Texas at Austin.  Seems 
to be coming out of the universities, but does anyone know 
what it is yet?

Drew Stockman
Security Analyst
CIBMIS


-----Original Message-----
From: Alex Polevoy [mailto:aspolevoy () shiloh com]
Sent: Tuesday, February 18, 2003 1:06 PM
To: Snort-users () lists sourceforge net; EveristB () naswi navy mil
Subject: RE: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000


My IDS registered the same alerts at 21:53 2003-02-17.

"Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil> 02/18/03 01:11pm >>>
Same here, 149 alerts, same host, same alert.  149 destinations,
first/last: 2003-02-17 13:58:06  2003-02-17 13:58:07

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () utc edu] 
Sent: Monday, February 17, 2003 10:57 PM
To: Michael Scheidell
Cc: Bob Dehnhardt; 'Snort Users List'; baldwinl () mynetwatchman com 
Subject: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000


Michael Scheidell wrote:

Has anyone else seen any tcp scans with both source and destination ports of
13000, SYN flag set, and a sequence ID of 674711609?

Yep, coming out of columbia.edu.

I had 1702 hits in one tarpit, let me see if they're still 
stuck... nope, but they should have been reported to DShield... yes!

source port = 13000, dest port = 13000

Source:  128.59.52.11 = mrl-sgi.mech.columbia.edu

Ended about 21:59 (UTC? Not sure what DShield reports)

Jeff


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users
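
Added example, not part of any message in this thread: a check for the fingerprint Michael Scheidell describes (source and destination port 13000, SYN, sequence number 674711609) applied to raw IPv4/TCP packets and grouped by source to show the sweep pattern the posters report. The packets are constructed with documentation addresses; the `min_targets` threshold, the helper names and the reading of "SYN flag set" as SYN-only are assumptions.

```python
import struct
from collections import defaultdict

PORT = 13000     # source and destination port reported in the thread
SEQ = 674711609  # fixed sequence number reported in the thread
SYN = 0x02       # assumption: "SYN flag set" is read as SYN and no other flag

def parse(pkt: bytes):
    """Return (src, dst, sport, dport, seq, flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IP header length; options shift the TCP header
    if ihl < 20 or len(pkt) < ihl + 14:
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, seq = struct.unpack_from("!HHI", pkt, ihl)
    return src, dst, sport, dport, seq, pkt[ihl + 13] & 0x3F

def matches(pkt: bytes) -> bool:
    """True when the packet carries the fingerprint described in the thread."""
    f = parse(pkt)
    return f is not None and f[2:] == (PORT, PORT, SEQ, SYN)

def sweep_sources(packets, min_targets=3):
    """Count distinct destinations per matching source; keep sources at or above min_targets."""
    seen = defaultdict(set)
    for pkt in packets:
        if matches(pkt):
            src, dst = parse(pkt)[:2]
            seen[src].add(dst)
    return {s: len(d) for s, d in seen.items() if len(d) >= min_targets}

def build(src, dst, sport, dport, seq, flags):
    """Constructed sample packet: bare IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, flags, 1024, 0, 0)

# Constructed input using documentation address ranges, not traffic from the thread.
SAMPLE = [build("198.51.100.7", f"192.0.2.{i}", PORT, PORT, SEQ, SYN) for i in range(1, 6)]
SAMPLE += [
    build("198.51.100.9", "192.0.2.1", 40000, PORT, 12345, SYN),  # ordinary client SYN
    build("198.51.100.7", "192.0.2.9", PORT, PORT, SEQ, 0x12),    # SYN+ACK, not counted
    b"\x45\x00",                                                   # truncated capture
]

if __name__ == "__main__":
    print(sweep_sources(SAMPLE))
```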
