[prev in list] [next in list] [prev in thread] [next in thread] 

List:       intrusions
Subject:    Distributed scan to ports 12345 and 27374
From:       Serge Droz <serge.droz () psi ! ch>
Date:       2002-06-03 15:11:38
[Download RAW message or body]

Since the beginning of the month we see SYN scans for port
 12345 and 27374 arriving at our class B net.

Typically each scanner scans three subsequent class C subnets
(i.e. a.b.100.*, a.b.101.* ,a.b.102.*). 
Some seem to scan six.
Typically, a scan sends around 900-1000 packets.

All the systems seem to windows systems (meaning port 129 is open).
The scans last for couple of minutes and started last week.
No new scans occurred since 2:30 pm CEST.

Taking all these scans together our entire address range is 
covered.

I've started a tcpdump session, hoping to catch the data
Any ideas?
Anyone else seeing this?

Cheers
Serge


-- 
Serge Droz
Paul Scherrer Institut                mailto:serge.droz@psi.ch
CH-5232 Villigen PSI                   Phone: ++41 56 310 3637
                                         Fax: ++41 56 310 3649

[prev in list] [next in list] [prev in thread] [next in thread]