
List:       intrusions
Subject:    Port scans of 4815, 9407, and 8081
From:       "Gary Morris" <gmorris () govolution ! com>
Date:       2002-11-30 22:24:46

I am seeing an interesting scan of a /24 address space for ports 4815, 9407, and 8081.  I cannot seem to figure out how the attacker is choosing what ports to look for on which hosts.  8081 I believe is a default Netscape proxy port.  The attack was from Saudi Arabia.  Destination address has been obfuscated.  Below is a cut piece of the logs.  Any theories?

Thanks,

Gary Morris

....

Nov 28 18:17:33 213.238.31.83:2161 -> 11.22.33.22:4815 SYN ******S*
Nov 28 18:17:33 213.238.31.83:2166 -> 11.22.33.24:9407 SYN ******S*
Nov 28 18:17:33 213.238.31.83:2167 -> 11.22.33.24:4815 SYN ******S*
Nov 28 18:17:33 213.238.31.83:2173 -> 11.22.33.26:4815 SYN ******S*
Nov 28 18:17:33 213.238.31.83:2170 -> 11.22.33.25:4815 SYN ******S*
Nov 28 18:17:33 213.238.31.83:2179 -> 11.22.33.28:4815 SYN ******S*
Nov 28 18:17:33 213.238.31.83:2181 -> 11.22.33.29:9407 SYN ******S*
Nov 28 18:17:33 213.238.31.83:2182 -> 11.22.33.29:4815 SYN ******S*
Nov 28 18:17:33 213.238.31.83:2185 -> 11.22.33.30:4815 SYN ******S*
Nov 28 18:17:33 213.238.31.83:2187 -> 11.22.33.31:9407 SYN ******S*
Nov 28 18:17:33 213.238.31.83:2188 -> 11.22.33.31:4815 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2290 -> 11.22.33.64:8081 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2294 -> 11.22.33.65:8081 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2298 -> 11.22.33.66:8081 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2302 -> 11.22.33.67:8081 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2306 -> 11.22.33.68:8081 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2308 -> 11.22.33.69:4815 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2310 -> 11.22.33.69:8081 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2318 -> 11.22.33.71:8081 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2314 -> 11.22.33.70:8081 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2319 -> 11.22.33.72:9407 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2320 -> 11.22.33.72:4815 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2322 -> 11.22.33.72:8081 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2326 -> 11.22.33.73:8081 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2330 -> 11.22.33.74:8081 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2328 -> 11.22.33.74:4815 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2334 -> 11.22.33.75:8081 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2335 -> 11.22.33.76:9407 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2336 -> 11.22.33.76:4815 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2338 -> 11.22.33.76:8081 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2340 -> 11.22.33.77:4815 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2342 -> 11.22.33.77:8081 SYN ******S*
...
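
One way to approach the question in the message above, as an added example that is not part of the original post: group the probes by destination host and count which port combinations each host received. The function names and the `min_hosts` threshold are assumptions; the sample lines are copied from the log excerpt in the post.

```python
import re
from collections import Counter, defaultdict

# Line format used in the post: "Mon DD HH:MM:SS src:sport -> dst:dport SYN flags"
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]{8} (\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+) SYN"
)

# A few lines copied from the excerpt in the post (not new data).
SAMPLE = """\
Nov 28 18:17:33 213.238.31.83:2166 -> 11.22.33.24:9407 SYN ******S*
Nov 28 18:17:33 213.238.31.83:2167 -> 11.22.33.24:4815 SYN ******S*
Nov 28 18:17:33 213.238.31.83:2173 -> 11.22.33.26:4815 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2290 -> 11.22.33.64:8081 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2319 -> 11.22.33.72:9407 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2320 -> 11.22.33.72:4815 SYN ******S*
Nov 28 18:17:38 213.238.31.83:2322 -> 11.22.33.72:8081 SYN ******S*
"""

def parse(text):
    """Yield (src, sport, dst, dport) for each SYN line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, sport, dst, dport = m.groups()
            yield src, int(sport), dst, int(dport)

def summarize(text, min_hosts=3):
    """Per source: ports probed on each host, and how often each port set occurs."""
    per_src = defaultdict(lambda: defaultdict(set))
    for src, _sport, dst, dport in parse(text):
        per_src[src][dst].add(dport)
    report = {}
    for src, hosts in per_src.items():
        combos = Counter(tuple(sorted(p)) for p in hosts.values())
        report[src] = {
            "hosts": len(hosts),
            "ports": sorted({p for ps in hosts.values() for p in ps}),
            "port_sets": dict(combos),  # port combination -> number of hosts
            # min_hosts is an assumed threshold for "many hosts, few ports"
            "horizontal_scan": len(hosts) >= min_hosts,
        }
    return report

if __name__ == "__main__":
    for src, r in summarize(SAMPLE).items():
        print(src, r)
```

Run over the full log, the `port_sets` histogram shows whether the per-host port choice follows address ranges or varies host by host.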

