OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Tom Fischer (Tom.FischerRUS.UNI-STUTTGART.DE)
Date: Wed Jan 24 2001 - 04:29:37 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi,

    On Tue, Jan 23, 2001 at 11:53:11PM +0100, Ralf G. R. Bergs wrote:
    > there's currently a distributed scan going on across our whole class C network
    > (contained in the class B network 131.188.0.0/16.)
    >
    > The scanning machines send TCP packets with a source port of 23. The source IP
    > addresses I've seen so far are
    >
    > 134.53.215.184 (ip134-053-215-184.s215.muohio.edu)
    > 216.22.151.67 (fortress.omnicon.net)
    > 209.220.244.18 (w018.z209220244.chi-il.dsl.cnc.net)
    > 209.240.174.2 (apollo.netwest.com)
    >
    > Anyone else seen similar things going on?

    we are observing these scans with a source port of 23 and various
    attacked ports as well. The scans started at Jan 23 04:00 (UTC+0100
    (MET)) and end at Jan 24 06:00 (UTC+0100 (MET)) from:

    216.22.151.67
    134.53.215.184
    204.32.32.250
    209.220.244.18

    The responsible contact persons were informed.

    209.240.174.2 does a scan with various source and attacked ports. 

    --
Tom Fischer                              Tom.Fischerrus.uni-stuttgart.de
RUS-CERT Universitaet Stuttgart        Tel:+49 711 685-8076 / -5898 (fax)
Allmandring 30, D-70550 Stuttgart           http://cert.uni-stuttgart.de/
PGP: http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0x62B1DB01