|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Jon R. Kibler (Jon.Kibler
aset04.aset.com)Date: Mon Nov 05 2001 - 17:37:04 CST
Earlier today we started noticing a rather strange "port scan" from two different spoofed IP addresses. Both claim to originate from port 80 and have a fixed destination based upon originating IP, as follows:
192.168.19.82 has destination port 11709
192.168.19.81 has destination port 13607
The "scans" repeat every 61 seconds. They have been running non-stop since sometime late yesterday. Here is an example from snoop of the traffic in question:
150182 15:20:41.94425 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150183 15:20:41.94466 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150206 15:20:50.21349 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150207 15:20:50.21390 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150283 15:21:42.90447 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150284 15:21:42.90488 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150311 15:21:51.13106 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150312 15:21:51.13147 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150395 15:22:44.10400 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150396 15:22:44.10440 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150404 15:22:52.08212 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150405 15:22:52.08249 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150442 15:23:44.87234 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150443 15:23:44.87276 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150488 15:23:53.03809 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150489 15:23:53.03850 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150763 15:24:45.75855 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150764 15:24:45.75894 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150809 15:24:54.00191 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150810 15:24:54.00232 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
Has anyone else seen something similar? Since this is clearly not a DOS attack, any idea what would be the purpose of such a scan?
Thanks for any and all help/comments.
Sincerely,
Jon R. Kibler
Systems Architect
Advanced Systems Engineering Technology, Inc.
Charleston, SC
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]