Welcome to my world. The ports I see most often are 80 (more so in recent months), 21, 136-9, 515, 79, 53. And those are just off the top of my head. High numbered ports are a different story. That could be a script kiddie trolling or targeted services like X.
Usually, when it's a distributed scan, I see it from different ISPs. Typically I get some from broadband pools, Asia (Korea and China specifically), a few from the East Coast (Mass) and sometimes the occasional probe from Europe. I really don't mind because I drop all those packets on the floor. It makes me feel like a James Bond supervillain, with the whole globe trying to stop my nefarious plot.

tack

On Fri, 12 Oct 2001, John Hunter wrote:

>
> I am busy sifting through my iptables logs and have what looks like a
> distributed port scan. A bunch of TCP packets sent to high numbered
> ports (>1024) from 5 or 6 different IPs. Each IP is in the same
> subnet 205.188.162.* and each originated from the same src port 1028.
> My first guess is that this is a scanner designed to thwart automated
> detection schemes.
>
> I am new to the game of log browsing so I don't know if there could be
> an innocent explanation for this but it looks suspicious.
>
> Is there any way to get the ISP information for a given subnet, so I
> can file a complaint if I want?
>
> JDH
> --
------------------------------------------
1st Amendment: Void where prohibited
http://freesklyarov.org
http://www.anti-dmca.org
