Re: What sort of scan is this ?

Thu, 23 Sep 1999 11:39:20 -0700 

El dia Thu, Sep 23, 1999 at 12:56:23PM +1000, Jim Smart escribi�:

        maybe nmap with the decoy option

   -Ddecoy_host1,decoy2,ME,decoy3[,...] Launch scans from decoy host(s) along
      with the real one.  If you care about the order your real IP appears,
      stick "ME" somewhere in the list.  Even if the target detects the
      scan, they are unlikely to know which IP is scanning them and which
      are decoys.


> Hi,
> 
> I am wondering if anyone knows what is causing these in our logs ?
> 
> Sep 23 03:56:18 <> list 100 denied tcp 216.xx.xx.66(47850) ->
> 203.xx.xx.2(23), 1 packet
> Sep 23 03:56:19 <> list 100 denied tcp 216.xx.xx.66(47850) ->
> 203.xx.xx.50(23), 1 packet
> Sep 23 03:56:20 <> list 100 denied tcp 216.xx.xx.66(47850) ->
> 203.xx.xx.102(23), 1 packet
> Sep 23 03:56:21 <> list 100 denied tcp 216.xx.xx.66(47850) ->
> 203.xx.xx.152(23), 1 packet
> Sep 23 03:56:22 <> list 100 denied tcp 216.xx.xx.66(47850) ->
> 203.xx.xx.201(23), 1 packet
> Sep 23 03:56:23 <> list 100 denied tcp 216.xx.xx.66(47850) ->
> 203.xx.xx.253(23), 1 packet
> Sep 23 03:56:23 <> list 100 denied tcp 216.xx.xx.66(47850) ->
> 203.xx.xx.254(23), 1 packet
> 
> Observations:
> - The source port is always the same, and is generally port 47850.
> - The destination port is always port 23.
> - It is too quick to be manually done.
> - The size of the gaps in the address space is variable.
> - The only continent they have not come from is Africa.
> 
> I would like to know what is being used to do the job ? why they 
> are happening ? and what may follow ?
> 
> Thank you in advance,
> 
> Jim Smart
> Brisbane, Australia
> 
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

-- 
Saludos.

===========================================================

   Alfonso Lazaro Tellez        [EMAIL PROTECTED]  
   Analista de seguridad        
   IP6Seguridad                 http://www.ip6seguridad.com     
   Tfno: +34 91-3430245         C\Alberto Alcocer 5, 1 D        
   Fax:  +34 91-3430294         Madrid ( SPAIN )
===========================================================                     
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

Reply via email to