
RE: [Dshield] [Snort-users] Port 17300 scans [snort-users-admin@lists.sourceforge.net in Pass-Through List] ['snort' in Pass-Through List] ['snort-users' in Pass-Through List]

From: Chan, Stephen (Singapore) <stephen_chan(at)sg.ml.com>
Date: Tue Feb 18 2003 - 21:48:52 EST


Most likely spoofed source addresses, otherwise they could be compromised hosts being controlled by a master someplace...

Rgds,

Stephen

-----Original Message-----
From: Mark Scott [mailto:mscott@mtgroup.com]
Sent: Wednesday, February 19, 2003 6:46 AM
To: list@dshield.org; snort-users@lists.sourceforge.net
Subject: [Dshield] [Snort-users] Port 17300 scans [snort-users-admin@lists.sourceforge.net in Pass-Through List] ['snort' in Pass-Through List] ['snort-users' in Pass-Through List]

For those tracking the 17300 scans, here are some more data on the 17300 scans. I had several nodes that were quickly scanned and the snort data all looked the same. Below are the snort alerts from one of my nodes.

Also of interest... they originated from 3 different IPs (211.199.119.223 [Korea], 61.182.210.111 [China] and 61.182.210.22 [China]) to the very same nodes on my network. Any significance to the fact that the 3 src IPs are hitting the same nodes on the network simultaneously?

Regards,

Mark
Mark Scott
Memphis Technology Associates
http://mtgroup.com


[**] Port 17300 Scan [**]

02/18/03-16:22:29.625943 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3E
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19234 IpLen:20 DgmLen:48 DF
******S* Seq: 0x429C8DF Ack: 0x0 Win: 0x2000 TcpLen: 28 TCP Options (4) => MSS: 1422 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]

02/18/03-16:22:29.867155 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19746 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]

02/18/03-16:22:29.868560 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:20002 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]

02/18/03-16:22:29.869628 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:20258 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]

02/18/03-16:22:32.800830 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:24354 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]

02/18/03-16:22:38.804678 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:39714 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]

02/18/03-16:22:50.802199 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:60194 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]

02/18/03-16:23:14.853085 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:55075 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]

02/18/03-16:24:02.882797 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:56101 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
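Added example, not part of either post: a small Python parser for the Snort alert records quoted above, with two checks a defender would run over them. handshake_completed marks flows where the SYN was followed by a bare ACK carrying a non-zero Ack number (the second record above has Ack: 0xF2644EE8), which only a host that actually received the SYN-ACK can send, so it argues against a blindly spoofed source for that flow; coordinated_sources lists the distinct source IPs that hit the same node:port inside a time window, the pattern Mark asks about. Only the first two sample records are from the post; the third (from 61.182.210.111) is constructed, with invented port, ID, sequence number and timestamp.

```python
import re
from datetime import datetime
# Snort "full" alert record as in Mark's post: [**] msg [**], timestamp/MAC line, IP line, TCP line.
TS = re.compile(r"(\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ")
IP = re.compile(r"([\d.]+):(\d+) -> ([\d.]+):(\d+) TCP TTL:(\d+)")
TCP = re.compile(r"([*12UAPRSF]{8}) Seq: (0x[0-9A-F]+) Ack: (0x[0-9A-F]+)", re.I)

def parse_alerts(text):
    """One dict per [**] record (TCP records only): msg, ts, src, sport, dst, dport, ttl, flags, seq, ack."""
    parts = text.split("[**]")          # parts[1::2] are the messages, parts[2::2] the record bodies
    recs = []
    for msg, body in zip(parts[1::2], parts[2::2]):
        ts, ip, tcp = TS.search(body), IP.search(body), TCP.search(body)
        recs.append(dict(msg=msg.strip(), ts=datetime.strptime(ts[1], "%m/%d/%y-%H:%M:%S.%f"),
                         src=ip[1], sport=int(ip[2]), dst=ip[3], dport=int(ip[4]), ttl=int(ip[5]),
                         flags=tcp[1].replace("*", ""), seq=int(tcp[2], 16), ack=int(tcp[3], 16)))
    return recs

def handshake_completed(recs):
    """Per (src, dst, dport): True once a SYN is followed by a bare ACK with a non-zero ack number."""
    done = {}
    for r in sorted(recs, key=lambda r: r["ts"]):
        key = (r["src"], r["dst"], r["dport"])
        if r["flags"] == "S":
            done.setdefault(key, False)
        elif r["flags"] == "A" and r["ack"] and key in done:
            done[key] = True            # only a host that saw our SYN-ACK can produce this ACK
    return done

def coordinated_sources(recs, window_s=60):
    """Per (dst, dport): sorted distinct source IPs seen within window_s of the first hit on it."""
    first, srcs = {}, {}
    for r in sorted(recs, key=lambda r: r["ts"]):
        t = (r["dst"], r["dport"])
        if (r["ts"] - first.setdefault(t, r["ts"])).total_seconds() <= window_s:
            srcs.setdefault(t, set()).add(r["src"])
    return {t: sorted(s) for t, s in srcs.items() if len(s) > 1}

# Constructed sample: records 1-2 are copied from Mark's post; record 3 is an invented SYN from 61.182.210.111.
SAMPLE = """[**] Port 17300 Scan [**]
02/18/03-16:22:29.625943 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3E
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19234 IpLen:20 DgmLen:48 DF
******S* Seq: 0x429C8DF Ack: 0x0 Win: 0x2000 TcpLen: 28 TCP Options (4) => MSS: 1422 NOP NOP SackOK
[**] Port 17300 Scan [**]
02/18/03-16:22:29.867155 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19746 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
[**] Port 17300 Scan [**]
02/18/03-16:22:31.104201 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3E
61.182.210.111:3055 -> 10.10.10.49:17300 TCP TTL:110 TOS:0x0 ID:4112 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1A2B3C4D Ack: 0x0 Win: 0x2000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK"""
```

Run against a real Snort full-format alert file the same way; the separator and widget lines between records are ignored because each record body is searched, not parsed line by line.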


Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list

list mailing list
list@dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list


Received on Wed Feb 19 09:14:57 2003
