Re: What sort of scan is this ?

Thu, 23 Sep 1999 07:16:51 -0700 

Actually, since the destination IP is different in each case,
I think that someone is searching for telnet services within
your network segment.

Tim Kramer


Mikael Olsson wrote:

> The destination port is 23. That's telnet.
> Someone's trying to telnet to you.
> The reason you're seeing several drops is that TCP
> retries its SYN packets a bunch of times if it fails
> to connect.
>
> I'd recommend brushing up on your TCP/IP basics a wee bit.
>
> Jim Smart wrote:
> >
> > Hi,
> >
> > I am wondering if anyone knows what is causing these in our logs ?
> >
> > Sep 23 03:56:18 <> list 100 denied tcp 216.xx.xx.66(47850) ->
> > 203.xx.xx.2(23), 1 packet
> > Sep 23 03:56:19 <> list 100 denied tcp 216.xx.xx.66(47850) ->
> > 203.xx.xx.50(23), 1 packet
> > Sep 23 03:56:20 <> list 100 denied tcp 216.xx.xx.66(47850) ->
> > 203.xx.xx.102(23), 1 packet
> > Sep 23 03:56:21 <> list 100 denied tcp 216.xx.xx.66(47850) ->
> > 203.xx.xx.152(23), 1 packet
> > Sep 23 03:56:22 <> list 100 denied tcp 216.xx.xx.66(47850) ->
> > 203.xx.xx.201(23), 1 packet
> > Sep 23 03:56:23 <> list 100 denied tcp 216.xx.xx.66(47850) ->
> > 203.xx.xx.253(23), 1 packet
> > Sep 23 03:56:23 <> list 100 denied tcp 216.xx.xx.66(47850) ->
> > 203.xx.xx.254(23), 1 packet
> >
> > Observations:
> > - The source port is always the same, and is generally port 47850.
> > - The destination port is always port 23.
> > - It is too quick to be manually done.
> > - The size of the gaps in the address space is variable.
> > - The only continent they have not come from is Africa.
> >
> > I would like to know what is being used to do the job ? why they
> > are happening ? and what may follow ?
> >
> > Thank you in advance,
> >
> > Jim Smart
> > Brisbane, Australia
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>
> --
> Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 �RNSK�LDSVIK
> Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
> WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

Reply via email to