Actually, they are trying to find MS Exchange servers with Outlook Web
Access (http - port 80) which requires MS IIS to be installed on the
same machine as the Exchange server.

Dave Horsfall wrote:
>
> I hope I'm not on someone's hit-list...
>
> I'm also starting to see a growing number of probes to port 80 on the
> mail server; now, there's no WWW server there (it's hosted elsewhere;
> all you have to do is look it up) so my guess is these kiddies are
> looking for such servers on MX hosts...
>
> -- Dave
>
> ---------- Forwarded message ----------
> Date: Thu, 8 Feb 2001 03:10:45 +1100 (EST)
> From: System Administrator
> To: dave
> Subject: Cisco munchkins
>
> [211.248.72.2] resolves to "[211.248.72.2]"
>
> Feb 7 09:43:35 denied tcp 211.248.72.2(53) -> X.X.X.8(53), 1 packet
> Feb 7 09:43:35 denied tcp 211.248.72.2(53) -> X.X.X.3(53), 1 packet
> Feb 7 09:43:35 denied tcp 211.248.72.2(53) -> X.X.X.5(53), 1 packet
> [...]
> Feb 7 09:43:39 denied tcp 211.248.72.2(53) -> X.X.X.252(53), 1 packet
> Feb 7 09:43:39 denied tcp 211.248.72.2(53) -> X.X.X.253(53), 1 packet
> Feb 7 09:43:40 denied tcp 211.248.72.2(53) -> X.X.X.254(53), 1 packet
>
> [216.251.5.110] resolves to "[216.251.5.110]"
>
> Feb 7 10:33:32 denied tcp 216.251.5.110(4636) -> X.X.X.1(111), 1 packet
> Feb 7 10:33:34 denied tcp 216.251.5.110(4667) -> X.X.X.1(515), 1 packet
> Feb 7 10:33:36 denied tcp 216.251.5.110(4698) -> X.X.X.2(111), 1 packet
> Feb 7 10:33:38 denied tcp 216.251.5.110(4730) -> X.X.X.2(515), 1 packet
> [...]
> Feb 7 10:50:18 denied tcp 216.251.5.110(2423) -> X.X.X.253(111), 1 packet
> Feb 7 10:50:20 denied tcp 216.251.5.110(2462) -> X.X.X.253(515), 1 packet
> Feb 7 10:50:22 denied tcp 216.251.5.110(2503) -> X.X.X.254(111), 1 packet
> Feb 7 10:50:24 denied tcp 216.251.5.110(2538) -> X.X.X.254(515), 1 packet
>
> [210.143.177.3] resolves to "a143177003.shikoku.ne.jp"
>
> Feb 7 11:15:38 denied tcp 210.143.177.3(4535) -> X.X.X.1(111), 1 packet
> Feb 7 11:15:38 denied tcp 210.143.177.3(4548) -> X.X.X.11(111), 1 packet
> Feb 7 11:15:38 denied tcp 210.143.177.3(4540) -> X.X.X.6(111), 1 packet
> [...]
> Feb 7 11:15:39 denied tcp 210.143.177.3(4791) -> X.X.X.245(111), 1 packet
> Feb 7 11:15:39 denied tcp 210.143.177.3(4795) -> X.X.X.249(111), 1 packet
> Feb 7 11:15:39 denied tcp 210.143.177.3(4798) -> X.X.X.252(111), 1 packet
>
> [212.93.140.51] resolves to "fisc.rdscj.ro"
>
> Feb 7 15:17:48 denied tcp 212.93.140.51(63090) -> X.X.X.2(111), 1 packet
> Feb 7 15:17:48 denied tcp 212.93.140.51(63094) -> X.X.X.6(111), 1 packet
> Feb 7 15:17:48 denied tcp 212.93.140.51(63096) -> X.X.X.8(111), 1 packet
> [...]
> Feb 7 15:17:49 denied tcp 212.93.140.51(63310) -> X.X.X.222(111), 1 packet
> Feb 7 15:17:49 denied tcp 212.93.140.51(63334) -> X.X.X.246(111), 1 packet
> Feb 7 15:17:49 denied tcp 212.93.140.51(63342) -> X.X.X.254(111), 1 packet
>
> -----------------------------------------------------------------------------
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
--
----
John Stewart
Pager: (877) 572-4322 (PIN: 3033244)
NAVSEA San Diego
Information Systems Security Mgr
--------------------------------
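
Added example, not part of the original messages: a Python summarizer for deny-log lines in the format quoted above. It groups denials by source to show how many hosts each source swept, which destination ports it tried, and whether it used one fixed source port. The function name, the `min_hosts` threshold and the sample lines (documentation addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the deny-log format quoted in the thread, with or without a "> " prefix:
# "Feb 7 09:43:35 denied tcp 211.248.72.2(53) -> X.X.X.8(53), 1 packet"
LINE_RE = re.compile(
    r"^(?:>\s*)?\w{3}\s+\d+\s+[\d:]+\s+denied\s+\w+\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+(?P<dst>[\w.]+)\((?P<dport>\d+)\)"
)

def summarize_sweeps(lines, min_hosts=3):
    """Report sources whose denied packets hit at least min_hosts
    distinct destination hosts (a horizontal sweep)."""
    seen = defaultdict(lambda: {"hosts": set(), "dports": set(),
                                "sports": set(), "packets": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip "[...]" elisions, headers and blank lines
        s = seen[m["src"]]
        s["hosts"].add(m["dst"])
        s["dports"].add(int(m["dport"]))
        s["sports"].add(int(m["sport"]))
        s["packets"] += 1
    report = {}
    for src, s in seen.items():
        if len(s["hosts"]) >= min_hosts:
            report[src] = {
                "hosts": len(s["hosts"]),
                "dports": sorted(s["dports"]),
                # A single constant source port (e.g. 53) suggests a crafted scan
                "fixed_sport": min(s["sports"]) if len(s["sports"]) == 1 else None,
                "packets": s["packets"],
            }
    return report

# Constructed sample lines in the same format; not taken from the thread.
SAMPLE = """\
Feb 7 09:43:35 denied tcp 192.0.2.10(53) -> X.X.X.3(53), 1 packet
Feb 7 09:43:35 denied tcp 192.0.2.10(53) -> X.X.X.5(53), 1 packet
> Feb 7 09:43:36 denied tcp 192.0.2.10(53) -> X.X.X.8(53), 1 packet
[...]
Feb 7 10:33:32 denied tcp 198.51.100.7(4636) -> X.X.X.1(111), 1 packet
Feb 7 10:33:34 denied tcp 198.51.100.7(4667) -> X.X.X.1(515), 1 packet
Feb 7 10:33:36 denied tcp 198.51.100.7(4698) -> X.X.X.2(111), 1 packet
Feb 7 10:33:38 denied tcp 198.51.100.7(4730) -> X.X.X.3(515), 1 packet
Feb 7 11:02:10 denied tcp 203.0.113.9(1030) -> X.X.X.8(80), 1 packet
"""

if __name__ == "__main__":
    for src, info in summarize_sweeps(SAMPLE.splitlines()).items():
        print(src, info)
```

Lowering `min_hosts` to 1 also lists single-host probes such as the port 80 attempt in the sample.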