Hi Marcel,

This has probably already been said, but this message is quite off topic for this list.

It looks like some standard SYN portscan and then followed by some connections to the HTTP port of the webserver, possibly to scan for exploits, etcetera? This could have been automated, but guessing from the last port 80 scans/exploit runs and their timings, I would guess it was someone actually trying to get in "by hand". Of course, I am in no way an expert, so don't take my word for it =).

Have a nice day,
Oskar Andreasson
http://www.boingworld.com
http://people.unix-fu.org/andreasson/
mailto: [EMAIL PROTECTED]

----- Original Message -----
From: "Marcel Hauser" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 05, 2002 10:11 PM
Subject: TCP ******S* portscan

> Hi everybody
>
> I'm using Snort for IDS. Sorry if this question is offtopic, but I think here
> I'll reach the right guys for this question.
>
> Can someone please tell me how this could happen:
> (y.y.y.y is the internal IP address of my webserver and I'm allowing only
> port 80 and 25 to that server from outside)
>
> Apr 5 15:50:56 195.186.255.2:3595 -> y.y.y.y:45428 SYN ******S*
> Apr 5 15:50:57 195.186.255.2:3596 -> y.y.y.y:45429 SYN ******S*
> Apr 5 15:50:58 195.186.255.2:3597 -> y.y.y.y:45430 SYN ******S*
> Apr 5 15:50:59 195.186.255.2:3598 -> y.y.y.y:45431 SYN ******S*
> Apr 5 15:50:59 195.186.255.2:3599 -> y.y.y.y:45432 SYN ******S*
> Apr 5 15:51:00 195.186.255.2:3600 -> y.y.y.y:45433 SYN ******S*
> Apr 5 15:51:01 195.186.255.2:3601 -> y.y.y.y:45434 SYN ******S*
> Apr 5 15:51:01 195.186.255.2:3602 -> y.y.y.y:45435 SYN ******S*
> Apr 5 15:51:41 195.186.255.2:3614 -> y.y.y.y:45440 SYN ******S*
> Apr 5 15:51:42 195.186.255.2:3615 -> y.y.y.y:45441 SYN ******S*
> Apr 5 15:51:43 195.186.255.2:3616 -> y.y.y.y:45442 SYN ******S*
> Apr 5 15:51:44 195.186.255.2:3617 -> y.y.y.y:45443 SYN ******S*
> Apr 5 15:51:44 195.186.255.2:3618 -> y.y.y.y:45444 SYN ******S*
> Apr 5 15:51:44 195.186.255.2:3619 -> y.y.y.y:45445 SYN ******S*
> Apr 5 15:51:45 195.186.255.2:3620 -> y.y.y.y:45446 SYN ******S*
> Apr 5 15:51:46 195.186.255.2:3621 -> y.y.y.y:45448 SYN ******S*
> Apr 5 15:52:08 195.186.255.2:3630 -> y.y.y.y:80 SYN ******S*
> Apr 5 15:52:08 195.186.255.2:3631 -> y.y.y.y:80 SYN ******S*
> Apr 5 15:52:40 195.186.255.2:3635 -> y.y.y.y:80 SYN ******S*
> Apr 5 15:53:00 195.186.255.2:3638 -> y.y.y.y:80 SYN ******S*
> Apr 5 15:53:00 195.186.255.2:3641 -> y.y.y.y:80 SYN ******S*
>
> Thanks in advance
>
> Cheers Marcel
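Added example, not part of either message and not Snort's own code: a small Python triage of the portscan log format quoted above, reporting per source the destination ports outside the allowed set, the longest run of consecutive ports, repeated ports, and time-separated bursts. The function names, the 10-second burst gap and the year (taken from the message date, since the log lines carry none) are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Eight lines copied from the quoted log (y.y.y.y is the poster's own redaction).
SAMPLE = """\
> Apr 5 15:50:56 195.186.255.2:3595 -> y.y.y.y:45428 SYN ******S*
> Apr 5 15:50:57 195.186.255.2:3596 -> y.y.y.y:45429 SYN ******S*
> Apr 5 15:50:58 195.186.255.2:3597 -> y.y.y.y:45430 SYN ******S*
> Apr 5 15:51:41 195.186.255.2:3614 -> y.y.y.y:45440 SYN ******S*
> Apr 5 15:51:42 195.186.255.2:3615 -> y.y.y.y:45441 SYN ******S*
> Apr 5 15:52:08 195.186.255.2:3630 -> y.y.y.y:80 SYN ******S*
> Apr 5 15:52:08 195.186.255.2:3631 -> y.y.y.y:80 SYN ******S*
> Apr 5 15:52:40 195.186.255.2:3635 -> y.y.y.y:80 SYN ******S*
"""

LINE = re.compile(r"(\w{3}\s+\d+\s+[\d:]{8})\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+SYN\s+\S+$")

def parse(text, year=2002):
    """Yield (time, src, sport, dst, dport) tuples; non-matching lines are skipped."""
    for raw in text.splitlines():
        m = LINE.search(raw.strip())  # search() tolerates a leading "> " quote marker
        if m:
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            yield (ts, m[2], int(m[3]), m[4], int(m[5]))

def summarise(events, allowed=(25, 80), gap=10):
    """Per source: ports outside `allowed`, longest consecutive port run, repeats, bursts."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    report = {}
    for src, evs in by_src.items():
        evs.sort()  # chronological order
        ports = sorted({e[4] for e in evs})
        run = best = 1
        for a, b in zip(ports, ports[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        report[src] = {
            "unexpected_ports": [p for p in ports if p not in allowed],
            "longest_consecutive_run": best,
            "repeated_ports": {p: n for p, n in Counter(e[4] for e in evs).items() if n > 1},
            "bursts": 1 + sum((b[0] - a[0]).total_seconds() > gap for a, b in zip(evs, evs[1:])),
        }
    return report

if __name__ == "__main__":
    print(summarise(parse(SAMPLE)))
```
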
