[Snort-sigs] Scan on tcp 13000

Michael Scheidell scheidell at ...249...
Mon Feb 17 18:55:04 EST 2003


> 
> Has anyone else seen any tcp scans with both source and destination ports of
> 13000, SYN flag set, and a sequence ID of 674711609? My sensors are catching
> it as a Shaft synflood because of the sequence ID, but the traffic pattern
> is more like a sweep - single source, 1 packet each to 119 sequential
> destinations. No other traffic from this source, I can't find any info on
> tcp 13000. I'm ready to write it off as a very strange (and singularly
> unproductive) tcp ping sweep, but thought I should check with the
> community-at-large first....

Yep, coming out of columbia.edu.
Called them and sent logs earlier today
(Symantec: take note.. we saw it first)

See:
http://www.mynetwatchman.com/LID.asp?IID=22029380
Funny thing, on the security section of their web site they mention that
they had their web site defaced and users redirected towards a porn site
yesterday.
I called them up, thinking that they might have staff on duty.. nope,
nothing, all phone lines, help desk, security phones have 'thank you for
calling when we are all home', press 0 for operator, nothing.

What source ip addresses are you seeing?

-- 
Michael Scheidell, CEO
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security?
http://www.secnap.net/employment/
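
Added example, not part of the original thread or written by either poster: a small triage script for the question raised above, separating a sweep (one source, one SYN each to many sequential hosts) from a flood among packets that trip the fixed-sequence-number signature. The packet record layout, the thresholds and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

SHAFT_SEQ = 674711609   # sequence number quoted in the post
PORT = 13000            # source and destination port quoted in the post

def matches(pkt):
    """True for a SYN-only packet with the fixed seq and 13000 -> 13000."""
    return (pkt["flags"] == "S" and pkt["seq"] == SHAFT_SEQ
            and pkt["sport"] == PORT and pkt["dport"] == PORT)

def triage(packets, min_hosts=20, max_per_host=2):
    """Label each source 'sweep', 'flood' or 'unclear' (thresholds are assumptions)."""
    per_src = defaultdict(lambda: defaultdict(int))
    for pkt in filter(matches, packets):
        per_src[pkt["src"]][pkt["dst"]] += 1
    verdicts = {}
    for src, dsts in per_src.items():
        addrs = sorted(int(ipaddress.ip_address(d)) for d in dsts)
        # Sequential means the distinct targets form one gap-free address run.
        sequential = addrs[-1] - addrs[0] == len(addrs) - 1
        heaviest = max(dsts.values())
        if len(dsts) >= min_hosts and heaviest <= max_per_host:
            label = "sweep"      # many hosts, almost no repeats per host
        elif len(dsts) < min_hosts and heaviest > max_per_host:
            label = "flood"      # few hosts, many repeats per host
        else:
            label = "unclear"
        verdicts[src] = {"label": label, "hosts": len(dsts),
                         "packets": sum(dsts.values()), "sequential": sequential}
    return verdicts

def syn(src, dst, seq=SHAFT_SEQ, sport=PORT, dport=PORT):
    """Build one constructed packet record (hypothetical layout)."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": "S", "seq": seq}

# Constructed sample (documentation address ranges, not data from the thread):
# one source sending 1 SYN to each of 119 sequential hosts, a second source
# hammering a single host, and an unrelated SYN that must be ignored.
SAMPLE = ([syn("192.0.2.10", f"198.51.100.{i}") for i in range(1, 120)]
          + [syn("192.0.2.99", "198.51.100.5") for _ in range(500)]
          + [syn("192.0.2.50", "198.51.100.7", seq=12345, sport=40000, dport=80)])

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE).items():
        print(src, verdict)
```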



