[Snort-users] 17203 portscan alerts in 23 hours from same IP

Jon Quiros sysadmin at ...6132...
Wed Jul 10 14:07:02 EDT 2002


Thanks for the reply.  It started up again at 2:30 and continues, now scanning lower ports (i've got about 19,000 events now). 
The user of this computer has been away from her desk since about 11am this morning so I'm really doubting it's her end that's triggering it.  No adware, no open web browser.

here's another snippet of the portscan log:
==
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1544 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1545 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1484 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1485 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1493 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1489 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1498 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1504 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1502 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1514 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1507 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1517 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1523 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1524 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1527 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1526 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1531 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1530 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1532 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1533 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1538 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1539 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1544 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1540 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1545 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1485 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1484 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1489 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1493 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1498 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1502 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1504 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1507 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1514 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1517 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1523 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1524 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1527 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1526 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1531 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1530 INVALIDACK ***A*R*F 
===
 
Jon Quirós
Network/Systems Administrator
National Center for Education in Maternal and Child Health
Georgetown University
2000 15th St N, Suite 701
Arlington, Va 22201
Ph:  (703)524-7802
Fax: (703)524-9335


On Wednesday, July 10, 2002 4:37 PM, Matt Kettler <mkettler at ...4108...> wrote:
>Perhaps the citibank webpage has a gif-image which reloads at regular 
>intervals? In that case all she'd need to do is leave the browser open, and 
>those kinds of reloading images are pretty common.
>
>It strikes me as highly absurd to consider reset/fin packets coming from 
>port 80 on a valid webserver to be a portscan of any sort. Sure webservers 
>get knocked over and used to attack others sometimes, but very rarely do 
>those scans originate from port 80 (since they'd have to shut the webserver 
>down) and rarely do they consist of ARF ("close connection and stop talking 
>to me, don't even acknowledge the close") type packets at regular intervals 
>to normal client ports. ARF isn't exactly a very useful combination of 
>flags for portscanning AFAIK.
>
>
>I think the appropriate question to ask here is "why was my user's machine 
>trying to contact citibank's website so frequently" rather than "why was 
>citibank scanning me", and I think the answer is that someone had a couple 
>of pages with self-refreshing images open and left the browser
>running.
>
>
>At 02:54 PM 7/10/2002 -0400, Jon Quiros wrote:
>>someone that replied off-list wrote this:
>>
>>"Looks to me like your source and dest IPs are showing up backwards. It is 
>>not a scan, but merely the random source port 1024 incrementing with each 
>>connection. Your end user must be doing a lot of on-line banking with 
>>Citibank I would say."
>>
>>This would make perfect sense to me, except i can't envision her staying 
>>over night doing online banking stuff, or any program running in the 
>>bkgrnd following the same pattern over and over again
>>
>>Jon Q
>
>
>
>-------------------------------------------------------
>This sf.net email is sponsored by:ThinkGeek
>Two, two, TWO treats in one.
>http://thinkgeek.com/sf
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>






More information about the Snort-users mailing list