
RE: [cobalt-security] UDP Scans



This is a small snip of the log. Does this help with the analysis?
The ***.**.** are the same address as my box. All the scans are UDP port 137
or 138.


Jul  6 14:35:28 ns1 portsentry[9824]: attackalert: UDP scan from host: ***.**.**.144/***.**.**.144 to UDP port: 137
Jul  6 14:35:28 ns1 portsentry[9824]: attackalert: Host: ***.**.**.144/***.**.**.144 is already blocked Ignoring
Jul  6 14:35:32 ns1 portsentry[9824]: attackalert: UDP scan from host: ***.**.**.144/***.**.**.144 to UDP port: 137
Jul  6 14:35:32 ns1 portsentry[9824]: attackalert: Host: ***.**.**.144/***.**.**.144 is already blocked Ignoring
Jul  6 14:35:32 ns1 portsentry[9824]: attackalert: UDP scan from host: ***.**.**.144/***.**.**.144 to UDP port: 137
Jul  6 14:35:32 ns1 portsentry[9824]: attackalert: Host: ***.**.**.144/***.**.**.144 is already blocked Ignoring
Jul  6 14:35:32 ns1 portsentry[9824]: attackalert: UDP scan from host: ***.**.**.144/***.**.**.144 to UDP port: 137
Jul  6 14:35:32 ns1 portsentry[9824]: attackalert: Host: ***.**.**.144/***.**.**.144 is already blocked Ignoring
Jul  6 14:35:32 ns1 portsentry[9824]: attackalert: UDP scan from host: ***.**.**.144/***.**.**.144 to UDP port: 137
Jul  6 14:35:32 ns1 portsentry[9824]: attackalert: Host: ***.**.**.144/***.**.**.144 is already blocked Ignoring
Jul  6 14:35:33 ns1 portsentry[9824]: attackalert: UDP scan from host: ***.**.**.144/***.**.**.144 to UDP port: 137
Jul  6 14:35:33 ns1 portsentry[9824]: attackalert: Host: ***.**.**.144/***.**.**.144 is already blocked Ignoring
Jul  6 14:35:33 ns1 portsentry[9824]: attackalert: UDP scan from host: ***.**.**.144/***.**.**.144 to UDP port: 137
Jul  6 14:35:33 ns1 portsentry[9824]: attackalert: Host: ***.**.**.144/***.**.**.144 is already blocked Ignoring
Jul  6 14:35:36 ns1 portsentry[9824]: attackalert: UDP scan from host: ***.**.**.28/***.**.**.28 to UDP port: 137
Jul  6 14:35:36 ns1 portsentry[9824]: attackalert: Host: ***.**.**.28/***.**.**.28 is already blocked Ignoring
Jul  6 14:35:51 ns1 portsentry[9824]: attackalert: UDP scan from host: ***.**.**.60/***.**.**.60 to UDP port: 138
Jul  6 14:35:51 ns1 portsentry[9824]: attackalert: Host: ***.**.**.60/***.**.**.60 is already blocked Ignoring
Jul  6 14:36:03 ns1 portsentry[9824]: attackalert: UDP scan from host: ***.**.**.93/***.**.**.93 to UDP port: 137

Simon


-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of shimi
Sent: 06 July 2001 12:25
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] UDP Scans



On Fri, 6 Jul 2001, Simon Wilson wrote:

> Hi
> I know I asked this the other day but I've still no answer here or from
> any other source.
> When I switch on Portsentry it reports 100s of scans on UDP from what I
> assume are all the other boxes on the farm my box is on, i.e.:
>
> 222.222.222.30
> 222.222.222.45
> 222.222.222.199
> 222.222.222.169
> 222.222.222.178
> 222.222.222.100
>
> In other words they have the same IP address as me except the last number.
> They go on scanning, and portsentry goes on banning them all. On and on and
> on until the log files are enormous.
> What is going on? Is this normal or have I set it up wrong?
> The TCP part of portsentry seems to work OK, picking up scans on 111 from
> Korea etc., but the UDP one just goes nuts... 100s of repeated attempts all
> from similar addresses.
>
> Any ideas?
>
> Thanks
> Simon
>

To and from what ports? (source and destination)

- shimi.

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
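As an added example (not part of the thread above, and not portsentry's own code), a small Python script that parses portsentry "attackalert" lines of the shape Simon posted and summarises them per source host: how many scan alerts, which protocol/port they hit, how many "already blocked Ignoring" repeats, and whether the source sits in the same /24 as the monitored box. The sample log is constructed with TEST-NET addresses because the real ones in the thread are masked; the /24 assumption stands in for "same address except the last number".

```python
import ipaddress
import re
from collections import defaultdict

# The two portsentry "attackalert" message shapes seen in the thread's log.
SCAN_RE = re.compile(
    r"attackalert: (?P<proto>TCP|UDP) scan from host: \S+/(?P<ip>\S+) "
    r"to (?P=proto) port: (?P<port>\d+)$"
)
BLOCKED_RE = re.compile(r"attackalert: Host: \S+/(?P<ip>\S+) is already blocked Ignoring$")

# Constructed sample (TEST-NET-1/2 addresses), laid out like Simon's snippet;
# UDP 137/138 are the NetBIOS name and datagram services.
SAMPLE_LOG = """\
Jul  6 14:35:28 ns1 portsentry[9824]: attackalert: UDP scan from host: 192.0.2.144/192.0.2.144 to UDP port: 137
Jul  6 14:35:28 ns1 portsentry[9824]: attackalert: Host: 192.0.2.144/192.0.2.144 is already blocked Ignoring
Jul  6 14:35:32 ns1 portsentry[9824]: attackalert: UDP scan from host: 192.0.2.144/192.0.2.144 to UDP port: 137
Jul  6 14:35:32 ns1 portsentry[9824]: attackalert: Host: 192.0.2.144/192.0.2.144 is already blocked Ignoring
Jul  6 14:35:51 ns1 portsentry[9824]: attackalert: UDP scan from host: 192.0.2.60/192.0.2.60 to UDP port: 138
Jul  6 14:36:03 ns1 portsentry[9824]: attackalert: UDP scan from host: 192.0.2.93/192.0.2.93 to UDP port: 137
Jul  6 14:36:10 ns1 portsentry[9824]: attackalert: TCP scan from host: 198.51.100.7/198.51.100.7 to TCP port: 111
"""

def parse_line(line):
    """Classify one syslog line: ('scan', ip, proto, port), ('blocked', ip) or None."""
    line = line.rstrip()
    m = SCAN_RE.search(line)
    if m:
        return ("scan", m["ip"], m["proto"], int(m["port"]))
    m = BLOCKED_RE.search(line)
    if m:
        return ("blocked", m["ip"])
    return None

def summarise(log_text, my_ip, prefix=24):
    """Per source IP: alert count, (proto, port) set, repeat-block count, and whether
    the source is a neighbour inside my own /prefix (the farm Simon describes)."""
    mine = ipaddress.ip_network(f"{my_ip}/{prefix}", strict=False)
    stats = defaultdict(lambda: {"scans": 0, "ports": set(), "blocked_repeats": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a portsentry alert line
        if rec[0] == "scan":
            stats[rec[1]]["scans"] += 1
            stats[rec[1]]["ports"].add((rec[2], rec[3]))
        else:
            stats[rec[1]]["blocked_repeats"] += 1
    for ip, s in stats.items():
        s["neighbour"] = ipaddress.ip_address(ip) in mine
    return dict(stats)
```

Run over a real portsentry log with your own box's address as `my_ip`, the summary answers shimi's question about destination ports per source and separates same-subnet repeat alerts from genuinely external scans.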