-
December 5th, 2007, 03:17 PM
#1
Snort reported UDP scans
Anyone seen this type of activity?:
On 11/29, an internal workstation appeared to perform UDP portscans to 27 unique external IPs. All the external addresses examined were foreign (mostly Brazil and Argentina, but also included Columbia, Germany, Indonesia, China, et. al.). It appears to have scanned the same IP list twice, with a couple of the IPs only appearing once in each scan (possibly due to dropped traffic on the sensor). Scans took place at 17:56 and again at 18:10. It's unclear if there were any returns on the scans. I could find no other appearances of the inside or outside IPs setting off any other alerts in the data that I have. Most of the IP addresses I looked at appeared to be customer addys from ISPs.
On 12/3, the system's admin was contacted, who claimed to run a full-virus scan and found nothing.
On 12/4, the same system performed the same type of scan against 11 more systems. Again, all were foreign (Mostly Brazil, a couple German, and Venezuela) -- but not a single one was a duplicate from the first scan, nor were they even within the same networks.
Because of the kludgy portscan reporting of Snort, I cannot accurately tell which ports are being targeted. The sensor's been up/down over the last month (I was out of town) so there could have been more events...
Ideas? (My favorite answer so far is a worm...but none detected by Symantec -- assuming the admin *did* do a scan... ;0)
Similar Threads
-
By Egaladeist in forum Security News
Replies: 6
Last Post: October 23rd, 2005, 01:56 PM
-
By qod in forum The Security Tutorials Forum
Replies: 6
Last Post: February 27th, 2004, 03:03 AM
-
By qod in forum The Security Tutorials Forum
Replies: 3
Last Post: January 25th, 2004, 11:47 PM
-
By thehorse13 in forum The Security Tutorials Forum
Replies: 15
Last Post: January 6th, 2004, 10:07 PM
-
By vescovono in forum IDS & Scanner Discussions
Replies: 1
Last Post: April 17th, 2003, 10:50 PM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|