Newbie port scan detector?
I found this in my port scan file. The only thing I am a little confused about is that both my IP and the other one start with 24.26. Is this probably someone on the same ISP, maybe? These are 2 of over one hundred entries I have gotten since last night. And why does the first entry have other_ip -> my_ip and the 2nd have my_ip -> other_ip? Is the second one saying that I rejected the attack, maybe? And could someone please explain the 3rd one, then? Thanks.
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
09/04-10:06:42.615353 24.26.49.244:4822 -> 24.26.*.*:80
TCP TTL:113 TOS:0x0 ID:3225 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xC63A9CF1 Ack: 0x3E31D3B2 Win: 0x4470 TcpLen: 20
[**] [1:1201:2] WEB-MISC 403 Forbidden [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/04-10:06:42.615703 24.26.*.*:80 -> 24.26.49.244:4822
TCP TTL:64 TOS:0x0 ID:55486 IpLen:20 DgmLen:511 DF
***AP*** Seq: 0x3E31D3B2 Ack: 0xC63A9D51 Win: 0x16D0 TcpLen: 20
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
09/04-22:19:56.182027 24.26.*.*:36225 -> 208.247.106.177:80
TCP TTL:64 TOS:0x0 ID:32434 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE615589 Ack: 0xF6CBFE70 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 8072204 7005709
Last edited by jstu; 09-04-2002 at 10:19 PM.
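Added example, not part of the original post: a Python sketch that parses the three alerts quoted above and uses their TCP Seq/Ack and length fields to work out which alert is the reply to which, and in which direction each packet travelled. The dictionary keys, `LOCAL` and the function names are this example's own choices.

```python
import re

# The three alerts copied from the post above; 24.26.*.* is the poster's masked address.
LOCAL = "24.26.*.*"
ALERTS = """\
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
09/04-10:06:42.615353 24.26.49.244:4822 -> 24.26.*.*:80
TCP TTL:113 TOS:0x0 ID:3225 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xC63A9CF1 Ack: 0x3E31D3B2 Win: 0x4470 TcpLen: 20
[**] [1:1201:2] WEB-MISC 403 Forbidden [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/04-10:06:42.615703 24.26.*.*:80 -> 24.26.49.244:4822
TCP TTL:64 TOS:0x0 ID:55486 IpLen:20 DgmLen:511 DF
***AP*** Seq: 0x3E31D3B2 Ack: 0xC63A9D51 Win: 0x16D0 TcpLen: 20
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
09/04-22:19:56.182027 24.26.*.*:36225 -> 208.247.106.177:80
TCP TTL:64 TOS:0x0 ID:32434 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE615589 Ack: 0xF6CBFE70 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 8072204 7005709
"""
HDR = re.compile(r"\[\*\*\] \[\d+:(\d+):\d+\] (.+?) \[\*\*\]")
FLOW = re.compile(r"\S+ (\S+):(\d+) -> (\S+):(\d+)")
LENS = re.compile(r"IpLen:(\d+) DgmLen:(\d+)")
TCP = re.compile(r"Seq: (0x[0-9A-F]+)\s+Ack: (0x[0-9A-F]+).*TcpLen: (\d+)")

def parse(text):  # Snort full-format alert text -> one dict per alert
    out = []
    for line in text.splitlines():
        if m := HDR.match(line):
            out.append({"sid": int(m[1]), "msg": m[2]})
        elif m := FLOW.match(line):
            out[-1].update(src=(m[1], m[2]), dst=(m[3], m[4]))
        elif m := LENS.search(line):
            out[-1].update(ip_len=int(m[1]), dgm_len=int(m[2]))
        elif m := TCP.search(line):  # payload = datagram - IP header - TCP header
            out[-1].update(seq=int(m[1], 16), ack=int(m[2], 16), payload=
                           out[-1]["dgm_len"] - out[-1]["ip_len"] - int(m[3]))
    return out

def direction(a):
    return "outbound" if a["src"][0] == LOCAL else "inbound"

def reply_pairs(alerts):
    # (i, j): alert j has reversed endpoints and continues alert i's Seq/Ack.
    return [(i, j) for i, q in enumerate(alerts) for j, r in enumerate(alerts)
            if (r["src"], r["dst"]) == (q["dst"], q["src"])
            and (r["seq"], r["ack"]) == (q["ack"], (q["seq"] + q["payload"]) % 2**32)]
```

On the posted alerts `reply_pairs(parse(ALERTS))` returns `[(0, 1)]`: the 403 Forbidden packet acknowledges exactly the 96 payload bytes of the first cmd.exe request, so it is the response sent from port 80 at the masked address to that request. `direction` reports the third alert as outbound, because the masked address is its source.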