Question3
Question N3
What types of reconnaissance activity do you notice?
What do you think they were looking for?
What are some of the notorious sources of such activity in the files?


Scans Noticed
Proxy scan 220.170.88.7
Scan for FTP server 80.116.93.36 - and server requesting identd
DstPort25 - scan for open relay
DstPort2 - maybe hping?
DstPort5 - 217.219.118.194 - 5 packets to port 5 from Iran
DstPort18 - a few packets (one to port 22 and some more to port 18) are observed on DailyFeb8, DailyFeb9 and DailyFeb17 from 3 hosts in the same network 81.196.129.x
DstPort6129 - W32.mockbot.a.worm (and Pre-Worm scans)
200.203.174.x - Scan for Web servers from Brazil



Notorious Sources Of Traffic
Microsoft
Netcraft
Google
Samspade

BESA: Daniele, why have you put Samspade as "Notorious Sources"?
I think that Samspade doesn't generate traffic.
M@xc3r3: You can traceroute from samspade website.
Dani@NL: No, in fact there is NO traffic from it - but as Max says it COULD generate it. There is no traffic just as there isn't for Google and there isn't for Netcraft. I just TRIED to see if it was there, instead... it could have been.



Other References
Trends - Question1
Malware Scans - Question2
Port Scans - Question4
Top Attacked Ports - Top7Ports
Anomalous traffic - Question6
Timeline