Security Basics mailing list archives

Re: Slow scan on high-ports?


From: khayes () eastbay com
Date: Tue, 29 Oct 2002 12:03:05 -0800



Often the folks in the Warez scene will hack into a machine and
install a hidden FTP server set to run on these higher port numbers.  The
idea being that they are safe because so few applications/services actually
use these ports that the network/systems admins won't think to look there.

Ken Hayes
Network Administrator
Eastbay / Footlocker.com
Wausau, WI Offices
(715) 261-9573
khayes () eastbay com



From:    Rolf Jürrens <security@rolf-juerrens.de>
Sent by: <rjuerrens () web de>
Date:    10/29/2002 12:39 AM
To:      security-basics () securityfocus com
Subject: Slow scan on high-ports?




Hi everyone,

in our firewall-logs I see a slow scan over our whole network from one IP
address on tcp ports >65300. The scan has now lasted about 24 hours with only 50
packets. What is the purpose of such a scan? Since all ports are normally
closed in these ranges, no one can expect to gather information about a
network - am I right? Or are there any interesting ports in this range? By
the way: the IP address appears in the dshield.org database as an attacker
address.

Greetings

Rolf









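Added example, not part of the original thread: a scan of roughly 50 packets in 24 hours stays under any per-minute rate threshold, so this sketch aggregates denied packets per source over a long sliding window and flags sources that touch many distinct hosts on ports above 65300. The log format, addresses, function name and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO time> DENY TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\S+) DENY TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
2002-10-28T00:39:12 DENY TCP 203.0.113.7:41022 -> 192.0.2.1:65301
2002-10-28T04:51:40 DENY TCP 203.0.113.7:41090 -> 192.0.2.2:65310
2002-10-28T05:00:00 DENY TCP 198.51.100.9:5050 -> 192.0.2.10:65400
2002-10-28T05:00:03 DENY TCP 198.51.100.9:5050 -> 192.0.2.10:65400
2002-10-28T09:12:05 DENY TCP 203.0.113.7:41133 -> 192.0.2.3:65322
2002-10-28T13:30:47 DENY TCP 203.0.113.7:41201 -> 192.0.2.4:65333
2002-10-28T14:02:10 DENY TCP 192.0.2.200:3000 -> 192.0.2.5:80
2002-10-28T18:44:29 DENY TCP 203.0.113.7:41277 -> 192.0.2.5:65400
2002-10-28T23:58:01 DENY TCP 203.0.113.7:41350 -> 192.0.2.6:65501
""".splitlines()

def find_slow_high_port_scans(lines, port_floor=65300, min_hosts=5,
                              window=timedelta(hours=24)):
    """Return {src: summary} for sources that probe at least min_hosts
    distinct destinations on ports above port_floor inside one window."""
    events = defaultdict(list)  # src -> [(time, dst)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        ts, src, dst, dport = m.groups()
        if int(dport) > port_floor:
            events[src].append((datetime.fromisoformat(ts), dst))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):
            # Slide the left edge so the window never exceeds `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            hosts = {dst for _, dst in chunk}
            if best is None or len(hosts) > len(best["hosts"]):
                best = {"hosts": hosts, "packets": len(chunk),
                        "first": chunk[0][0], "last": chunk[-1][0]}
        if best and len(best["hosts"]) >= min_hosts:
            findings[src] = best
    return findings
```

Running the same data with a 4-hour window returns nothing, which is why this kind of scan is only visible when logs are correlated over a day or more.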