Security Basics mailing list archives

Re: Slow scan on high-ports?

From: phani () myrealbox com
Date: Wed, 30 Oct 2002 13:54:58 +0530

On Tue, Oct 29, 2002 at 09:39:19AM +0100, Rolf Jürrens wrote:
hi,

Hi everyone,

in our firewall-logs I see a slow scan  over our whole network  from one IP address on tcp ports >65300. The scan 
lasts now about 24 hours with only 50 packets. What is the purpose of such a scan? Since all ports are normally 
closed in these ranges, no one can expect to gather information about a network - am I right? Or are there any 
interesting ports in this range? By the way: the IP address appears in the dshield.org database as an attacker 
address.

The slow port scan could be to avoid an IDS catch hold of the attacker's address.The reason for the scan for these 
ports could be, may be the attacker is looking for some kind of trojan. I donot know much about what kind of trojan 
would be listening on these ports. But that is a possibility
HTH
phani

Current thread:

Slow scan on high-ports? Rolf Jürrens (Oct 29)
- Re: Slow scan on high-ports? phani (Oct 30)
- <Possible follow-ups>
- Re: Slow scan on high-ports? khayes (Oct 29)
- RE: Slow scan on high-ports? Wolf, Glenn (Oct 29)