Security Basics mailing list archives
Re: Slow scan on high-ports?
From: phani () myrealbox com
Date: Wed, 30 Oct 2002 13:54:58 +0530
On Tue, Oct 29, 2002 at 09:39:19AM +0100, Rolf Jürrens wrote: hi,
Hi everyone, in our firewall-logs I see a slow scan over our whole network from one IP address on tcp ports >65300. The scan lasts now about 24 hours with only 50 packets. What is the purpose of such a scan? Since all ports are normally closed in these ranges, no one can expect to gather information about a network - am I right? Or are there any interesting ports in this range? By the way: the IP address appears in the dshield.org database as an attacker address.
The slow port scan could be to avoid an IDS catch hold of the attacker's address.The reason for the scan for these ports could be, may be the attacker is looking for some kind of trojan. I donot know much about what kind of trojan would be listening on these ports. But that is a possibility HTH phani
Current thread:
- Slow scan on high-ports? Rolf Jürrens (Oct 29)
- Re: Slow scan on high-ports? phani (Oct 30)
- <Possible follow-ups>
- Re: Slow scan on high-ports? khayes (Oct 29)
- RE: Slow scan on high-ports? Wolf, Glenn (Oct 29)