Firewall Wizards mailing list archives

Re: UDP 22 & 5632


From: spiff <spiff () bway net>
Date: Tue, 11 Apr 2000 00:06:12 -0400 (EDT)

port 22 is ssh
port 5632 is PCAnywhere 

if it's not a scan, most likely it is a misconfiguration.

if it is a scan in preparation for an attack, a likely scenario based on
that pattern is to break-in using pc-anyone and give myself a login and
then use ssh to have an encrypted session for further hi-jinx.

I'd blackhole them. then mail their admin. tell him to fix it asap.

On Wed, 5 Apr 2000, Aaron Turner wrote:


I'm seeing a reoccurring pattern where a system will sequentially scan a
network over and over and over (sometimes for hours) trying to connect to
UDP 22 & 5632.  The source port is pretty static, always near (but higher
than) 1024.

Anyone with an idea of what this is?  It seems to be running on a Windows
(most likely NT since the IP is in a co-lo) system.

-- 
Aaron Turner        aturner () vicinity com  650.237.0300 x252
Security Engineer                         Vicinity Corp.        
Cell: 408-314-9874                        http://www.vicinity.com
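
The pattern described in the original question (one source walking a network sequentially, probing UDP 22 and 5632 from a near-static source port just above 1024) can be matched in firewall logs. The following is an added example, not part of either post; the log format, the thresholds and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

WATCHED = {22, 5632}  # the UDP destination ports named in the thread

def build_sample():
    """Constructed log, assumed format: 'time proto src:sport dst:dport'."""
    lines = []
    for i in range(1, 7):          # one source walks 192.0.2.1 .. 192.0.2.6
        for dport in (22, 5632):
            lines.append(f"2000-04-05T10:00:{i:02d} UDP "
                         f"198.51.100.7:{1026 + i % 3} 192.0.2.{i}:{dport}")
    lines.append("2000-04-05T10:01:00 UDP 203.0.113.9:53211 192.0.2.4:5632")
    lines.append("2000-04-05T10:01:05 TCP 203.0.113.20:40000 192.0.2.2:22")
    return "\n".join(lines)

def find_sweepers(log_text, min_hosts=4, max_sport_spread=16):
    """Return sources that probe both watched UDP ports across many hosts,
    in ascending address order, from a near-static source port above 1024."""
    seen = defaultdict(lambda: {"dsts": [], "dports": set(), "sports": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, proto, src, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        if proto.upper() != "UDP" or int(dport) not in WATCHED:
            continue
        rec = seen[sip]
        rec["dports"].add(int(dport))
        rec["sports"].add(int(sport))
        addr = ipaddress.ip_address(dip)
        if addr not in rec["dsts"]:    # repeat passes do not add new hosts
            rec["dsts"].append(addr)
    hits = {}
    for sip, rec in seen.items():
        dsts = rec["dsts"]
        steps = [int(b) - int(a) for a, b in zip(dsts, dsts[1:])]
        sequential = bool(steps) and sum(s == 1 for s in steps) >= 0.8 * len(steps)
        lo, hi = min(rec["sports"]), max(rec["sports"])
        if (rec["dports"] == WATCHED and len(dsts) >= min_hosts and sequential
                and lo > 1024 and hi - lo <= max_sport_spread):
            hits[sip] = {"hosts": len(dsts), "sport_range": (lo, hi)}
    return hits

if __name__ == "__main__":
    for src, info in find_sweepers(build_sample()).items():
        print(src, info)
```
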




