Security Incidents mailing list archives
Re: scan on TCP/21536
From: Grzegorz Janoszka <grzesjan () ONET PL>
Date: Tue, 26 Dec 2000 21:44:07 +0100
On Sat, 23 Dec 2000, Rude Yak wrote:
Someone posted about scans from TCP 18245 to TCP 21536 recently, and received replies that the scan was an unidentified tool, with the source mostly coming from Poland. I've been seeing a rash of these scans lately, except they are accompanied simultaneously with scans for Firewall-1 services (TCP 256, 259) and coming from a US-based ISP. Thought I'd add a bit of fuel to the fire...
We've posted some information about 18245/21536 recently, but you probably missed it. TCP packets coming from 18245 to 21536 are not scans, but corrupted packets. They are TCP packets WITHOUT a TCP header; there is an IP header and the TCP data immediately after it. The string "GET " in the TCP data, placed in the place of the TCP header, means a connection from port 18245 to 21536. Polish Telecom (tpnet.pl) has a corrupted access-server which produces such packets.
--
Grzegorz Janoszka, Onet.PL S.A. NA
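The port numbers described in the message above can be reproduced by decoding an IPv4 packet whose HTTP request sits directly after the IP header. This is an added example, not part of the original message; the addresses, the sample request and the printable-ASCII heuristic in `looks_headerless` are assumptions made for illustration, and the heuristic goes beyond the "GET " case to any text payload.

```python
import socket
import struct

def ipv4_packet(src, dst, after_ip_header):
    """Build a minimal 20-byte IPv4 header (protocol 6 = TCP) followed by the
    given bytes. The IP checksum is left at 0; it is irrelevant to the demo."""
    total_len = 20 + len(after_ip_header)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + after_ip_header

def decode_ports(packet):
    """Read source/destination port the way a sniffer or IDS would:
    the first four bytes after the IP header, as two big-endian 16-bit values."""
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!HH", packet[ihl:ihl + 4])

def looks_headerless(packet):
    """Heuristic (assumption of this example): a real TCP header carries binary
    sequence numbers, offsets and flags, so 20 'header' bytes that are all
    printable ASCII or CR/LF suggest application data where the header should be."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:ihl + 20]
    return len(tcp) == 20 and all(0x20 <= b < 0x7F or b in (0x0D, 0x0A) for b in tcp)

# Constructed samples; both addresses are from documentation ranges.
# CORRUPTED: HTTP request data immediately after the IP header, no TCP header.
CORRUPTED = ipv4_packet("192.0.2.1", "198.51.100.7",
                        b"GET /index.html HTTP/1.0\r\n\r\n")
# GENUINE_SYN: a well-formed TCP header that really uses ports 18245 -> 21536.
GENUINE_SYN = ipv4_packet("192.0.2.1", "198.51.100.7",
                          struct.pack("!HHIIBBHHH", 18245, 21536, 0x9E3779B9, 0,
                                      0x50, 0x02, 8192, 0, 0))

if __name__ == "__main__":
    # "GE" is 0x4745 = 18245 and "T " is 0x5420 = 21536.
    for name, pkt in (("corrupted", CORRUPTED), ("genuine SYN", GENUINE_SYN)):
        print(name, decode_ports(pkt), "headerless:", looks_headerless(pkt))
```

Both samples decode to the same port pair, so the ports alone do not separate the two cases; the content of the remaining header bytes does.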