Security Incidents mailing list archives

Re: scan on TCP/21536


From: Jean-Francois Zwobada <zwobada () FLUXUS NET>
Date: Tue, 26 Dec 2000 19:03:08 +0100

Hello all,

We've seen that quite a lot these days. It seems to be related to some
malfunctioning network device. I'm in touch with a network admin working
for a French ISP and they were looking at some devices (Proxies & other
Network Access servers).

If you concatenate the source and dest ports and convert to ASCII you'll
obtain a "GET " or other things with SSL connections. As if the TCP headers
were overwritten with the data by some caching device or anything like this.

Cheers

JF

At 11:36 23/12/00 -0800, Rude Yak wrote:
  Someone posted about scans from TCP 18245 to TCP 21536 recently, and received
replies that the scan was an unidentified tool, with the source mostly coming
from Poland.  I've been seeing a rash of these scans lately, except they are
accompanied simultaneously with scans for Firewall-1 services (TCP 256, 259)
and coming from a US-based ISP.  Thought I'd add a bit of fuel to the fire...




Jean-Francois Zwobada
Cellule Securite - Fluxus
Phone : +33.1.70.95.10.10 - Fax : +33.1.70.95.10.00
37, rue du Colonel Pierre Avia - 75015 PARIS
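
The port arithmetic described in the message above, as an added example that is not part of the original post: it packs each source/destination port pair into the four bytes they occupy at the start of a TCP header and checks whether those bytes look like application data. The HTTP prefix list, the SSL/TLS record check and the sample events (documentation addresses) are assumptions constructed for this illustration.

```python
import struct

# Assumption: first four bytes of common plaintext HTTP traffic.
HTTP_PREFIXES = {
    b"GET ": "HTTP GET",
    b"POST": "HTTP POST",
    b"HEAD": "HTTP HEAD",
    b"HTTP": "HTTP response",
}

def ports_to_bytes(sport, dport):
    """Source and destination port as they sit on the wire (big-endian)."""
    return struct.pack("!HH", sport, dport)

def classify(sport, dport):
    """Return a label if the port pair reads as payload data, else None."""
    raw = ports_to_bytes(sport, dport)
    if raw in HTTP_PREFIXES:
        return HTTP_PREFIXES[raw]
    # Assumption: SSLv3/TLS record header = content type 0x14-0x17,
    # major version 3, small minor version, then the length high byte.
    if 0x14 <= raw[0] <= 0x17 and raw[1] == 3 and raw[2] <= 3:
        return "SSL/TLS record header"
    if all(0x20 <= b < 0x7F for b in raw):
        return "printable ASCII: %r" % raw.decode("ascii")
    return None

def triage(events):
    """Keep only events whose ports look like overwritten header bytes."""
    flagged = []
    for src, sport, dport in events:
        label = classify(sport, dport)
        if label:
            flagged.append((src, sport, dport, label))
    return flagged

# Constructed firewall-log sample: (source IP, source port, dest port).
SAMPLE_EVENTS = [
    ("192.0.2.10", 18245, 21536),   # the pair from this thread
    ("192.0.2.11", 20559, 21332),
    ("192.0.2.12", 5891, 258),
    ("192.0.2.13", 40312, 80),      # ordinary web connection
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```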

