Security Incidents mailing list archives

Re: scans on ports 3072 and 1024, why?


From: Sean Brown <srbrown () APPGEO COM>
Date: Thu, 28 Dec 2000 19:59:21 -0500

I've been seeing similar traffic on my site.  Source ports are always
6667.  Source host is dalnet.away.net.  Destination hosts appear random
throughout my net.  Destination ports also appear to be random and never
the same port twice.  These are single TCP RST packets arriving at
random intervals.  I began seeing the traffic last week.  I can supply a
packet capture if anyone is interested.

Conor McGrath wrote:

We've been seeing lots of scans of ip's in our address space with the
destination ports of 1024 and 3072.  They are always paired like that,
although they don't hit the same ip on both ports, as far as I can tell.
The source ports are most often typical irc server ports (6667 and 6668)
but sometimes they sourced from ports 80 and 7325.

It's not IRC traffic, as IRC servers aren't supposed to be sending packets
to 6400 different ip's in one class B range without having 6400 different
clients connect first.  Also, often it is only one packet being sent.

Now, a number of the suspect machines are Dalnet servers, but there is also
a Microsoft web server and a few other random hosts that are not, as far
as I can tell, running any kind of irc service.

If someone really would like them I could provide sanitized netflow logs,
but it's a lot of data so I won't post any of it without someone asking.

As I look back at the flow summaries from months ago (we don't keep the
actual logs themselves around for very long) I can see that this started
very subtly on the 30th or 31st of July.  Since the 24th of December the
intensity has picked up quite a bit.  In the last five days we have been
scanned by more than a dozen different hosts.  Since July I would
guesstimate that number to be at least three times that many.

So, any ideas?

--

Conor McGrath                                   Phone: (773)702-7611
Network Security Officer                        Fax:   (773)702-0559
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml

--
~~~~~~~~~~~~~~~
Sean R. Brown - srbrown () appgeo com
System Administrator   Applied Geographics, Inc.   Boston, MA
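A defender-side check for the pattern both posts describe (single inbound TCP RSTs from IRC-server ports to hosts that never opened a session), added here as an example and not code from either poster. It assumes a monitored range of 10.0.0.0/16 and uses constructed per-packet records in place of real netflow output.

```python
"""Flag unsolicited inbound TCP RSTs like those reported in the thread."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/16")  # assumed: the monitored class B

# Constructed sample, in time order: src, sport, dst, dport, TCP flags.
SAMPLE = [
    ("10.0.5.20", 40001, "192.0.2.10", 6667, "S"),   # our client opened IRC
    ("192.0.2.10", 6667, "10.0.5.20", 40001, "SA"),
    ("192.0.2.10", 6667, "10.0.5.20", 40001, "R"),   # RST on a real session
    ("192.0.2.10", 6667, "10.0.77.3", 1024, "R"),    # unsolicited
    ("192.0.2.10", 6667, "10.0.201.9", 3072, "R"),   # unsolicited
    ("198.51.100.7", 80, "10.0.13.44", 1024, "R"),   # unsolicited, sport 80
    ("198.51.100.7", 7325, "10.0.88.1", 3072, "R"),  # unsolicited, sport 7325
]


def unsolicited_rsts(records, local_net=LOCAL_NET):
    """Return inbound RST-only packets with no earlier outbound SYN from us.

    Records are walked in order: an outbound SYN registers the 4-tuple, and a
    later inbound RST is only accepted if it matches a registered tuple.
    """
    opened = set()
    hits = []
    for src, sport, dst, dport, flags in records:
        if ip_address(src) in local_net and flags == "S":
            opened.add((src, sport, dst, dport))
        elif ip_address(dst) in local_net and flags == "R":
            if (dst, dport, src, sport) not in opened:
                hits.append((src, sport, dst, dport))
    return hits


def summarize(hits):
    """Per remote host: distinct targets, destination ports and source ports."""
    by_host = defaultdict(lambda: {"targets": set(), "dports": set(), "sports": set()})
    for src, sport, dst, dport in hits:
        by_host[src]["targets"].add(dst)
        by_host[src]["dports"].add(dport)
        by_host[src]["sports"].add(sport)
    # Sorted lists make the summary stable for reporting and comparison.
    return {h: {k: sorted(v) for k, v in d.items()} for h, d in by_host.items()}


if __name__ == "__main__":
    for host, info in summarize(unsolicited_rsts(SAMPLE)).items():
        print(host, info)
```

A host that shows many distinct targets with destination ports limited to 1024 and 3072 is the signature Conor describes; the RST on the genuine IRC session is correctly left out.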

