Security Incidents mailing list archives

Re: scans on ports 3072 and 1024, why?


From: Ulrich Eckhardt <Ulrich.Eckhardt () TRANSCOM DE>
Date: Fri, 29 Dec 2000 09:10:17 +0100

Conor McGrath wrote:

We've been seeing lots of scans of IPs in our address space with the
destination ports of 1024 and 3072.  They are always paired like that,
although they don't hit the same IP on both ports, as far as I can tell.
The source ports are most often typical IRC server ports (6667 and 6668),
but sometimes they are sourced from ports 80 and 7325.

It's not IRC traffic, as IRC servers aren't supposed to be sending packets
to 6400 different IPs in one class B range without having 6400 different
clients connect first.  Also, often it is only one packet being sent.

Now, a number of the suspect machines are Dalnet servers, but there is also
a Microsoft web server and a few other random hosts that are not, as far
as I can tell, running any kind of IRC service.

Hi,

I can see the same here. Mostly these scans seem to come from
IRC servers. The Dalnet servers also scan other ports like 3072 and
1024, and always only with the RST flag (193.103.163. is our network and
most of these hosts do not exist):

06:27:22 TCP  dalnet.away.net  -> 193.103.163.11    6667  2075          RST
02:13:47 TCP  dalnet.away.net  -> 193.103.163.92    6667  20391         RST

The same scan but with a different source port:
00:02:26 TCP  irc.east.gblx.net  -> 193.103.163.114  40300  17122       RST
01:12:48 TCP  ircd.west.gblx.net -> 193.103.163.24   40003  21849       RST
23:39:32 TCP  irc.east.gblx.net  -> 193.103.163.18   23500  16520       RST

And here is one which seems to match your findings, but note also the TCP
flags:
10:48:07 TCP irc2.erols.com -> 193.103.163.6  6667       1024  SYN ACK
10:48:07 TCP irc2.erols.com -> 193.103.163.6  6667       1024  ACK RST
10:49:16 TCP irc2.erols.com -> 193.103.163.90 6667       1024  SYN ACK
10:49:16 TCP irc2.erols.com -> 193.103.163.90 6667       1024  ACK RST
10:59:03 TCP irc2.erols.com -> 193.103.163.81 6667       3072  SYN ACK
10:59:03 TCP irc2.erols.com -> 193.103.163.81 6667       3072  ACK RST

Uli
--
Ulrich Eckhardt                         Tr@nscom
http://www.uli-eckhardt.de              http://www.transcom.de
                                        Lagerstraße 11-15 A8
                                        64807 Dieburg Germany
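A small triage helper added here as an illustration (not code from either poster): it parses log lines in the format quoted in this thread, counts per source host the packets whose flags only a responding side would send (SYN/ACK, RST, ACK/RST), counts packets aimed at addresses not in a constructed LIVE_HOSTS set, and pairs each SYN/ACK with the ACK/RST that follows on the same 4-tuple in the same second. The sample log lines and the live-host set are constructed from values in the thread.

```python
import re
from collections import defaultdict

# Inbound packet log in the thread's format (time, proto, source host, dst IP,
# source port, dst port, TCP flags); constructed here from the thread's values.
SAMPLE_LOG = """\
06:27:22 TCP  dalnet.away.net  -> 193.103.163.11    6667  2075          RST
00:02:26 TCP  irc.east.gblx.net  -> 193.103.163.114  40300  17122       RST
10:48:07 TCP irc2.erols.com -> 193.103.163.6  6667       1024  SYN ACK
10:48:07 TCP irc2.erols.com -> 193.103.163.6  6667       1024  ACK RST
10:59:03 TCP irc2.erols.com -> 193.103.163.81 6667       3072  SYN ACK
10:59:03 TCP irc2.erols.com -> 193.103.163.81 6667       3072  ACK RST
12:00:00 TCP client.example.net -> 193.103.163.5  51000      80  SYN
"""
# Addresses that really exist on the monitored network (constructed set).
LIVE_HOSTS = {"193.103.163.5", "193.103.163.6"}
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+TCP\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<flags>[A-Z ]+?)\s*$")
# Flag combinations only a responding side sends; receiving them without
# having sent a SYN first means the packet is an unsolicited reply.
REPLY_ONLY = ({"SYN", "ACK"}, {"RST"}, {"ACK", "RST"})

def parse(log):
    """Parse log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            r = m.groupdict()
            r["flags"] = frozenset(r["flags"].split())
            records.append(r)
    return records

def summarize(records, live_hosts):
    """Per source host: distinct destinations, unsolicited replies, packets to
    non-existent addresses, and SYN/ACK then ACK/RST on one 4-tuple in one second."""
    out = defaultdict(lambda: {"dsts": set(), "reply_only": 0, "dead": 0, "pairs": 0})
    seen_synack = set()
    for r in records:
        s = out[r["src"]]
        s["dsts"].add(r["dst"])
        s["reply_only"] += r["flags"] in REPLY_ONLY
        s["dead"] += r["dst"] not in live_hosts
        key = (r["src"], r["dst"], r["sport"], r["dport"], r["time"])
        if r["flags"] == {"SYN", "ACK"}:
            seen_synack.add(key)
        elif r["flags"] == {"ACK", "RST"} and key in seen_synack:
            s["pairs"] += 1
    return {src: dict(v, dsts=len(v["dsts"])) for src, v in out.items()}
```

A source whose every packet is counted under reply_only, spread over many destinations that do not exist, is receiving no connections from your side at all; that is what distinguishes these lines from ordinary IRC traffic.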

