Security Incidents mailing list archives
Re: Not pulling the plug
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Fri, 18 Feb 2000 15:04:57 -0800
Port 5 is used by some OS fingerprinting attacks. Unfortunately, I've lost the information from my notes as to exactly which scripts use port 5; I'm guessing sscan maybe. Also, MidnightCommander has been known to put a service on that port. Robert Graham -----Original Message----- From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On Behalf Of thomas lakofski Sent: Thursday, February 17, 2000 5:31 PM To: INCIDENTS () securityfocus com Subject: Re: Not pulling the plug I saw this too Feb 16 17:32:04 oi ippl: port 5 connection attempt from ns.rbscc.com [12.3.24.2] portsentry blocked the host very quickly... works for me. as to port 5... ??? -tl On Wed, 16 Feb 2000, Stephen Friedl wrote:
From: Stephen Friedl <friedl () MTNDEW COM> To: INCIDENTS () SECURITYFOCUS COM Date: Wed, 16 Feb 2000 07:19:12 -0800 Subject: Not pulling the plug Hello all, For *two days*, an ADMROCKS-compromised machine in New Jersey has been
doing
a scan for TCP port 5 (what's this?), and the owner of the box refused to pull the plug while he fools with it. What's the best way to handle this?
...... who's watching your watchmen? EF D8 33 68 B3 E3 E9 D2 C1 3E 51 22 8A AA 7B 98
Current thread:
- Not pulling the plug Stephen Friedl (Feb 16)
- Re: Not pulling the plug thomas lakofski (Feb 17)
- Re: Not pulling the plug Robert Graham (Feb 18)
- Re: Not pulling the plug Niles Mills (Feb 18)
- <Possible follow-ups>
- Re: Not pulling the plug Ruth Milner (Feb 18)
- A few strange scans... Murray, Mike (Feb 20)
- Re: Not pulling the plug Miller, Toby (Feb 22)
- Re: Not pulling the plug David Brumley (Feb 23)
- Re: Not pulling the plug thomas lakofski (Feb 17)