Security Incidents mailing list archives
Re: 1953 & 1808
From: Bill_Royds () PCH GC CA (Bill Royds)
Date: Thu, 3 Feb 2000 23:12:03 -0500
We have received thousands. Interesting thing is that the source port is 6666 or 6667 which is often used by IRC. It looks like someone is trying to spoff an IRC return packet to drop a nasty payload. godel () TECHNOLOGIST COM on 2000/02/03 08:59:04 Please respond to godel () TECHNOLOGIST COM To: INCIDENTS () SECURITYFOCUS COM cc: (bcc: Bill Royds/HullOttawa/PCH/CA) Subject: 1953 & 1808 I have been receiving very slow, widely spaced attempts to ports 1808 and 1953 on two different networks for the past week, both NT but not in the same netblock or even class. The scans - 4 or 5 a day, separated by 5-6 hours, were initially from an IP calling itself 'office.portal.ru', which indicated it was located in the corporate headquarters of a large, active commercial ISP in Russia. Last night the same attempts apparently from a university, also in Russia. 1808/tcp is listed as Oracle-VP2 but 1953 is unassigned. Has anyone received anything like this also, and any idea what they are hoping for? Thanks for response! Missy
Current thread:
- 1953 & 1808 godel () TECHNOLOGIST COM (Feb 03)
- Re: 1953 & 1808 Eric S. Johnson (Feb 03)
- <Possible follow-ups>
- Re: 1953 & 1808 Bill Royds (Feb 03)