Security Incidents mailing list archives

TCP low port scan


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Mon, 15 May 2000 16:49:27 -0400


Hi all,

It's been awfully quiet lately in our corner of the world, but I did catch
a low TCP port scan from this morning coming from an MCI WorldCom
customer:

        Name:    chi-qbu-nvn-vty5.as.wcom.net
        Address:  216.192.169.5

The syslog entries that triggered my interest are:

May 15 00:53:39 server kernel: TCP connection accepted: ip=216.192.169.5 port=7 uid=0 process=xinetd[27356]
May 15 00:53:40 server kernel: TCP connection accepted: ip=216.192.169.5 port=9 uid=0 process=xinetd[27356]
May 15 00:53:40 server kernel: TCP connection rejected from 216.192.169.5, port 8
May 15 00:53:40 server kernel: TCP connection rejected from 216.192.169.5, port 10
May 15 00:53:40 server kernel: TCP connection accepted: ip=216.192.169.5 port=13 uid=0 process=xinetd[27356]

A nice, nearly sequential scan of the low TCP ports, probably
fingerprinting OSes on the basis of open ports and responses. I can't
think of much else useful in this range. Oddly, I was unable to find any
traces of the host on other services (i.e. SMTP) or other systems on the
subnet.

Interesting, I haven't seen this sort of thing in a while; I usually see
full-blown port scans.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
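The syslog lines quoted in the post are enough to detect this kind of low-port sweep automatically, without waiting for someone to notice it by eye. The following is an added example (my code, not Jose's and not part of the original post): it parses both line shapes that appear above (the kernel "accepted" line with `port=N`, and the "rejected" line with `, port N`), groups events by source IP, and flags any source that touches several distinct ports below 1024 within a short window. Both accepted and rejected connections are counted, since a probe shows up in one column or the other depending on what xinetd has enabled. The sample log is the post's five entries plus two constructed benign lines; the year, window size and port threshold are assumptions, not values from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Two shapes of kernel syslog line appear in the post:
#   "... TCP connection accepted: ip=A.B.C.D port=N uid=0 process=xinetd[PID]"
#   "... TCP connection rejected from A.B.C.D, port N"
SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
ACCEPT_RE = re.compile(
    SYSLOG_TS + r" \S+ kernel: TCP connection accepted: ip=" + IPV4 + r" port=(?P<port>\d+)"
)
REJECT_RE = re.compile(
    SYSLOG_TS + r" \S+ kernel: TCP connection rejected from " + IPV4 + r", port (?P<port>\d+)"
)

# Constructed sample log: the five lines quoted in the post, each on one line,
# followed by two benign lines (one ordinary SMTP connection, one unrelated kernel message).
SAMPLE_LOG = [
    "May 15 00:53:39 server kernel: TCP connection accepted: ip=216.192.169.5 port=7 uid=0 process=xinetd[27356]",
    "May 15 00:53:40 server kernel: TCP connection accepted: ip=216.192.169.5 port=9 uid=0 process=xinetd[27356]",
    "May 15 00:53:40 server kernel: TCP connection rejected from 216.192.169.5, port 8",
    "May 15 00:53:40 server kernel: TCP connection rejected from 216.192.169.5, port 10",
    "May 15 00:53:40 server kernel: TCP connection accepted: ip=216.192.169.5 port=13 uid=0 process=xinetd[27356]",
    "May 15 00:55:02 server kernel: TCP connection accepted: ip=10.0.0.5 port=25 uid=0 process=xinetd[27356]",
    "May 15 00:55:03 server kernel: eth0: link up",
]


def parse_line(line, year=2000):
    """Parse one syslog line into (timestamp, src_ip, port, outcome).

    Returns None for lines that are not TCP connection events. Syslog timestamps
    carry no year, so the caller supplies it (assumed 2000, the date of the post).
    """
    for rx, outcome in ((ACCEPT_RE, "accepted"), (REJECT_RE, "rejected")):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return ts, m["ip"], int(m["port"]), outcome
    return None


def find_low_port_sweeps(lines, min_ports=3, window_seconds=60, max_port=1023, year=2000):
    """Flag source IPs that touch at least min_ports distinct ports <= max_port
    within window_seconds. Accepted and rejected connections both count: a scanner's
    probes land in whichever column xinetd's configuration puts them."""
    events = defaultdict(list)  # ip -> [(timestamp, port, outcome), ...]
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip, port, outcome = parsed
        if port <= max_port:
            events[ip].append((ts, port, outcome))

    hits = {}
    for ip, evs in events.items():
        evs.sort()
        # Slide a window forward from each event; report the first window that qualifies.
        for i, (start, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if (e[0] - start).total_seconds() <= window_seconds]
            ports = sorted({port for _, port, _ in window})
            if len(ports) >= min_ports:
                hits[ip] = {
                    "ports": ports,
                    "accepted": sum(1 for e in window if e[2] == "accepted"),
                    "rejected": sum(1 for e in window if e[2] == "rejected"),
                    "first": start,
                    "last": window[-1][0],
                }
                break
    return hits


if __name__ == "__main__":
    for ip, hit in find_low_port_sweeps(SAMPLE_LOG).items():
        print(f"{ip}: ports {hit['ports']} ({hit['accepted']} accepted, {hit['rejected']} rejected) "
              f"between {hit['first']:%H:%M:%S} and {hit['last']:%H:%M:%S}")
```

Run against the sample, the scanner is reported with ports 7, 8, 9, 10 and 13 inside a one-second window, while the single SMTP connection from the constructed benign host is left alone. The threshold of three distinct low ports in sixty seconds is deliberately loose; on a busy server you would raise it, or exclude the ports your own monitoring touches, rather than lower it.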

