Security Incidents mailing list archives
Odd scans of tcp port 12345
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Tue, 16 May 2000 11:42:05 +1200
Greetings,

Over the last 24 hours I have detected 4 scans of tcp port 12345 in our /16 address space. What is odd about these scans is that *all* started at address 11 and then the scan probed sequentially upwards until it got to 255 (except in one case where it stopped at 100). There are 5 seconds between connection attempts, suggesting a loop trying standard tcp connects rather than a tool like nmap.

The source addresses were all major ISPs: one in the UK, one in Korea and two in the US -- all have been notified.

There are several trojans that are known to have 12345 as a default remote control port, but these scans don't seem (to me anyway) to be someone using nmap (or other standard tool) looking for trojans. It seems more likely that this is a worm that is trying to spread through machines that have been compromised by some trojan.

Why start at address 11? Maybe it is a typo for '1' in the script?

Cheers, Russell.
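The pattern described in the message above (one source, one port, consecutive destination addresses, a fixed delay between attempts) can be picked out of connection logs mechanically. The following is an added example, not part of the original post: the `epoch src dst dport` log format, the addresses, and the `min_hosts` and `jitter` thresholds are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import median

def make_sample_log():
    """Constructed sample: one slow sequential sweep plus unrelated noise."""
    lines = []
    # 198.51.100.7 walks 10.1.2.11 .. 10.1.2.30 on tcp/12345, 5 s apart
    for i, host in enumerate(range(11, 31)):
        lines.append(f"{1000 + 5 * i} 198.51.100.7 10.1.2.{host} 12345")
    # noise: scattered connections that do not form a sweep
    lines += ["1003 203.0.113.9 10.1.2.80 12345",
              "1500 203.0.113.9 10.1.7.12 12345",
              "1020 192.0.2.44 10.1.2.25 80"]
    return lines

def find_sequential_sweeps(lines, min_hosts=10, jitter=1.0):
    """Find sources probing consecutive addresses on one port at a steady pace.

    Each line is 'epoch src dst dport' (assumed format). A sweep is a run of
    at least min_hosts probes where every destination is the previous one
    plus 1 and every gap is within jitter seconds of the median gap.
    """
    probes = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = line.split()
        probes[(src, int(dport))].append((float(ts), int(ipaddress.ip_address(dst))))
    sweeps = []
    for (src, dport), hits in probes.items():
        hits.sort()                            # order by time of arrival
        run = []
        for hit in hits + [(None, None)]:      # sentinel flushes the last run
            if run and hit[1] == run[-1][1] + 1:
                run.append(hit)
                continue
            if len(run) >= min_hosts:
                gaps = [b[0] - a[0] for a, b in zip(run, run[1:])]
                step = median(gaps)
                if all(abs(g - step) <= jitter for g in gaps):
                    sweeps.append({"src": src, "dport": dport,
                                   "first": str(ipaddress.ip_address(run[0][1])),
                                   "last": str(ipaddress.ip_address(run[-1][1])),
                                   "hosts": len(run), "interval": step})
            run = [hit]
    return sweeps

if __name__ == "__main__":
    for sweep in find_sequential_sweeps(make_sample_log()):
        print(sweep)
```

Comparing the `first` address across sweeps from different sources is what surfaces a shared starting point such as the address 11 noted in the message.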