Security Incidents mailing list archives

Odd scans of tcp port 12345


From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Tue, 16 May 2000 11:42:05 +1200


Greetings,

Over the last 24 hours I have detected 4 scans of tcp port
12345 in our /16 address space.  What is odd about these scans is that
*all* started at address 11 and then the scan probed sequentially
upwards until it got to 255 (except in one case where it stopped at
100).  There are 5 seconds between connection attempts, suggesting a loop
trying standard tcp connects rather than a tool like nmap.

The source addresses were all major ISPs: one in the UK, one in Korea and
two in the US -- all have been notified.

There are several trojans that are known to have 12345 as a default
remote control port but these scans don't seem (to me anyway) to be
someone using nmap (or other standard tool) looking for trojans.  It seems
more likely that this is a worm that is trying to spread through
machines that have been compromised by some trojan.  Why start at
address 11? Maybe it is a typo for '1' in the script?

Cheers, Russell.
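
The pattern reported in this message (one source probing TCP port 12345, destinations rising one address at a time, a fixed delay between attempts) can be picked out of connection logs with a short script. This is an added example, not part of the original post; the record layout, the documentation-range addresses, the thresholds and the function names are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import median

def make_sample():
    """Constructed records: (epoch seconds, source IP, destination IP, TCP port).
    Addresses come from documentation ranges, not from the original report."""
    events = []
    # Source A: walks upward from .11, one address every 5 seconds
    for i, host in enumerate(range(11, 31)):
        events.append((1000 + 5 * i, "198.51.100.7", f"192.0.2.{host}", 12345))
    # Source B: a few scattered probes of the same port, irregular timing
    for ts, host in [(1003, 200), (1004, 17), (1050, 93), (1051, 5), (1090, 140)]:
        events.append((ts, "203.0.113.9", f"192.0.2.{host}", 12345))
    # Unrelated traffic from source A that must not affect the result
    events.append((1010, "198.51.100.7", "192.0.2.80", 80))
    return events

def find_sequential_sweeps(events, port=12345, min_run=10, max_jitter=1.0):
    """Return sources whose probes of `port` step through destination addresses
    one at a time with a near-constant delay between attempts."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == port:
            by_src[src].append((ts, int(ipaddress.ip_address(dst))))
    findings = []
    for src, probes in by_src.items():
        probes.sort()  # order by time
        if len(probes) < min_run:
            continue
        steps = [b[1] - a[1] for a, b in zip(probes, probes[1:])]
        gaps = [b[0] - a[0] for a, b in zip(probes, probes[1:])]
        delay = median(gaps)
        sequential = all(step == 1 for step in steps)
        steady = all(abs(gap - delay) <= max_jitter for gap in gaps)
        if sequential and steady:
            findings.append({
                "source": src,
                "first": str(ipaddress.ip_address(probes[0][1])),
                "last": str(ipaddress.ip_address(probes[-1][1])),
                "probes": len(probes),
                "delay_s": delay,
            })
    return findings

if __name__ == "__main__":
    for finding in find_sequential_sweeps(make_sample()):
        print(finding)
```

Reporting the first and last destination per source makes a shared starting address across unrelated sources, such as the "11" noted above, easy to spot.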

