Security Incidents mailing list archives
Port 109 scanning
From: "A.L.Lambert" <alambert () EPICREALM COM>
Date: Mon, 6 Nov 2000 07:25:47 -0600
I'm curious if anyone else has been getting port 109 SYN/FIN scan's lately? (src 109 -> dst 109). I've gotten them from two separate sources, several days apart (looks like a sequential scan of multiple class A networks), and I thought it was a bit odd, since last time I heard, POP2 was a virtually abandoned protocol (at least I've never seen it in use, and I've been mucking around on the net for a long time now), and in this day and age, a SYN/FIN scan is almost certain to set off IDS's. Normally a targeted scan looking for something that won't hurt my network wouldn't do much more than wake me up enough to e-mail the admin's of the offending network, but this one has my curiosity aroused, since on the surface, it looks both noisy, and pointless (or are there vulnerable pop2 servers all over the net that I'm unaware of?). The source of the scan's were 204.31.162.252, and 209.84.237.75, and the targets were in the 200.x.x.x and 213.x.x.x netblock's. Anyway, anyone with comments/thoughts, I'd be interested. Thanks in advance. --A.L.Lambert
Current thread:
- Port 109 scanning A.L.Lambert (Nov 07)
- Re: Port 109 scanning Jay D. Dyson (Nov 08)
- Re: Port 109 scanning Jander Sunstar (Nov 08)
- <Possible follow-ups>
- Re: Port 109 scanning azimuth (Nov 08)
- Re: Port 109 scanning Fernando Cardoso (Nov 08)
- Re: Port 109 scanning Andy Duncan (Nov 08)