Security Incidents mailing list archives

Re: Port 109 scanning


From: Fernando Cardoso <fernando () BN PT>
Date: Tue, 7 Nov 2000 10:30:24 -0000

Haven't seen those for a while. Those scans were popular in the beginning of
the year. Just checked my backlogs and found 3 SYN-FIN scans 109->109 back
in February, March and May. Two of them with origin in Japan and one from a
machine in the US. My class C was the target. Many isolated SYN scans to
port 109 occurred since then. I'm not sure what they are looking for, but I
think the older (=< 5.2?) RedHat distributions came with a POP2 daemon
enabled as default.

Fernando


_________________________________________________________
Fernando Cardoso              Phone:   +351 21 7982186
Network Administrator         Fax:     +351 21 7982185
National Library              E-mail:  fernando () bn pt
Portugal                      PGP ID:  28551CB8


-----Original Message-----
From: A.L.Lambert [mailto:alambert () EPICREALM COM]
Sent: Monday, 6 November 2000 13:26
To: INCIDENTS () SECURITYFOCUS COM
Subject: Port 109 scanning


      I'm curious if anyone else has been getting port 109 SYN/FIN
scans lately? (src 109 -> dst 109).  I've gotten them from two separate
sources, several days apart (looks like a sequential scan of multiple
class A networks), and I thought it was a bit odd, since last time I
heard, POP2 was a virtually abandoned protocol (at least I've never seen
it in use, and I've been mucking around on the net for a long time now),
and in this day and age, a SYN/FIN scan is almost certain to set off
IDSs.

      Normally a targeted scan looking for something that won't hurt my
network wouldn't do much more than wake me up enough to e-mail the admins
of the offending network, but this one has my curiosity aroused, since on
the surface, it looks both noisy and pointless (or are there vulnerable
pop2 servers all over the net that I'm unaware of?).

      The sources of the scans were 204.31.162.252, and 209.84.237.75,
and the targets were in the 200.x.x.x and 213.x.x.x netblocks.

      Anyway, anyone with comments/thoughts, I'd be interested.  Thanks
in advance.

      --A.L.Lambert
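
The two patterns mentioned in this thread (SYN/FIN packets with source and destination port 109, and isolated SYN probes to port 109) can be picked out of raw IPv4 packets as shown below. This is an added example, not part of either message; the function names, labels and sample addresses are constructed for illustration.

```python
import struct
from collections import Counter

FIN, SYN, ACK = 0x01, 0x02, 0x10
POP2_PORT = 109  # the port discussed in the thread

def build_packet(src, dst, sport, dport, flags):
    """Constructed sample input: minimal IPv4 + TCP headers, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHLLBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

def classify(packet):
    """Label one raw IPv4 packet, or return None if it is not of interest."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                      # not IPv4 or not TCP
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(packet) < ihl + 14:
        return None                      # bad header, later fragment, or truncated
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]
    if flags & SYN and flags & FIN:      # not a combination normal connections use
        return "synfin-109-to-109" if sport == dport == POP2_PORT else "synfin-other"
    if (flags & (SYN | ACK)) == SYN and dport == POP2_PORT:
        return "syn-to-109"              # plain connection attempt to POP2
    return None

def tally(packets):
    """Count labelled packets per (source address, label)."""
    hits = Counter()
    for p in packets:
        label = classify(p)
        if label:
            hits[(".".join(map(str, p[12:16])), label)] += 1
    return hits

# Constructed traffic using documentation address ranges, not the hosts from the thread.
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.1", 109, 109, SYN | FIN),
    build_packet("192.0.2.10", "198.51.100.2", 109, 109, SYN | FIN),
    build_packet("203.0.113.7", "198.51.100.1", 40211, 109, SYN),
    build_packet("203.0.113.7", "198.51.100.1", 40212, 80, SYN),
    build_packet("198.51.100.1", "203.0.113.7", 109, 40211, SYN | ACK),
]

if __name__ == "__main__":
    for (src, label), n in sorted(tally(SAMPLE).items()):
        print(f"{src:15} {label:18} {n}")
```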


