Security Incidents mailing list archives

Re: 6112/TCP scans


From: dewt <dewt () kc rr com>
Date: Fri, 7 Dec 2001 17:57:42 -0600

On Friday 07 December 2001 03:14 pm, Paul Dokas wrote:
> Is anyone else seeing large numbers of 6112/TCP scans coming from
> 63.240.0.0 - 63.242.255.255?  I'm seeing about 10/minute destined to
> random IPs within my networks.  The scanning technique looks exactly
> like the TCPMUX scans that were occurring a few months ago (forgive me,
> I can't remember what the technique was, just that it was really odd).
>
> Obviously, they're looking for vulnerable CDE installations.
>
> Paul

6112 is the port used by Blizzard's battlenet, you might just have people
playing Diablo 2, StarCraft, or whatever on your network
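
One way to tell the two explanations in this thread apart from flow data, as an added example that is not part of the original posts: inbound SYNs to 6112/TCP that fan out across many local addresses look like a scan, while connections opened by local hosts look like client traffic. The flow records, the 192.0.2.0/24 local network, the documentation-range source addresses and the fan-out threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

PORT = 6112
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed local network
FANOUT_THRESHOLD = 3  # assumed: distinct local targets that count as a scan

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE_FLOWS = [
    ("203.0.113.7", 40001, "192.0.2.10", 6112, "S"),
    ("203.0.113.7", 40002, "192.0.2.77", 6112, "S"),
    ("203.0.113.7", 40003, "192.0.2.130", 6112, "S"),
    ("203.0.113.7", 40004, "192.0.2.201", 6112, "S"),
    ("203.0.113.9", 51000, "192.0.2.20", 6112, "S"),
    ("192.0.2.50", 1050, "198.51.100.5", 6112, "S"),    # local client going out
    ("198.51.100.5", 6112, "192.0.2.50", 1050, "SA"),   # server reply, ignored
    ("203.0.113.7", 40005, "192.0.2.10", 80, "S"),      # other port, ignored
]

def is_local(ip):
    """True when the address falls inside one of the assumed local networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def triage(flows):
    """Label each host that opened a connection to 6112/TCP."""
    inbound = defaultdict(set)   # external source -> local addresses it probed
    outbound = defaultdict(set)  # local source -> external servers it contacted
    for src, _sport, dst, dport, flags in flows:
        if dport != PORT or flags != "S":  # keep only initial SYNs to 6112
            continue
        if not is_local(src) and is_local(dst):
            inbound[src].add(dst)
        elif is_local(src) and not is_local(dst):
            outbound[src].add(dst)
    report = {}
    for src, targets in inbound.items():
        report[src] = "scan" if len(targets) >= FANOUT_THRESHOLD else "inbound-probe"
    for src in outbound:
        report[src] = "outbound-client"
    return report

if __name__ == "__main__":
    for host, label in sorted(triage(SAMPLE_FLOWS).items()):
        print(f"{host:15} {label}")
```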
