Security Incidents mailing list archives
Re: port scan from 53
From: "Maarten Van Horenbeeck" <maarten () daemon be>
Date: Wed, 16 May 2001 19:57:08 +0200
JK,
Does anyone have any idea what would cause a scan to originate from port
53
on an IRIX based server and destined for users on incrementing ports starting in the 1000 range and continuing, in cases, to 4000 range.
the attacker might be expecting that your ACL / packetfilter accepts/passes all packets originating from 53 UDP (DNS-lookups). This is often the case on insecure packet-filter installations.
2000/09/14,09:21:48 -5:00 GMT, Server.IP.Address:53,Client.IP.Address:1038,UDP
With kind regards, Maarten Van Horenbeeck OS2 & Unix System Administrator http://www.daemon.be maarten () daemon be
Current thread:
- port scan from 53 JKruser (May 16)
- Re: port scan from 53 Maarten Van Horenbeeck (May 16)
- RE: port scan from 53 Mike Batchelor (May 17)
- Re: port scan from 53 Maarten Van Horenbeeck (May 16)