RE: port 6635 and port 9705

[dschultz () mail3 bunt com]

I saw a very similar scan from this IP to one of our Class C's on 13 Nov as 
well. 9705->9705 scan began at 18:18 GMT, followed by a 6635->6635 at 20:25 GMT.
In both instances, approximately 70 hits were detected.

Dale
> -----Original Message-----
> From: Jim Howard [mailto:Jim.Howard () abcv com]
> Sent: Wednesday, November 14, 2001 6:29 PM
> To: incidents () securityfocus com
> Subject: port 6635 and port 9705
>
>
> Somebody had asked where these scans were coming from.  Just yesterday, I
> got scanned on both these ports at the same time from this IP: 216.187.84.11
> ..  I have notified the parties that needed notification, but I just wanted
> to mention that: 
>
> 1) our entire network was scanned for both from the same host, one right
> after the other with 9705 first, then 6635.  The scans to 9705 were
> primarily from port 9705, where the 6635 scan was from an incrementing port
> #. 
>
> 2) this is the first I have seen scans on these ports for some time.  It
> sounds from what people are saying, that this may be picking up now?
>
> 3) There was a break of about 4 minutes between the scan sessions, that
> indicate a manual process to fire up the other scan.  All scans carry the
> SYN flag.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com


---------------------------------------------
This message was sent using Endymion MailMan.
http://www.endymion.com/products/mailman/



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com