Security Incidents mailing list archives
Re: looking for what? portscan 15000/tcp
From: Skip Carter <skip () taygeta com>
Date: Fri, 23 Aug 2002 14:34:09 -0700
More curious is that it specifies the source port as 15000 as well. Generally, I've only seen source ports specified for two reasons -- to get around IDS's by scanning from the FTP-DATA port for TCP or 53 for UDP to look like DNS responses or when someone's hunting for a backdoor the uses the source port as part of the authentication mechanism.
I suspect that the fact that the source port and destination ports are both the same reflects common origin of this exploit tool with that of other probe tools (there is one that does this for ssh on 22 and ftp on 21). Perhaps the original author was confused about the src/dest port designations or was trying to fool an early firewall, and set the two to the same. Then that code became the starting point for multiple probe tools ever since. -- Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647 Taygeta Scientific Inc. INTERNET: skip () taygeta com 1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com Monterey, CA. 93940 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- looking for what? portscan 15000/tcp Fabio Pietrosanti (naif) (Aug 23)
- Re: looking for what? portscan 15000/tcp Thomas Cannon (Aug 23)
- Re: looking for what? portscan 15000/tcp Skip Carter (Aug 23)
- <Possible follow-ups>
- RE: looking for what? portscan 15000/tcp Cushing, David (Aug 23)
- Re: looking for what? portscan 15000/tcp Thomas Cannon (Aug 23)