Security Incidents mailing list archives
Scans on 1240/tcp?
From: blackavar () citizensofgravity com
Date: Mon, 3 Nov 2003 09:35:25 -0500
Anyone recognise the following...?

08:36:21.267966 130.225.xxx.xxx.40497 > 24.157.xxx.xxx.1240: S 3374685220:3374685220(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
0x0000   4500 0030 7073 4000 2d06 c5aa 82e1 xxxx        E..0ps@.-.....3E
0x0010   189d xxxx 9e31 04d8 c925 9c24 0000 0000        ..H..1...%.$....
0x0020   7002 60f4 022d 0000 0101 0402 0204 05b4        p.`..-..........

My home connection is getting whacked with this basically 24/7 from a limited set of attack IPs.

The scanner sends 7 SYNs to 1240/tcp, all looking like normal Windows SYN packets, no data. IPID is incrementing normally. Source port and sequence number are incrementing between each series of connection attempts, so I think he must be scanning other IPs as well.

The router is catching it all, so it's not a threat, but I am wondering what the heck it is. I googled the port and found a couple of references to a Windows trojan that I have never heard of, nor seen in the wild.

I only see this scanning on my home IP. (I don't even HAVE any Windoze boxes here.)

Anyone else seeing and/or recognise this?
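As an added example (not part of the original post), the Python below decodes the hex dump quoted in the message and recovers the fields described there: ports, sequence number, window, IP ID, TTL, TCP options and payload length. The masked `xxxx` address bytes are zero-filled, which is an assumption, and the function names are illustrative.

```python
import struct

# Hex words from the post; "xxxx" address masks are zero-filled (an assumption).
DUMP = """
4500 0030 7073 4000 2d06 c5aa 82e1 xxxx
189d xxxx 9e31 04d8 c925 9c24 0000 0000
7002 60f4 022d 0000 0101 0402 0204 05b4
"""
OPTION_NAMES = {1: "nop", 2: "mss", 3: "wscale", 4: "sackOK", 8: "timestamp"}


def dump_to_bytes(dump):
    """Turn tcpdump -x hex words into bytes, zero-filling masked nibbles."""
    return bytes.fromhex("".join(dump.split()).replace("x", "0"))


def parse_tcp_options(raw):
    """Walk the TCP option list; return [(name, value or None), ...]."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != 0:          # kind 0 ends the list
        kind = raw[i]
        length = 1 if kind == 1 else (raw[i + 1] if i + 1 < len(raw) else 0)
        if (kind != 1 and length < 2) or i + length > len(raw):
            raise ValueError("truncated or malformed TCP option")
        body = raw[i + 2:i + length]
        value = int.from_bytes(body, "big") if body else None
        opts.append((OPTION_NAMES.get(kind, f"kind{kind}"), value))
        i += length
    return opts


def decode_syn(pkt):
    """Decode the IPv4/TCP header fields worth comparing across probes."""
    ver_ihl, _, total_len, ip_id, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(pkt) < ihl + 20:
        raise ValueError("not a complete IPv4/TCP packet")
    sport, dport, seq, _, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    tcp_len = (off_flags >> 12) * 4
    return {
        "ip_id": ip_id, "ttl": ttl, "df": bool(frag & 0x4000),
        "sport": sport, "dport": dport, "seq": seq, "win": win,
        "syn_only": (off_flags & 0x3F) == 0x02, "payload_len": total_len - ihl - tcp_len,
        "options": parse_tcp_options(pkt[ihl + 20:ihl + tcp_len]),
    }


if __name__ == "__main__":
    print(decode_syn(dump_to_bytes(DUMP)))
```

Running the same decoder over each probe in a series puts IP ID, source port and sequence number side by side, which is the comparison the post makes by eye.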