Security Incidents mailing list archives
Re: Who is looking for port 2036?
From: Tillmann Werner <tillmann.werner () gmx de>
Date: Wed, 26 Oct 2005 21:48:53 +0200
Joakim,
> The scan seems to be from a large botnet, across the world.
What makes you believe the attack's origin is a botnet?
> They have only targeted one ip, and it doesn't respond to those ports.
Your samples only showed port 2036/tcp on a very low frequency. Is this representative for a longer period? What is the percentage of port 80/tcp packets?
> Is it the tryout of a new worm?
Unlikely, if it only targets a single ip address which does not respond. Http might be used as destination port for such packets are likely to go through firewalls. If you are interested in further investigation, you could run netcat on the attacked host to see if connection establishment goes on and if there arrives any data.
Tillmann
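The listener check suggested in the message above, as an added example that is not part of the original post: a small Python stand-in for the netcat listener that records whether connections complete and whether any data arrives. The function names, parameters and record fields are assumptions of this example; only port 2036 comes from the thread.

```python
import socket
import time
from collections import Counter

def listen_and_record(host, port, max_conns=10, idle_timeout=30.0,
                      max_bytes=4096, ready=None):
    """Accept TCP connections and record what each peer sends (never replies)."""
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        srv.settimeout(idle_timeout)
        if ready is not None:
            ready(srv.getsockname()[1])  # report the bound port to the caller
        while len(records) < max_conns:
            try:
                conn, peer = srv.accept()  # returns only after a full handshake
            except socket.timeout:
                break  # nobody completed a connection within idle_timeout
            data = b""
            with conn:
                conn.settimeout(idle_timeout)
                try:
                    while len(data) < max_bytes:
                        chunk = conn.recv(max_bytes - len(data))
                        if not chunk:
                            break  # peer closed its side
                        data += chunk
                except (socket.timeout, ConnectionResetError):
                    pass  # keep whatever arrived before the stall or reset
            records.append({"time": time.time(), "peer": peer[0],
                            "sport": peer[1], "bytes": len(data), "payload": data})
    return records

def summarize(records):
    """Answer the two questions: do connections complete, and does data arrive?"""
    return {"connections": len(records),
            "with_data": sum(1 for r in records if r["bytes"] > 0),
            "sources": dict(Counter(r["peer"] for r in records))}

if __name__ == "__main__":
    # Port 2036 is the port from the thread; run this on the host being probed.
    recs = listen_and_record("0.0.0.0", 2036)
    print(summarize(recs))
    for r in recs:
        print(r["peer"], r["sport"], r["bytes"], r["payload"][:64])
```

Connections that complete but carry no payload point to plain port probing, while recorded payload bytes give something concrete to compare against known protocols.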
Current thread:
- Who is looking for port 2036? Joakim Berge (Oct 25)
- Re: Who is looking for port 2036? Tillmann Werner (Oct 26)
- Re: Who is looking for port 2036? Joakim Berge (Oct 27)
- Re: Who is looking for port 2036? mis (Oct 27)
- Re: Who is looking for port 2036? Justin (Oct 28)
- Re: Who is looking for port 2036? Joakim Berge (Oct 27)
- Re: Who is looking for port 2036? Tillmann Werner (Oct 26)