Firewall Wizards mailing list archives

Connection attempts to 13223


From: dreamwvr <dreamwvr () dreamwvr com>
Date: Wed, 24 Mar 1999 12:03:38 -0700

hi,
anyone know what attempted connects to port 13223 are aimed at achieving?
really found this one interesting but do not have any info on why that
specific port, or what the connector is hoping to achieve on this specific port?
                                                        Regards,
                                                        dreamwvr () dreamwvr com
At 02:52 PM 3/23/99 -0800, David Gillett wrote:
On 22 Mar 99, at 9:59, Neil Ratzlaff wrote:

I keep seeing people doing combination finger/IMAP scans on our
primary and secondary nameservers.  The number of sources is
increasing.  (And the firewall keeps blocking them.) The ratio is
usually about two fingers followed by an IMAP, they will try several
dozen times, and then they quit. Does anyone recognize this as a
meaningful pattern?  If so, can someone tell me what they think they
are doing?  Assuming there is thought involved, of course. 

 A common pattern we see includes two tries each at IMAP, finger, POP, 
telnet, mountd, and sometimes a couple of others.  Every time we've 
tracked it back, we've found someone's Linux box that has been cracked.


David G


Reuters, London, February 29, 1998: 
Scientists have announced discovering a meteorite which will strike the 
earth in March, 2028.  Millions of UNIX coders expressed relief for being 
spared the UNIX epoch "crisis" of 2038.
_______________________________________________________________________

DREAMWVR.COM - TOTAL INTERNET SERVICES
Featuring Website Development and Web Strategies of a TOP Developer 
By Hand Since the Web Began.. Design, Development, Integration, Security
<http://www.dreamwvr.com/services/MAX_SEC.html>
DREAMWVR.COM - The Console of Many... 24 X 7 Evolution Internet
<http://www.dreamwvr.com/dynamicduo.html> <mailto:dreamwvr () dreamwvr com>
<*<*<* Proud Linux-Mandrake Distributor *>*>*>
<http://www.dreamwvr.com/mandrake/mandrake-dist.html>
"As Unique as the Company You Keep."        "===0 PGP Key Available  
________________________________________________________________________
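
Added example, not part of the original thread: one way to flag, in firewall deny logs, the two probe patterns described in the quoted messages (repeated finger/IMAP attempts at roughly two to one, and two tries each across several services). The log line format, the thresholds and all addresses are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Well-known TCP ports for the services named in the thread. mountd is left
# out: it registers through the portmapper and has no fixed port.
SERVICES = {79: "finger", 143: "imap", 110: "pop3", 23: "telnet"}

# Assumed (constructed) log format: "<time> DENY TCP src:sport -> dst:dport"
LINE = re.compile(r"DENY TCP (\S+):\d+ -> (\S+):(\d+)$")

def classify(lines, min_rounds=3):
    """Return {source: label} for sources matching either probe pattern."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LINE.search(line)
        if m and int(m.group(3)) in SERVICES:
            hits[m.group(1)][SERVICES[int(m.group(3))]] += 1
    verdict = {}
    for src, c in hits.items():
        # Pattern from the reply: at least two tries at each listed service.
        if len(c) >= 4 and all(n >= 2 for n in c.values()):
            verdict[src] = "multi-service sweep"
        # Pattern from the first message: about two fingers per IMAP, repeated.
        elif (set(c) == {"finger", "imap"} and c["imap"] >= min_rounds
              and 1.5 <= c["finger"] / c["imap"] <= 2.5):
            verdict[src] = "finger/imap probe"
    return verdict

def sample_log():
    """Constructed sample: three sources from documentation address ranges."""
    out = []
    def deny(src, port):
        sec = len(out) % 60
        out.append(f"Mar 22 09:59:{sec:02d} DENY TCP {src}:1024 -> 10.0.0.53:{port}")
    for _ in range(4):                      # two fingers then an IMAP, repeated
        for port in (79, 79, 143):
            deny("192.0.2.10", port)
    for port in (143, 79, 110, 23):         # two tries each at four services
        for _ in range(2):
            deny("198.51.100.7", port)
    deny("203.0.113.5", 110)                # single stray POP attempt
    deny("203.0.113.5", 13223)              # port from the question; not in SERVICES
    return out

if __name__ == "__main__":
    for src, label in sorted(classify(sample_log()).items()):
        print(src, label)
```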
                                                                   



