Full Disclosure mailing list archives
Re: TCP Port 42 port scans? What the heck over...
From: Matt Ostiguy <ostiguy () gmail com>
Date: Mon, 13 Dec 2004 14:33:42 -0500
http://isc.sans.org/port_details.php?port=42&repax=1&tarax=2&srcax=2&percent=N&days=70&Redraw=

Shows a fairly large spike over the weekend. 42 is used for WINS (MS's netbios name server) replication, and recently the Immunitysec folks found an exploitable bug in the WINS service. Still, given how few people one would expect to have that port accessible through a firewall, or just how low the percentage of Windows servers running WINS is, it is somewhat of a strange target if it is indeed an attempted WINS exploit.

Matt

On Mon, 13 Dec 2004 06:46:38 -0700, James Lay <jlay () ameriben com> wrote:
> Here they be. ODD. Anyone else seeing this?
>
> Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.1 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: Web1 drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.18.1 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.4 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 workbox kernel: IN=eth0 OUT= MAC=00:60:97:a5:76:36:00:10:7b:90:bc:30:08:00 SRC=131.252.116.141 DST=10.1.200.10 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.7 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: X12 drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.14 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.2 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: Htpedi drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.17 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: Edirecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.12 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
>
> James Lay
> Network Manager/Security Officer
> AmeriBen Solutions/IEC Group
> Deo Gloria!!!
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
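
Added example, not part of the original posts: a small Python parser for netfilter LOG lines like those quoted in the message, which flags a source sending bare SYNs for one destination port to several hosts and notes whether the IP ID and source port stay constant across the probes, as they do in the quoted log. The sample lines, the documentation-range addresses, the function names `parse_line` and `find_sweeps`, and the `min_targets` threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in netfilter LOG format; addresses are documentation ranges.
SAMPLE_LOG = """\
Dec 13 06:41:49 gw kernel: drops:IN=br0 OUT=br0 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 13 06:41:49 gw kernel: drops:IN=br0 OUT=br0 SRC=198.51.100.7 DST=192.0.2.4 LEN=40 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 13 06:41:49 gw kernel: drops:IN=br0 OUT=br0 SRC=198.51.100.7 DST=192.0.2.7 LEN=40 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 13 06:41:50 gw kernel: drops:IN=br0 OUT=br0 SRC=198.51.100.7 DST=192.0.2.9 LEN=40 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 13 06:42:10 gw kernel: drops:IN=br0 OUT=br0 SRC=203.0.113.9 DST=192.0.2.1 LEN=48 TTL=52 ID=4411 DF PROTO=TCP SPT=51522 DPT=42 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 13 06:42:11 gw kernel: drops:IN=br0 OUT=br0 SRC=203.0.113.20 DST=192.0.2.4 LEN=40 TTL=60 ID=901 DF PROTO=TCP SPT=80 DPT=33012 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

KEY_VALUE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAG = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")

def parse_line(line):
    """Split one LOG line into its KEY=value fields plus the set of TCP flag words."""
    fields = dict(KEY_VALUE.findall(line))
    fields["FLAGS"] = set(TCP_FLAG.findall(line))
    return fields

def find_sweeps(lines, min_targets=3):
    """Report (source, port) pairs whose bare SYNs reached at least min_targets hosts."""
    seen = defaultdict(lambda: {"dsts": set(), "ids": set(), "sports": set()})
    for line in lines:
        f = parse_line(line)
        if f.get("PROTO") != "TCP" or f["FLAGS"] != {"SYN"}:
            continue
        if not all(f.get(k) for k in ("SRC", "DST", "DPT", "SPT", "ID")):
            continue  # truncated or wrapped log line
        group = seen[(f["SRC"], int(f["DPT"]))]
        group["dsts"].add(f["DST"])
        group["ids"].add(f["ID"])
        group["sports"].add(f["SPT"])
    return [
        {"src": src, "dport": dport, "targets": len(g["dsts"]),
         # Same IP ID and source port on every probe: header is not varied per packet.
         "static_header": len(g["ids"]) == 1 and len(g["sports"]) == 1}
        for (src, dport), g in sorted(seen.items())
        if len(g["dsts"]) >= min_targets
    ]

if __name__ == "__main__":
    for hit in find_sweeps(SAMPLE_LOG.splitlines()):
        print(hit)
```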