Re: Scan of on port 5232

[Ryan Pendergraff <rpendergraff () TRADEINFO COM>]

    Looks like a scan for an SGI render farm...
Port 5232 is used by SGI distributed graphics.


> We were on the receiving end of a scan on port 5232 the other night. I
> have been unable to figure out what they might be looking for...
>
> Aug  8 21:18:59 204.97.241.16:1323 -> a.b.c.1:5232 SYN **S*****
> Aug  8 21:18:59 204.97.241.16:1325 -> a.b.c.3:5232 SYN **S*****
> Aug  8 21:18:59 204.97.241.16:1347 -> a.b.c.25:5232 SYN **S*****
> Aug  8 21:18:59 204.97.241.16:1352 -> a.b.c.30:5232 SYN **S*****
> Aug  8 21:18:59 204.97.241.16:1356 -> a.b.c.34:5232 SYN **S*****
> Aug  8 21:18:59 204.97.241.16:1358 -> a.b.c.36:5232 SYN **S*****
> Aug  8 21:18:59 204.97.241.16:1361 -> a.b.c.39:5232 SYN **S*****
> Aug  8 21:18:59 204.97.241.16:1362 -> a.b.c.40:5232 SYN **S*****
> Aug  8 21:18:59 204.97.241.16:1363 -> a.b.c.41:5232 SYN **S*****
> Aug  8 21:18:59 204.97.241.16:1364 -> a.b.c.42:5232 SYN **S*****
>
>
> The only thing I have really found is a mention of a similar scan on the
> SANS site:
>
> http://www.sans.org/y2k/041200.htm
>
> (relevant excerpt)
> Apr 9 01:31:16 163.152.41.8:16628 -> a.b.d.52:5232 SYN **S*****
> Apr 9 01:31:17 163.152.41.8:16883 -> a.b.e.52:5232 SYN **S*****
> Apr 9 01:31:17 163.152.41.8:16889 -> a.b.e.58:5232 SYN **S*****
> Apr 9 01:31:17 163.152.41.8:16892 -> a.b.e.61:5232 SYN **S*****
> Apr 9 01:31:17 163.152.41.8:16894 -> a.b.e.63:5232 SYN **S*****
>
> Any ideas? My only guess is that they meant to hit 5232 and got
> confused..
>
> Thanks,
> Rob