Security Incidents mailing list archives

Re: scan on TCP/21536


From: Grzegorz Janoszka <grzesjan () ONET PL>
Date: Tue, 26 Dec 2000 21:44:07 +0100

On Sat, 23 Dec 2000, Rude Yak wrote:

  Someone posted about scans from TCP 18245 to TCP 21536 recently, and received
replies that the scan was an unidentified tool, with the source mostly coming
from Poland.  I've been seeing a rash of these scans lately, except they are
accompanied simultaneously with scans for Firewall-1 services (TCP 256, 259)
and coming from a US-based ISP.  Thought I'd add a bit of fuel to the fire...

We've posted some information about 18245/21536 recently, but you probably
missed it. TCP packets coming from 18245 to 21536 are not scans, but
corrupted packets. They are TCP packets WITHOUT a TCP header; there is an IP
header and TCP data immediately after it.
The string "GET " in TCP data placed in the place of the TCP header means
a connection from port 18245 to 21536.
Polish Telecom (tpnet.pl) has a corrupted access server which produces such
packets.

--
Grzegorz Janoszka,  Onet.PL S.A. NA
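
Added example, not part of the original post: decoding HTTP payload bytes as if they were a TCP header shows why "GET " is logged as port 18245 to port 21536, and the same mapping can be reversed to triage firewall log entries. The prefix list, function names, sample payload and sample log entries are assumptions made up for this illustration.

```python
import struct

# Four-byte starts of HTTP traffic; this list is an assumption of the example.
HTTP_PREFIXES = (b"GET ", b"POST", b"HEAD", b"PUT ", b"HTTP")

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the 20 bytes after the IP header as a TCP header, as a filter or IDS would."""
    if len(segment) < 20:
        raise ValueError("need 20 bytes to decode a TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urgent = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off_flags >> 12, "flags": off_flags & 0x3F,
            "window": window}

def ports_for_prefix(prefix: bytes) -> tuple:
    """Port pair that appears when these 4 payload bytes sit where the header should be."""
    return struct.unpack("!HH", prefix)

def headerless_http_prefix(sport: int, dport: int):
    """Return the HTTP prefix a logged port pair spells out, or None."""
    raw = struct.pack("!HH", sport, dport)
    return raw if raw in HTTP_PREFIXES else None

def triage(log_entries):
    """Split (sport, dport) log entries into likely-corrupted packets and the rest."""
    corrupted, other = [], []
    for sport, dport in log_entries:
        bucket = corrupted if headerless_http_prefix(sport, dport) else other
        bucket.append((sport, dport))
    return corrupted, other

# Constructed sample: HTTP request bytes placed directly after the IP header.
SAMPLE_PAYLOAD = b"GET /index.html HTTP/1.0\r\n\r\n"
# Constructed firewall log entries as (source port, destination port).
SAMPLE_LOG = [(18245, 21536), (1025, 80), (20559, 21332), (3312, 256)]

if __name__ == "__main__":
    print(parse_tcp_header(SAMPLE_PAYLOAD))
    print(triage(SAMPLE_LOG))
```

A port pair that spells out ASCII text is only a hint; confirming it needs the raw packet, where the remaining "header" fields will also decode to printable payload bytes.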

