Security Incidents mailing list archives
Re: What's this a probe for?
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Thu, 17 Feb 2000 17:10:51 -0800
I don't think so, but I think it is related. The DDoS floods came from Sun servers that were compromised by RPC services like cmsd, tooltalk, statd, etc. These services usually run on dynamically assigned port numbers, and you discover which by sending a request to the portmapper service at port 111. However, Sun machines start allocating their dynamic port assignments at around 32771.

A probe for 32773 means that the hacker is hoping that you (or others in your address range) have a Sun workstation, and that the exploit he/she is scanning for runs at port 32773.

On my machine, cachefsd is running at that port. I am not aware of any attacks against that service. My guess is that on the hacker's machine, cmsd is running at that port, and he/she is scanning the Internet for similarly configured machines.

Robert Graham

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On Behalf Of Brett Glass
Sent: Wednesday, February 16, 2000 12:58 PM
To: INCIDENTS () securityfocus com
Subject: What's this a probe for?

A log entry from BlackICE Defender:

59, 2000-02-16 20:15:22, 2003102, TCP port probe, 211.40.176.54, <victim IP deleted>, 1, , port=32773, 1

Is this a DDoS ping?
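Added example, not part of either message above: a short Python script that takes the BlackICE entry quoted in the thread, extracts the probed port, and looks it up in rpcinfo -p output to show which RPC service is registered on that port locally. The rpcinfo listing is constructed sample data, and the meaning given to the log's comma-separated fields is an assumption inferred from the single entry shown.

```python
import re

# Constructed sample in the layout printed by `rpcinfo -p`; not from a real host.
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100024    1   tcp  32771  status
    100083    1   tcp  32772  ttdbserverd
    100235    1   tcp  32773  cachefsd
    100068    5   udp  32774  cmsd
"""

# The log entry quoted in the thread (victim address redacted by the poster).
LOG_LINE = ("59, 2000-02-16 20:15:22, 2003102, TCP port probe, 211.40.176.54, "
            "<victim IP deleted>, 1, , port=32773, 1")

SUN_DYNAMIC_START = 32771  # approximate start of Sun's dynamic range, per the reply


def parse_rpcinfo(text):
    """Return {(proto, port): {service, ...}} from `rpcinfo -p` output."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a numeric program number; this skips the header.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        proto, port = fields[2], int(fields[3])
        name = fields[4] if len(fields) > 4 else "program " + fields[0]
        table.setdefault((proto, port), set()).add(name)
    return table


def classify_probe(log_line, rpc_table):
    """Map one probe entry to the RPC service registered on the probed port."""
    fields = [f.strip() for f in log_line.split(",")]
    proto = fields[3].split()[0].lower()   # assumed: 4th field starts with TCP/UDP
    source = fields[4]                     # assumed: 5th field is the source address
    match = re.search(r"port=(\d+)", log_line)
    if match is None:
        raise ValueError("no port= field in log entry")
    port = int(match.group(1))
    return {
        "source": source,
        "proto": proto,
        "port": port,
        "in_sun_dynamic_range": port >= SUN_DYNAMIC_START,
        "local_services": sorted(rpc_table.get((proto, port), ())),
    }
```

Calling classify_probe(LOG_LINE, parse_rpcinfo(RPCINFO_SAMPLE)) reports the probe as TCP 32773, inside the Sun dynamic range, matching cachefsd in the sample listing; on a real host, feed it the output of rpcinfo -p instead.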