Security Incidents mailing list archives

TCP scans


From: emperor () SQUONK NET (Roy Wilson)
Date: Thu, 17 Feb 2000 09:02:49 -0500


On Wed, 16 Feb 2000 07:19:12 -0800, Stephen Friedl wrote:

Hello all,

For *two days*, an ADMROCKS-compromised machine in New Jersey has been doing
a scan for TCP port 5 (what's this?), and the owner of the box refused to
pull the plug while he fools with it. What's the best way to handle this?

        I'm getting the same kind of idiocy from webtv.net:

02/15/00 22:42:26 Firewall blocked access (TCP Port 8626) from 209.240.200.22 (TCP Port 1650)
02/15/00 22:42:26 Firewall blocked access (TCP Port 8629) from 209.240.200.22 (TCP Port 1650)
02/15/00 22:46:02 Firewall blocked access (TCP Port 8626) from 209.240.200.22 (TCP Port 1650)
Occurred 12 times between 22:46:18 and 22:47:14 (02/15/00)
Firewall blocked access (TCP Port 8629) from 209.240.200.22 (TCP Port 1650)
02/15/00 22:49:02 Firewall blocked access (TCP Port 8624) from 209.240.200.22 (TCP Port 1650)

        They've been at it for weeks.  Complaints to them got me this:

 If you are reporting an attack on your computer from one of our
servers, and you have a dynamic IP address assigned to you, please talk
to your ISP about getting a static IP address. WebTV servers send
information to WebTV clients. If the client quietly goes away and your
system comes online with the same IP address, your system will see our
packets. This is very common with dynamic IP addresses and is not a
security attack from our site.

        My ISP, myself, and everyone I've talked to agree that the
above is just so much bovine feces.

        The question is *who* is actually compromised here, webtv.net
or msn.com.

        My firewall is sending these requests to the bit bucket
unacknowledged.  Does anyone have anything cute I could bind to those high
ports to annoy the scanner?

        I've already threatened them with the ultimate nuclear weapon,
a lawyer.  They really don't seem to give a damn.  And they refuse to
answer my question: if it's on purpose, WHY are they port scanning
THEIR clients?

        And why such odd high port numbers?  Anyone know of anything
evil out there that would install and bind to those ports on user-level
machines?

Roy Wilson  <emperor () squonk net> <CM# 1663>
PGP Key available from certserver.pgp.com or pgpkeys.mit.edu

PGP Public Key Fingerprint: AD1E 4812 56DC 89DD  8C98 4919 5D90 82AF
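As an added example, not part of the original thread: a small Python script that parses firewall log lines in the format quoted above and flags a source that probes several distinct destination ports from one unchanging source port within a short window. That pattern is what separates a deliberate probe from WebTV's explanation of a server still replying to a stale session on a recycled dynamic address, since such replies would come from the server's own service port toward a single client port. The sample lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format of the firewall log quoted in the post.
# Source addresses are documentation-range placeholders, not the host in the thread.
SAMPLE_LOG = """\
02/15/00 22:42:26 Firewall blocked access (TCP Port 8626) from 203.0.113.5 (TCP Port 1650)
02/15/00 22:42:26 Firewall blocked access (TCP Port 8629) from 203.0.113.5 (TCP Port 1650)
02/15/00 22:46:02 Firewall blocked access (TCP Port 8626) from 203.0.113.5 (TCP Port 1650)
Occurred 12 times between 22:46:18 and 22:47:14 (02/15/00)
02/15/00 22:49:02 Firewall blocked access (TCP Port 8624) from 203.0.113.5 (TCP Port 1650)
02/15/00 22:50:11 Firewall blocked access (TCP Port 80) from 198.51.100.9 (TCP Port 41022)
02/15/00 22:51:40 Firewall blocked access (TCP Port 80) from 198.51.100.9 (TCP Port 41023)
"""

LINE_RE = re.compile(
    r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Firewall blocked access "
    r"\(TCP Port (?P<dport>\d+)\) from (?P<src>[\d.]+) \(TCP Port (?P<sport>\d+)\)"
)

def parse_events(text):
    """Return a list of (timestamp, src_ip, src_port, dst_port) per parseable line.
    Summary lines such as "Occurred 12 times between ..." carry no timestamp
    prefix and are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S")
        events.append((ts, m.group("src"), int(m.group("sport")), int(m.group("dport"))))
    return events

def find_fixed_source_port_scanners(events, window=timedelta(minutes=10), min_dports=3):
    """Return {src_ip: sorted destination ports} for sources that hit at least
    min_dports distinct destination ports from a single fixed source port
    inside `window`.  Stale-session replies from a real server would instead
    show the server's service port as source and one destination port."""
    by_key = defaultdict(list)
    for ts, src, sport, dport in events:
        by_key[(src, sport)].append((ts, dport))
    hits = {}
    for (src, sport), lst in by_key.items():
        lst.sort()
        for i, (t0, _) in enumerate(lst):
            dports = {d for t, d in lst[i:] if t - t0 <= window}
            if len(dports) >= min_dports:
                hits[src] = sorted(dports)
                break
    return hits
```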

