Security Incidents mailing list archives

Re: 1953 & 1808


From: Bill_Royds () PCH GC CA (Bill Royds)
Date: Thu, 3 Feb 2000 23:12:03 -0500


We have received thousands. Interesting thing is that the source port is 6666 or
6667 which is often used by IRC. It looks like someone is trying to spoof an IRC
return packet to drop a nasty payload.

godel () TECHNOLOGIST COM on 2000/02/03 08:59:04

Please respond to godel () TECHNOLOGIST COM

 To:      INCIDENTS () SECURITYFOCUS COM

 cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)

 Subject: 1953 & 1808

I have been receiving very slow, widely spaced attempts to
ports 1808 and 1953 on two different networks for the past
week, both NT but not in the same netblock or even class.
The scans - 4 or 5 a day, separated by 5-6 hours, were
initially from an IP calling itself 'office.portal.ru',
which indicated it was located in the corporate headquarters
of a large, active commercial ISP in Russia.  Last night the
same attempts apparently came from a university, also in Russia.

1808/tcp is listed as Oracle-VP2 but 1953 is unassigned.

Has anyone received anything like this also, and any idea
what they are hoping for?  Thanks for response!

Missy
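
Added example (not part of either message): a detector for the pattern the thread describes, a handful of widely spaced probes to ports 1808 and 1953, with a flag for the 6666/6667 source ports mentioned in the reply. The key=value log format, the addresses and the thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WATCHED_DPORTS = {1808, 1953}   # destination ports named in the thread
IRC_SPORTS = {6666, 6667}       # source ports reported in the reply
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) SPT=(\d+) DST=(\S+) DPT=(\d+)$")

# Constructed sample in a made-up firewall log format (assumption).
SAMPLE_LOG = """\
2000-01-28T01:10:00 SRC=192.0.2.10 SPT=6667 DST=198.51.100.5 DPT=1808
2000-01-28T06:40:00 SRC=192.0.2.10 SPT=6666 DST=198.51.100.5 DPT=1953
2000-01-28T12:05:00 SRC=192.0.2.10 SPT=6667 DST=198.51.100.5 DPT=1808
2000-01-28T17:50:00 SRC=192.0.2.10 SPT=6667 DST=198.51.100.5 DPT=1953
2000-01-28T12:00:00 SRC=203.0.113.7 SPT=40211 DST=198.51.100.5 DPT=80
2000-01-28T12:00:01 SRC=203.0.113.7 SPT=40212 DST=198.51.100.5 DPT=1808
not a log line
"""

def find_slow_probes(log_text, min_hits=4, min_gap=timedelta(hours=1),
                     window=timedelta(days=7)):
    """Return {src: summary} for sources that hit the watched ports at least
    min_hits times inside `window` with a median spacing of at least min_gap."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # skip malformed lines
        ts, src, spt, _dst, dpt = m.groups()
        if int(dpt) in WATCHED_DPORTS:
            hits[src].append((datetime.fromisoformat(ts), int(spt), int(dpt)))
    report = {}
    for src, events in hits.items():
        events.sort()
        recent = [e for e in events if events[-1][0] - e[0] <= window]
        if len(recent) < max(min_hits, 2):
            continue                       # too few probes to measure spacing
        gaps = [b[0] - a[0] for a, b in zip(recent, recent[1:])]
        if median(gaps) < min_gap:
            continue                       # fast scan; rate-based rules see it
        report[src] = {
            "hits": len(recent),
            "median_gap_hours": round(median(gaps).total_seconds() / 3600, 2),
            "dports": sorted({e[2] for e in recent}),
            "irc_sport": all(e[1] in IRC_SPORTS for e in recent),
        }
    return report
```

A week-long window is what makes this work: at 4 or 5 probes a day, a per-minute or per-hour rate threshold never fires.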

