Security Incidents mailing list archives

Re: 1953 & 1808

From: esj () CS FIU EDU (Eric S. Johnson)
Date: Thu, 3 Feb 2000 19:29:33 -0500

I have been receiving very slow, widely spaced attempts to
ports 1808 and 1953 on two different networks for the past
week, ...
The scans - 4 or 5 a day, separated by 5-6 hours, were
initially from an IP calling itself 'office.portal.ru',

1808/tcp is listed as Oracle-VP2 but 1953 is unassigned.

Has anyone received anything like this also, and any idea
what they are hoping for?  Thanks for response!


I have seen something like this too recently, hitting our campus /16 network
office.portal.ru (195.16.97.35) is scanning about 1 host/minute.

2000.01.30/195.16.97.35 - office.portal.ru - 344 host addrs
                                           - 29 dst ports (random?)
                                           - 9 src ports (6660-6668)

2000.01.31/195.16.97.35 - office.portal.ru - 994 host addrs
                                           - 2 dst ports 1479/1624
                                           - 1 src port 6667

2000.02.01/195.16.97.35 - office.portal.ru - 1065 host addrs
                                           - 2 dst ports 1479/1624
                                           - 1 src port 6667

2000.02.02/195.16.97.35 - office.portal.ru - 473 host addrs
                                           - 2 dst ports 1479/1624
                                           - 1 src port 6667

Seems HP printers are responding to this probe.

E

Current thread:

1953 & 1808 godel () TECHNOLOGIST COM (Feb 03)
- Re: 1953 & 1808 Eric S. Johnson (Feb 03)
- <Possible follow-ups>
- Re: 1953 & 1808 Bill Royds (Feb 03)