Security Incidents mailing list archives
Scans
From: scotta () GNAC COM (Scott Armstrong)
Date: Mon, 17 Jan 2000 09:30:27 -0800
Several of the firewalls I monitor have been scanned for TCP 2766 and UDP 2140. The scan for 2140 always has a source port of 60000, while the source port for 2766 varies. I researched the ports and could find nothing on 2140. 2766 comes up as Compaq SCP which seems to have something to do with Compaq GIGAswitches and the "switch control processor". Anyone know what they might be looking for?

Cleansed logs are,

First Clients Firewall:

Jan 16 14:27:01 firstfirewall unix: securityalert: no match found in local screen: TCP if=qfe1 srcaddr=24.112.237.202 srcport=38467 dstaddr=client1host1 dstport=2766
Jan 16 14:27:13 firstfirewall unix: securityalert: tcp if=qfe1 from 24.112.237.202:38907 to client1host2 on unserved port 2766
Jan 16 19:25:45 firstfirewall unix: securityalert: udp if=qfe1 from 24.188.66.243:60000 to client1host3 on unserved port 2140

Second Clients Firewall:

Jan 16 14:24:34 secondfirewall unix: securityalert: tcp if=hme1 from 24.112.237.202:42967 to client2host4 on unserved port 2766
Jan 16 14:28:42 secondfirewall unix: securityalert: no match found in local screen: TCP if=hme1 srcaddr=24.112.237.202 srcport=42356 dstaddr=client2host5 dstport=2766
Jan 16 19:25:46 secondfirewall unix: securityalert: udp if=hme1 from 24.188.66.243:60000 to client2host6 on unserved port 2140

Other relevant info:

24.112.237.202 = cr558296-b.wlfdle1.on.wave.home.com
Rogers@Home Ontario (NETBLK-ROGERS-1-BLOCK) ROGERS-1-BLOCK 24.112.0.0 - 24.112.255.255
Rogers@Home Wolfedale (NETBLK-ON-ROG-WFDL-7) ON-ROG-WFDL-7 24.112.236.0 - 24.112.239.255

24.188.66.243 = d66-243.mlfdct.optonline.net
Optimum Online (Cablevision Systems) (NETBLK-NETBLK-OOL) NETBLK-OOL 24.188.0.0 - 24.188.255.255
Cablevision Systems Corp (NETBLK-OOL-MLFDCT-UBR1-CA5-0) OOL-MLFDCT-UBR1-CA5-0 24.188.66.0 - 24.188.66.255

Thanks,
Scott
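
Added example, not part of the original post: a small correlator that normalises the two alert layouts quoted above and groups the probes by source, protocol and destination port across both firewalls, so a fixed source port such as 60000 stands out. The names parse, correlate, SCREEN and UNSERVED are chosen here for illustration.

```python
import re
from collections import defaultdict

# The six alert lines from the post above (hostnames were cleansed by the poster).
LOG = """\
Jan 16 14:27:01 firstfirewall unix: securityalert: no match found in local screen: TCP if=qfe1 srcaddr=24.112.237.202 srcport=38467 dstaddr=client1host1 dstport=2766
Jan 16 14:27:13 firstfirewall unix: securityalert: tcp if=qfe1 from 24.112.237.202:38907 to client1host2 on unserved port 2766
Jan 16 19:25:45 firstfirewall unix: securityalert: udp if=qfe1 from 24.188.66.243:60000 to client1host3 on unserved port 2140
Jan 16 14:24:34 secondfirewall unix: securityalert: tcp if=hme1 from 24.112.237.202:42967 to client2host4 on unserved port 2766
Jan 16 14:28:42 secondfirewall unix: securityalert: no match found in local screen: TCP if=hme1 srcaddr=24.112.237.202 srcport=42356 dstaddr=client2host5 dstport=2766
Jan 16 19:25:46 secondfirewall unix: securityalert: udp if=hme1 from 24.188.66.243:60000 to client2host6 on unserved port 2140
"""

PREFIX = r"^\w{3}\s+\d+ [\d:]+ (?P<fw>\S+) unix: securityalert: "
# Layout 1: "no match found in local screen: TCP if=.. srcaddr=.. srcport=.. dstaddr=.. dstport=.."
SCREEN = re.compile(PREFIX + r"no match found in local screen: (?P<proto>\w+) if=\S+ "
                    r"srcaddr=(?P<src>\S+) srcport=(?P<sport>\d+) "
                    r"dstaddr=(?P<dst>\S+) dstport=(?P<dport>\d+)")
# Layout 2: "tcp if=.. from ADDR:PORT to HOST on unserved port N"
UNSERVED = re.compile(PREFIX + r"(?P<proto>\w+) if=\S+ from (?P<src>[\d.]+):(?P<sport>\d+) "
                      r"to (?P<dst>\S+) on unserved port (?P<dport>\d+)")

def parse(text):
    """Normalise both alert layouts into dicts with the same keys."""
    events = []
    for line in text.splitlines():
        m = SCREEN.match(line) or UNSERVED.match(line)
        if m:
            e = m.groupdict()
            e.update(proto=e["proto"].lower(), sport=int(e["sport"]), dport=int(e["dport"]))
            events.append(e)
    return events

def correlate(events):
    """Group by (source, protocol, destination port) across all firewalls."""
    groups = defaultdict(lambda: {"firewalls": set(), "targets": set(), "sports": set()})
    for e in events:
        g = groups[(e["src"], e["proto"], e["dport"])]
        g["firewalls"].add(e["fw"])
        g["targets"].add(e["dst"])
        g["sports"].add(e["sport"])
    return dict(groups)

if __name__ == "__main__":
    for (src, proto, dport), g in sorted(correlate(parse(LOG)).items()):
        sport = g["sports"].pop() if len(g["sports"]) == 1 else "varies"
        print(f"{src} -> {proto}/{dport}: {len(g['targets'])} hosts on "
              f"{len(g['firewalls'])} firewalls, source port {sport}")
```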