Security Incidents mailing list archives

Scans


From: scotta () GNAC COM (Scott Armstrong)
Date: Mon, 17 Jan 2000 09:30:27 -0800


Several of the firewalls I monitor have been scanned for TCP 2766 and UDP 2140.  The scan for 2140 always has a source port of 60000, while the source port for 2766 varies.

I researched the ports and could find nothing on 2140.  2766 comes up as Compaq SCP, which seems to have something to do with Compaq GIGAswitches and the "switch control processor".  Anyone know what they might be looking for?

Cleansed logs are,

First Client's Firewall:

Jan 16 14:27:01 firstfirewall unix: securityalert: no match found in local screen: TCP if=qfe1 srcaddr=24.112.237.202 srcport=38467 dstaddr=client1host1 dstport=2766
Jan 16 14:27:13 firstfirewall unix: securityalert: tcp if=qfe1 from 24.112.237.202:38907 to client1host2 on unserved port 2766
Jan 16 19:25:45 firstfirewall unix: securityalert: udp if=qfe1 from 24.188.66.243:60000 to client1host3 on unserved port 2140

Second Client's Firewall:

Jan 16 14:24:34 secondfirewall unix: securityalert: tcp if=hme1 from 24.112.237.202:42967 to client2host4 on unserved port 2766
Jan 16 14:28:42 secondfirewall unix: securityalert: no match found in local screen: TCP if=hme1 srcaddr=24.112.237.202 srcport=42356 dstaddr=client2host5 dstport=2766
Jan 16 19:25:46 secondfirewall unix: securityalert: udp if=hme1 from 24.188.66.243:60000 to client2host6 on unserved port 2140

Other relevant info:

24.112.237.202 = cr558296-b.wlfdle1.on.wave.home.com
Rogers@Home Ontario (NETBLK-ROGERS-1-BLOCK) ROGERS-1-BLOCK
                                                   24.112.0.0 - 24.112.255.255
Rogers@Home Wolfedale (NETBLK-ON-ROG-WFDL-7) ON-ROG-WFDL-7
                                                 24.112.236.0 - 24.112.239.255

24.188.66.243 = d66-243.mlfdct.optonline.net
Optimum Online (Cablevision Systems) (NETBLK-NETBLK-OOL) NETBLK-OOL
                                                   24.188.0.0 - 24.188.255.255
Cablevision Systems Corp (NETBLK-OOL-MLFDCT-UBR1-CA5-0) OOL-MLFDCT-UBR1-CA5-0
                                                   24.188.66.0 - 24.188.66.255

Thanks,
Scott

