Security Incidents mailing list archives

Re: update on scans of tcp 12345 AUSCERT#36349

From: sterwill () SOURCEGEAR COM (Shaw Terwilliger)
Date: Thu, 8 Jun 2000 11:09:31 -0500


Russell Fulton wrote:

Oh, yes.  Source addresses seem to be mostly dialup or cable/dsl
address and are spread around the world.

APNIC addresses (210.0.0.0/7) are over represented -- between third and
a half. Those that I looked up were predominantly Korean with a few in
Japan. There are quite a lot form home.com, sympatico.ca,
videotron.net, da.uu.net (cable providers?), and a smattering from
around the rest of the world including Europe.


I have a single static IP dialup, and two days ago I received a similar
scan on 12345, so it's not just you.  It appears to be from a cable
provider (excite@home).

Jun  6 20:20:11 port 12345 connection attempt from cr458475-a.lndn1.on.wave.home
.com [24.112.54.236]

--
Shaw Terwilliger <sterwill () sourcegear com>

Current thread:

update on scans of tcp 12345 AUSCERT#36349 Russell Fulton (Jun 05)
- Re: update on scans of tcp 12345 AUSCERT#36349 Shaw Terwilliger (Jun 08)
- unknown trojan (attached) Jeremy L. Gaddis (Jun 08)
  - ** New DDoS / Trojan ** nine (Jun 10)
    - Re: ** New DDoS / Trojan ** Pierre Vandevenne (Jun 12)
  - Re: unknown trojan (attached) Brandon Kittler (Jun 10)
    - Re: unknown trojan (attached) Doug Kahler (Jun 12)
    - .:: 14x :: Information :: New DDoS/Trojan ::. Erik Tayler (Jun 13)
    - Re: .:: 14x :: Information :: New DDoS/Trojan ::. Lic. Rodolfo Gonzalez Gonzalez (Jun 15)
    - IRC connect through apache ???? arhuman () HOTMAIL COM (Jun 14)
    - Re: IRC connect through apache ???? Eric Vyncke (Jun 15)
- Re: update on scans of tcp 12345 AUSCERT#36349 orestes () DORIAN 2Y NET (Jun 08)

(Thread continues...)