Security Incidents mailing list archives

Re: Port 109 scanning


From: "Jay D. Dyson" <jdyson () TREACHERY NET>
Date: Mon, 6 Nov 2000 11:42:04 -0800

-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 6 Nov 2000, A.L.Lambert wrote:

> I'm curious if anyone else has been getting port 109 SYN/FIN
> scans lately? (src 109 -> dst 109).  I've gotten them from two separate
> sources, several days apart (looks like a sequential scan of multiple
> class A networks), and I thought it was a bit odd, since last time I
> heard, POP2 was a virtually abandoned protocol (at least I've never seen
> it in use, and I've been mucking around on the net for a long time now),
> and in this day and age, a SYN/FIN scan is almost certain to set off
> IDS's.

        I haven't seen any scans, but I know there are some agencies that
unwittingly do have POP2 enabled.  As recently as 1996, Sun Microsystems was
shipping Netra i systems (Solaris 2.4) with POP2 enabled.  Unfortunately,
those "easy-to-use" systems often fell into the hands of people who just
plugged 'em in, turned 'em on, and dropped them on the 'net.  Offhand, I'd
guess that there are at least a half-dozen Netra i's still running (and
probably with their default installs) where I used to work full time.

- -Jay

   (                                                              ______
   ))   .--- "There's always time for a good cup of coffee" ---.   >===<--.
 C|~~| (>-------- Jay D. Dyson -- jdyson () treachery net --------<) |   = |-'
  `--'  `----------- My other car is a Sparc Ultra. -----------'  `-----'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----
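
The traffic pattern discussed in this thread (TCP segments with both SYN and FIN set, source port 109 to destination port 109, one source touching many hosts), as an added detection example that is not part of the original messages. The packet builder, the sample addresses (documentation ranges) and the `min_targets` threshold are assumptions made for illustration.

```python
import struct
from collections import defaultdict

FIN, SYN, POP2_PORT = 0x01, 0x02, 109

def parse_tcp(packet):
    """Return (src, dst, sport, dport, flags) for a raw IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None  # too short, not IPv4, or not TCP
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(packet) < ihl + 14:
        return None  # bad header, non-first fragment, or truncated TCP header
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    src, dst = (".".join(map(str, packet[o:o + 4])) for o in (12, 16))
    return src, dst, sport, dport, packet[ihl + 13]

def is_synfin_pop2_probe(packet):
    """SYN and FIN together never occur in a legitimate handshake; add the 109 -> 109 pairing."""
    fields = parse_tcp(packet)
    if fields is None:
        return False
    _, _, sport, dport, flags = fields
    return flags & (SYN | FIN) == (SYN | FIN) and sport == dport == POP2_PORT

def scanning_sources(packets, min_targets=3):
    """Map each source to the hosts it probed, keeping sources that hit min_targets or more."""
    targets = defaultdict(set)
    for pkt in packets:
        if is_synfin_pop2_probe(pkt):
            src, dst = parse_tcp(pkt)[:2]
            targets[src].add(dst)
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}

def build_packet(src, dst, sport, dport, flags):
    """Constructed test input: minimal IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

# Constructed sample: one sequential sweep, one ordinary SYN, one stray SYN/FIN.
SAMPLE = [build_packet("203.0.113.7", f"192.0.2.{i}", 109, 109, SYN | FIN) for i in (1, 2, 3)]
SAMPLE.append(build_packet("198.51.100.9", "192.0.2.1", 40000, 109, SYN))
SAMPLE.append(build_packet("198.51.100.20", "192.0.2.5", 109, 109, SYN | FIN))

if __name__ == "__main__":
    print(scanning_sources(SAMPLE))
```
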

