Security Incidents mailing list archives
Re: Port 109 scanning
From: Andy Duncan <andyduncan () MOTIVES CO UK>
Date: Tue, 7 Nov 2000 12:41:07 -0000
Yeah, I had me one of those:

[**] spp_portscan: PORTSCAN DETECTED from 209.34.16.122 (STEALTH) [**]
11/01-13:29:36.432711

[**] SCAN-SYN FIN [**]
11/01-13:29:36.405926 209.34.16.122:109 -> 212.x.x.x:109
TCP TTL:24 TOS:0x0 ID:39426
**SF**** Seq: 0x5297F633 Ack: 0x511E051C Win: 0x404

and speaking of virtually abandoned protocols, I had one on gopher a few days previously:

[**] spp_portscan: PORTSCAN DETECTED from 198.108.64.13 (STEALTH) [**]
10/31-07:41:22.405191

[**] SCAN-SYN FIN [**]
10/31-07:41:22.338681 198.108.64.13:70 -> 212.x.x.x:70
TCP TTL:25 TOS:0x0 ID:39426
**SF**** Seq: 0x506113C6 Ack: 0x582CAC4A Win: 0x404

-----Original Message-----
From: A.L.Lambert [mailto:alambert () EPICREALM COM]
Sent: 06 November 2000 13:26
To: INCIDENTS () securityfocus com
Subject: Port 109 scanning

I'm curious if anyone else has been getting port 109 SYN/FIN scans lately? (src 109 -> dst 109).

I've gotten them from two separate sources, several days apart (looks like a sequential scan of multiple class A networks), and I thought it was a bit odd, since last time I heard, POP2 was a virtually abandoned protocol (at least I've never seen it in use, and I've been mucking around on the net for a long time now), and in this day and age, a SYN/FIN scan is almost certain to set off IDSs.

Normally a targeted scan looking for something that won't hurt my network wouldn't do much more than wake me up enough to e-mail the admins of the offending network, but this one has my curiosity aroused, since on the surface, it looks both noisy, and pointless (or are there vulnerable pop2 servers all over the net that I'm unaware of?).

The sources of the scans were 204.31.162.252, and 209.84.237.75, and the targets were in the 200.x.x.x and 213.x.x.x netblocks.

Anyway, anyone with comments/thoughts, I'd be interested. Thanks in advance.

--A.L.Lambert
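
An added example, not part of either poster's message: a small triage script that parses the packet records from the two Snort alerts quoted above and groups SYN/FIN probes by IP ID and TCP window. Both probes carry the same ID and window although they come from different sources, which is consistent with crafted packets from a common tool rather than ordinary stack traffic. The function names and the regular expression are assumptions written for this illustration.

```python
import re
from collections import defaultdict

# Packet records copied from the two alerts in the message above.
ALERTS = """\
11/01-13:29:36.405926 209.34.16.122:109 -> 212.x.x.x:109
TCP TTL:24 TOS:0x0 ID:39426
**SF**** Seq: 0x5297F633 Ack: 0x511E051C Win: 0x404

10/31-07:41:22.338681 198.108.64.13:70 -> 212.x.x.x:70
TCP TTL:25 TOS:0x0 ID:39426
**SF**** Seq: 0x506113C6 Ack: 0x582CAC4A Win: 0x404
"""

# Matches one packet record; whitespace may be newlines or spaces.
PACKET_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-[\d:.]+)\s+(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.]+):(?P<dport>\d+)\s+"
    r"TCP\s+TTL:(?P<ttl>\d+)\s+TOS:\S+\s+ID:(?P<ip_id>\d+)\s+"
    r"(?P<flags>[*A-Z0-9]{8})\s+Seq:\s+\S+\s+Ack:\s+\S+\s+Win:\s+(?P<win>0x[0-9A-Fa-f]+)"
)

def parse_packets(text):
    """Return one dict per packet record found in the alert text."""
    return [m.groupdict() for m in PACKET_RE.finditer(text)]

def is_syn_fin(pkt):
    # SYN and FIN set together does not occur in a normal TCP handshake.
    return "S" in pkt["flags"] and "F" in pkt["flags"]

def shared_fingerprints(packets):
    """Map (IP ID, window) -> sources, for SYN/FIN probes seen from >1 source."""
    groups = defaultdict(set)
    for p in packets:
        if is_syn_fin(p):
            groups[(int(p["ip_id"]), int(p["win"], 16))].add(p["src"])
    return {fp: sorted(srcs) for fp, srcs in groups.items() if len(srcs) > 1}

def mirrored_ports(packets):
    """Probes whose source port equals the destination port (src 109 -> dst 109)."""
    return [p for p in packets if p["sport"] == p["dport"]]

if __name__ == "__main__":
    pkts = parse_packets(ALERTS)
    print("shared (ID, Win) across sources:", shared_fingerprints(pkts))
    print("mirrored-port probes:", len(mirrored_ports(pkts)))
```
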