Re: Port 109 scanning

[Andy Duncan <andyduncan () MOTIVES CO UK>]

Yeah, I had me one of those:


[**] spp_portscan: PORTSCAN DETECTED from 209.34.16.122 (STEALTH) [**]
11/01-13:29:36.432711
[**] SCAN-SYN FIN [**]
11/01-13:29:36.405926 209.34.16.122:109 -> 212.x.x.x:109
TCP TTL:24 TOS:0x0 ID:39426
**SF**** Seq: 0x5297F633   Ack: 0x511E051C   Win: 0x404


and speaking of virtually abandoned protocols, I had one on gopher a
few days previously:


[**] spp_portscan: PORTSCAN DETECTED from 198.108.64.13 (STEALTH) [**]
10/31-07:41:22.405191
[**] SCAN-SYN FIN [**]
10/31-07:41:22.338681 198.108.64.13:70 -> 212.x.x.x:70
TCP TTL:25 TOS:0x0 ID:39426
**SF**** Seq: 0x506113C6   Ack: 0x582CAC4A   Win: 0x404


> -----Original Message-----
> From: A.L.Lambert [mailto:alambert () EPICREALM COM]
> Sent: 06 November 2000 13:26
> To: INCIDENTS () securityfocus com
> Subject: Port 109 scanning
>
>
>       I'm curious if anyone else has been getting port 109 SYN/FIN
> scan's lately? (src 109 -> dst 109).  I've gotten them from
> two separate
> sources, several days apart (looks like a sequential scan of multiple
> class A networks), and I thought it was a bit odd, since last time I
> heard, POP2 was a virtually abandoned protocol (at least I've
> never seen
> it in use, and I've been mucking around on the net for a long
> time now),
> and in this day and age, a SYN/FIN scan is almost certain to set off
> IDS's.
>
>       Normally a targeted scan looking for something that
> won't hurt my
> network wouldn't do much more than wake me up enough to
> e-mail the admin's
> of the offending network, but this one has my curiosity
> aroused, since on
> the surface, it looks both noisy, and pointless (or are there
> vulnerable
> pop2 servers all over the net that I'm unaware of?).
>
>       The source of the scan's were 204.31.162.252, and 209.84.237.75,
> and the targets were in the 200.x.x.x and 213.x.x.x netblock's.
>
>       Anyway, anyone with comments/thoughts, I'd be
> interested.  Thanks
> in advance.
>
>       --A.L.Lambert