Re: Port 109 scanning

[Jander Sunstar <jander () DARKFLAME NET>]

I have seen the same thing on my network here,from the same IP addresses.
Also followed by a scan for 143(imap) all across our /19.




Rick Harris
UNIX Administrator
Internet Global/Telares
jander () iglobal net <mailto:jander () iglobal net>

"In a time of insanity, let a madman lead the way"



-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of A.L.Lambert
Sent: Monday, November 06, 2000 7:26 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Port 109 scanning


        I'm curious if anyone else has been getting port 109 SYN/FIN
scan's lately? (src 109 -> dst 109).  I've gotten them from two separate
sources, several days apart (looks like a sequential scan of multiple
class A networks), and I thought it was a bit odd, since last time I
heard, POP2 was a virtually abandoned protocol (at least I've never seen
it in use, and I've been mucking around on the net for a long time now),
and in this day and age, a SYN/FIN scan is almost certain to set off
IDS's.

        Normally a targeted scan looking for something that won't hurt my
network wouldn't do much more than wake me up enough to e-mail the admin's
of the offending network, but this one has my curiosity aroused, since on
the surface, it looks both noisy, and pointless (or are there vulnerable
pop2 servers all over the net that I'm unaware of?).

        The source of the scan's were 204.31.162.252, and 209.84.237.75,
and the targets were in the 200.x.x.x and 213.x.x.x netblock's.

        Anyway, anyone with comments/thoughts, I'd be interested.  Thanks
in advance.

        --A.L.Lambert