Security Incidents mailing list archives

Re: Port 2000, 2002 scans


From: Bruce Anhalt <brucea () INSTALLSHIELD COM>
Date: Tue, 12 Sep 2000 17:06:33 -0500

I used to run an IBM AS/400 and an MS SQL server with IIS and Site Server.

We had to mirror data tables from the AS/400 to SQL and keep them
synchronized on an e-commerce site for up-to-the-minute inventory quotes
and more.

Data mirror (the name of the program) is made in Canada and
transfers and syncs on these ports.

The ports can be changed but those are defaults and the program is finicky.

The web/sql server and AS/400 have to communicate through the firewall and
these ports had to be used and open.

Hope this helps.


Bruce O. Anhalt
STE Lab Manager
InstallShield Software Corp.
mailto:brucea () installshield com
http://www.installshield.com
(847)413-8507


-----Original Message-----
From: Arnold, Jamie [mailto:harnold () BINGHAMTON EDU]
Sent: Tuesday, September 12, 2000 1:00 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Port 2000, 2002 scans


I have seen MANY machines with these ports open.  Too many, I think, for it
to be TransScout.  Sounds like there must be another explanation for this.


-----Original Message-----
From: Erik Tayler [mailto:nine () 14X NET]
Sent: Tuesday, September 12, 2000 12:14 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Port 2000, 2002 scans


It is a possibility that "user" is infected with TransScout [ a somewhat
old backdoor ]. For a FAQ and some more information about removing the
backdoor, go to link below:

http://members.tripod.de/transscout/tshelp.htm#faq1

If the user is not infected, read through RFC1445

http://www.cis.ohio-state.edu/htbin/rfc/rfc1445.html  [ or ]
http://www.landfield.com/rfcs/rfc1351.html

Could probably be a multitude of other things, 2000 seems to be one of
the "ports-of-choice" this year. Pfft.

Erik Tayler
http://www.14x.net/fx

"L.A. Smith" wrote:

Hello!

I have had hundreds of complaints from one user about port scans on his PC
for ports 2000 and 2002.  I know 2000 can be used for OpenWin.  I haven't
been able to get a straight answer from this person about what they're
running but seeing as they use Jammer as their firewall software (heh, not
my idea!), they must be running Windoze of some sort.  Could someone shed
some light as to what hundreds of IP addresses would want with their port
2000 and 2002?

Thanks!

