Re: odd scan

[Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>]

On Sun, 4 Feb 2001, Kevin Holmquist wrote:

> Feb  4 03:20:37 64.218.84.240:3378 -> ***.***.***.145:81 SYN ******S*
> Feb  4 03:20:38 64.218.84.240:3384 -> ***.***.***.145:8008 SYN ******S*
> Feb  4 03:20:39 64.218.84.240:3385 -> ***.***.***.145:8080 SYN ******S*

> Any ideas why they would check ports 23, 79, 81? I know 23 is telnet
> and 79 is finger, but I haven't seen exploits for those lately (other
> than telnet being insecure).  Also, why port 81? Any new exploits for
> these ports?  I've seen reports of scans for 23 and 81 on sans.org,
> but noone seemed to know anything about them.

23 -- telnetd. IRIX haxs a major bug. also a good chance that if telnetd
is running without any access control security is lax.

79 -- fingerd. again, if its there, usually a stock install and lax
security.

81 -- often a web server control port. stupid on the part of the sogftware
designers. i think, for example, netscape's server (which comes with IRIX)
uses this port. just a nice quick fingerprint of the web server. apache,
for example, does not use it.

8008 and 8080 -- usually web server test or admin ports.

the web ports would be a nice fingerprint of a web server test box, often
with lax security (ie 'who would want to hijack my web testbed? who will
find it?') or just one with stupid defaults set up.

just my $0.02.

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)