Security Incidents mailing list archives
Re: odd scan
From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Sun, 4 Feb 2001 14:35:47 -0500
On Sun, 4 Feb 2001, Kevin Holmquist wrote:
Feb 4 03:20:37 64.218.84.240:3378 -> ***.***.***.145:81 SYN ******S* Feb 4 03:20:38 64.218.84.240:3384 -> ***.***.***.145:8008 SYN ******S* Feb 4 03:20:39 64.218.84.240:3385 -> ***.***.***.145:8080 SYN ******S*
Any ideas why they would check ports 23, 79, 81? I know 23 is telnet and 79 is finger, but I haven't seen exploits for those lately (other than telnet being insecure). Also, why port 81? Any new exploits for these ports? I've seen reports of scans for 23 and 81 on sans.org, but noone seemed to know anything about them.
23 -- telnetd. IRIX haxs a major bug. also a good chance that if telnetd is running without any access control security is lax. 79 -- fingerd. again, if its there, usually a stock install and lax security. 81 -- often a web server control port. stupid on the part of the sogftware designers. i think, for example, netscape's server (which comes with IRIX) uses this port. just a nice quick fingerprint of the web server. apache, for example, does not use it. 8008 and 8080 -- usually web server test or admin ports. the web ports would be a nice fingerprint of a web server test box, often with lax security (ie 'who would want to hijack my web testbed? who will find it?') or just one with stupid defaults set up. just my $0.02. ____________________________ jose nazario jose () cwru edu PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80 PGP key ID 0xFD37F4E5 (pgp.mit.edu)
Current thread:
- odd scan Kevin Holmquist (Feb 04)
- Re: odd scan Jose Nazario (Feb 04)
- Re: odd scan Daniel R. Warner (Feb 04)