Security Incidents mailing list archives

Anyone have any ideas?


From: Jim Starke <jstarke () ptd net>
Date: Mon, 14 May 2001 23:25:43 -0400

While running ethereal tonight I saw someone scanning all of the IP
addresses. I scrolled back and saw that my box was pinged twice and then,
approximately 7 minutes later, I saw an attempt to connect to port 1405,
all from the same IP address.

No.   Time                     Source        Destination   Protocol Info
18960 2001-05-14 22:25:08.2490 206.239.3.90  xx.xxx.xx.xx  ICMP     Echo (ping) request
18961 2001-05-14 22:25:09.2592 206.239.3.90  xx.xxx.xx.xx  ICMP     Echo (ping) request
19236 2001-05-14 22:32:44.2349 206.239.3.90  xx.xxx.xx.xx  TCP      79 > 1405 [RST, ACK] Seq=0 Ack=3813890208 Win=0 Len=0

I researched and found out the following information.

ibm-res         1405/tcp   IBM Remote Execution Starter
ibm-res         1405/udp   IBM Remote Execution Starter

[whois.arin.net]
Verio, Inc. (NET-VRIO-206-239)
   8005 South Chester Street
   Englewood, CO 80112
   US

   Netname: VRIO-206-239
   Netblock: 206.239.0.0 - 206.239.255.255
   Maintainer: VRIO

   Coordinator:
      Verio, Inc.  (VIA4-ORG-ARIN)  vipar () verio net
      303.645.1900

   Domain System inverse mapping provided by:

   NS0.VERIO.NET                129.250.15.61
   NS1.VERIO.NET                204.91.99.140
   NS2.VERIO.NET                129.250.31.190

   ********************************************
   Reassignment information for this block is
   available at rwhois.verio.net port 4321
   ********************************************

   Record last updated on 20-Aug-2000.
   Database last updated on 12-May-2001 22:47:54 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

I guess my questions are why they were attempting to connect to port
1405 (I don't have any services on that port) and why would they be
using port 79 to make the connection?

Thanks in advance.

Jim

-- 
Quidquid latine dictum sit, altum viditur.
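A defender's first check on a capture like the one quoted above, added here as example code that is not part of the original post: parse the ethereal summary lines and sort each packet by what its flags say it is doing (a host probe, a connection attempt, or a reply) before looking up the port number. The sample reproduces the three quoted lines with the wrapped columns rejoined and a constructed RFC 5737 documentation address, 192.0.2.10, standing in for the redacted destination. The classification rests on RFC 793: a host that receives a segment without the ACK bit (a SYN) on a port with no listener answers with RST,ACK carrying Seq=0 and Ack equal to the incoming sequence number plus its length. An RST,ACK with Seq=0 from port 79 therefore has the shape of a reply to a SYN that reached the remote host's port 79 with the monitored address as its source; the example counts it as a reply, not as a connection attempt against port 1405, and reports that the capture contains no SYN at all.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout of the ethereal summary quoted in the post
# (wrapped columns rejoined). The post redacted the destination; 192.0.2.10 is
# an RFC 5737 documentation address standing in for it.
SAMPLE_CAPTURE = """\
18960 2001-05-14 22:25:08.2490 206.239.3.90 192.0.2.10 ICMP Echo (ping) request
18961 2001-05-14 22:25:09.2592 206.239.3.90 192.0.2.10 ICMP Echo (ping) request
19236 2001-05-14 22:32:44.2349 206.239.3.90 192.0.2.10 TCP 79 > 1405 [RST, ACK] Seq=0 Ack=3813890208 Win=0 Len=0
"""

# No. / date / time / source / destination / protocol / free-form info column
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)
# Ethereal's TCP summary: "<sport> > <dport> [FLAG, FLAG] Seq=.. Ack=.. Win=.. Len=.."
TCP_INFO_RE = re.compile(r"^(?P<sport>\d+)\s*>\s*(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]")
KV_RE = re.compile(r"(\w+)=(\d+)")


@dataclass
class Packet:
    no: int
    src: str
    dst: str
    proto: str
    category: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: frozenset = frozenset()
    fields: Dict[str, int] = field(default_factory=dict)


def classify_tcp(flags: frozenset, fields: Dict[str, int]) -> str:
    """Name what a TCP segment is doing, judged by its flags alone."""
    if "SYN" in flags and "ACK" not in flags:
        return "connection-attempt"        # the only shape that opens a connection
    if "RST" in flags:
        # RFC 793: a reset answering a segment with no ACK bit (a SYN) carries
        # SEQ=0, ACK=SEG.SEQ+SEG.LEN and the ACK flag. That is a closed port
        # replying, not traffic the sender originated.
        if "ACK" in flags and fields.get("Seq") == 0:
            return "reset-reply-to-syn"
        return "reset"
    return "established-or-other"


def parse_capture(text: str) -> List[Packet]:
    """Parse ethereal summary lines into classified Packet records."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # tolerate wrapped or foreign lines
        proto, info = m.group("proto"), m.group("info")
        pkt = Packet(int(m.group("no")), m.group("src"), m.group("dst"), proto, "other")
        if proto == "ICMP" and "Echo (ping) request" in info:
            pkt.category = "host-probe"
        elif proto == "TCP":
            t = TCP_INFO_RE.match(info)
            if t:
                pkt.sport, pkt.dport = int(t.group("sport")), int(t.group("dport"))
                pkt.flags = frozenset(f.strip() for f in t.group("flags").split(","))
                pkt.fields = {k: int(v) for k, v in KV_RE.findall(info)}
                pkt.category = classify_tcp(pkt.flags, pkt.fields)
        packets.append(pkt)
    return packets


def summarize_by_source(packets: List[Packet]) -> Dict[str, Dict[str, int]]:
    """Per source address, how many packets fell into each category."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for p in packets:
        summary[p.src][p.category] += 1
    return {src: dict(c) for src, c in summary.items()}


def connection_attempts(packets: List[Packet]) -> List[Packet]:
    """Only segments that actually try to open a connection (SYN without ACK)."""
    return [p for p in packets if p.category == "connection-attempt"]


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for p in pkts:
        print(p.no, p.src, "->", p.dst, p.proto, p.category)
    print(summarize_by_source(pkts))
    print("connection attempts:", len(connection_attempts(pkts)))
```

Running it over the sample yields two host probes and one reset reply from 206.239.3.90 and an empty list of connection attempts. The follow-up a defender would want from that result is on the monitored host itself: check whether anything there sends finger (port 79) requests, since a reset with this shape answers a SYN that carried the monitored address, whether that SYN really left the host or was sent by a third party with a forged source.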

