Security Incidents mailing list archives
Re: looking for what? portscan 15000/tcp
From: Thomas Cannon <tcannon () noops org>
Date: Fri, 23 Aug 2002 10:58:14 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 23 Aug 2002, Fabio Pietrosanti (naif) wrote:
Today I found it on a very important network...
<snip>
Aug 23 07:37:12 router 548143: Aug 23 07:40:15 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.74.1(15000), 1 packet
Aug 23 07:37:13 router 548144: Aug 23 07:40:17 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.74.95(15000), 1 packet

From http://www.thekoala.com/ports.htm I found that it could be
- 15000 TCP Netdemon

but I'm curious regarding:
- two scan attempts were done (07:37:06 & 07:40:17)
- why not every host was scanned but only some of them?

Regards
-naif
More curious is that it specifies the source port as 15000 as well. Generally, I've only seen source ports specified for two reasons -- to get around IDSs by scanning from the FTP-DATA port for TCP or 53 for UDP to look like DNS responses, or when someone's hunting for a backdoor that uses the source port as part of the authentication mechanism.

That some of the hosts were skipped does not surprise me -- scanning while controlling the source port is slow and awkward, and it would be easy for someone to trip up the code to do it. That, or maybe they already tried running an exploit against certain hosts and now it's going back and checking only those -- twice. Maybe they ran the exploit twice, just to be thorough?

Well, that's all the guessing I have in me after one cup of coffee.

Cheers,
- -tcannon
"No brain, no headache"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9Zne4aQMXAlxQFWcRAkmlAKDB694l5gix8Yj6BdFVoaxq/TGkawCgnNib
uzeqsMqPZU4xXiPMrhUqs00=
=59nL
-----END PGP SIGNATURE-----
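
The observation in the message above (one source reusing a single source port across several targets) can be checked mechanically against ACL deny logs. The following is an added example, not part of the original post: the function name, the `min_targets` threshold and the last three sample lines (documentation-range addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Cisco IOS ACL log format as quoted in the message above.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \S+ denied (?:tcp|udp) "
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\) -> (?P<dst>[\w.]+)\((?P<dport>\d+)\)"
)

PREFIX = "Aug 23 07:40:15 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp "
SAMPLE = [
    # First two entries: the denies quoted in the post (syslog prefix shortened).
    PREFIX + "210.117.126.206(15000) -> xx.xx.74.1(15000), 1 packet",
    PREFIX + "210.117.126.206(15000) -> xx.xx.74.95(15000), 1 packet",
    # Constructed: an ordinary client stack, ephemeral source port changes.
    PREFIX + "192.0.2.10(33211) -> xx.xx.74.1(80), 1 packet",
    PREFIX + "192.0.2.10(33212) -> xx.xx.74.2(80), 1 packet",
    # Constructed: fixed source port but only one target, too little to judge.
    PREFIX + "198.51.100.7(53) -> xx.xx.74.1(1024), 1 packet",
]

def fixed_source_port_sources(lines, min_targets=2):
    """Return {src: details} for sources that hit at least min_targets
    distinct hosts while never changing their source port."""
    sports = defaultdict(set)    # src -> source ports seen
    targets = defaultdict(set)   # src -> (dst, dport) pairs probed
    for line in lines:
        m = ACL_RE.search(line)
        if not m:
            continue             # not an ACL deny with port information
        sports[m["src"]].add(int(m["sport"]))
        targets[m["src"]].add((m["dst"], int(m["dport"])))
    hits = {}
    for src, ports in sports.items():
        hosts = sorted({dst for dst, _ in targets[src]})
        if len(ports) == 1 and len(hosts) >= min_targets:
            sport = next(iter(ports))
            hits[src] = {
                "sport": sport,
                "targets": hosts,
                # True when every probe used the same port on both ends
                "mirrors_dport": all(dp == sport for _, dp in targets[src]),
            }
    return hits

if __name__ == "__main__":
    for src, info in fixed_source_port_sources(SAMPLE).items():
        print(src, info)
```

A hit only says the sender chose its source port deliberately; it does not distinguish between the two reasons the message gives.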
Current thread:
- looking for what? portscan 15000/tcp Fabio Pietrosanti (naif) (Aug 23)
- Re: looking for what? portscan 15000/tcp Thomas Cannon (Aug 23)
- Re: looking for what? portscan 15000/tcp Skip Carter (Aug 23)
- <Possible follow-ups>
- RE: looking for what? portscan 15000/tcp Cushing, David (Aug 23)
- Re: looking for what? portscan 15000/tcp Thomas Cannon (Aug 23)