Security Incidents mailing list archives

Re: looking for what? portscan 15000/tcp

From: Skip Carter <skip () taygeta com>
Date: Fri, 23 Aug 2002 14:34:09 -0700

More curious is that it specifies the source port as 15000 as well.
Generally, I've only seen source ports specified for two reasons -- to get
around IDS's by scanning from the FTP-DATA port for TCP or 53 for UDP to
look like DNS responses or when someone's hunting for a backdoor the uses
the source port as part of the authentication mechanism.


  I suspect that the fact that the source port and destination ports are both
  the same reflects common origin of this exploit tool with that of other
  probe tools (there is one that does this for ssh on 22 and ftp on 21).
  Perhaps the original author was confused about the src/dest port designations
  or was trying to fool an early firewall, and set the two to the same.
  Then that code became the starting point for multiple probe tools ever since.




-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            












----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

looking for what? portscan 15000/tcp Fabio Pietrosanti (naif) (Aug 23)
- Re: looking for what? portscan 15000/tcp Thomas Cannon (Aug 23)
  - Re: looking for what? portscan 15000/tcp Skip Carter (Aug 23)
- <Possible follow-ups>
- RE: looking for what? portscan 15000/tcp Cushing, David (Aug 23)