Security Incidents mailing list archives

looking for what? portscan 15000/tcp


From: "Fabio Pietrosanti (naif)" <naif () blackhats it>
Date: Fri, 23 Aug 2002 14:08:04 +0200


Today I found it on a very important network...

Aug 23 07:34:02 router 548124: Aug 23 07:37:06 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.1.1(15000), 1 packet
Aug 23 07:34:03 router 548125: Aug 23 07:37:07 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.1.102(15000), 1 packet
Aug 23 07:34:04 router 548126: Aug 23 07:37:08 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.1.204(15000), 1 packet
Aug 23 07:34:05 router 548127: Aug 23 07:37:09 MEST: %SEC-6-IPACCESSLOGP: list 105 denied tcp 210.117.126.206(15000) -> xx.xx.2.49(15000), 1 packet
Aug 23 07:34:06 router 548128: Aug 23 07:37:10 MEST: %SEC-6-IPACCESSLOGP: list 105 denied tcp 210.117.126.206(15000) -> xx.xx.2.151(15000), 1 packet
Aug 23 07:34:07 router 548129: Aug 23 07:37:11 MEST: %SEC-6-IPACCESSLOGP: list 105 denied tcp 210.117.126.206(15000) -> xx.xx.2.248(15000), 1 packet
Aug 23 07:34:10 router 548130: Aug 23 07:37:14 MEST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 210.117.126.206(15000) -> xx.xx.4.1(15000), 1 packet
Aug 23 07:34:11 router 548131: Aug 23 07:37:15 MEST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 210.117.126.206(15000) -> xx.xx.4.103(15000), 1 packet
Aug 23 07:34:12 router 548132: Aug 23 07:37:16 MEST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 210.117.126.206(15000) -> xx.xx.4.202(15000), 1 packet
Aug 23 07:34:15 router 548133: Aug 23 07:37:19 MEST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 210.117.126.206(15000) -> xx.xx.6.1(15000), 1 packet
Aug 23 07:34:16 router 548134: Aug 23 07:37:20 MEST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 210.117.126.206(15000) -> xx.xx.6.100(15000), 1 packet
Aug 23 07:34:17 router 548135: Aug 23 07:37:21 MEST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 210.117.126.206(15000) -> xx.xx.6.201(15000), 1 packet
Aug 23 07:34:19 router 548136: Aug 23 07:37:23 MEST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 210.117.126.206(15000) -> xx.xx.7.128(15000), 1 packet
Aug 23 07:34:19 router 548137: Aug 23 07:37:24 MEST: %SEC-6-IPACCESSLOGP: list 107 denied tcp 210.117.126.206(15000) -> xx.xx.7.227(15000), 1 packet
Aug 23 07:37:12 router 548143: Aug 23 07:40:15 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.74.1(15000), 1 packet
Aug 23 07:37:13 router 548144: Aug 23 07:40:17 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.74.95(15000), 1 packet

From http://www.thekoala.com/ports.htm I found that it could be
 - 15000 TCP Netdemon

but I'm curious regarding:

- two scan attempts were done (07:37:06 & 07:40:17)
- why was not every host scanned, but only some of them?

Regards

-naif

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
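
An added example, not part of the original post: one way to summarise router ACL deny entries like those quoted above, grouping them by source and destination port and listing the last-octet gaps between consecutive targets in the same /24, which bears on the question of why only some hosts were probed. The function name `summarize` and the `min_targets` threshold are assumptions; the sample entries are copied from the post.

```python
import re
from collections import defaultdict

# Entries copied from the post (destination prefix masked by the poster as xx.xx).
# The first entry is wrapped after "->" the way the archive shows it.
SAMPLE = """\
Aug 23 07:34:02 router 548124: Aug 23 07:37:06 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) ->
xx.xx.1.1(15000), 1 packet
Aug 23 07:34:03 router 548125: Aug 23 07:37:07 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.1.102(15000), 1 packet
Aug 23 07:34:04 router 548126: Aug 23 07:37:08 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.1.204(15000), 1 packet
Aug 23 07:34:05 router 548127: Aug 23 07:37:09 MEST: %SEC-6-IPACCESSLOGP: list 105 denied tcp 210.117.126.206(15000) -> xx.xx.2.49(15000), 1 packet
Aug 23 07:34:06 router 548128: Aug 23 07:37:10 MEST: %SEC-6-IPACCESSLOGP: list 105 denied tcp 210.117.126.206(15000) -> xx.xx.2.151(15000), 1 packet
Aug 23 07:34:07 router 548129: Aug 23 07:37:11 MEST: %SEC-6-IPACCESSLOGP: list 105 denied tcp 210.117.126.206(15000) -> xx.xx.2.248(15000), 1 packet
"""

# \s* after "->" tolerates the mail-wrapped form as well as single-line entries.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\) ->\s*"
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

def summarize(text, min_targets=3):
    """Per (source, protocol, dest port): targets in log order, source ports, address gaps."""
    seen = defaultdict(lambda: {"targets": [], "sports": set()})
    for m in LOG_RE.finditer(text):
        entry = seen[(m["src"], m["proto"], int(m["dport"]))]
        entry["sports"].add(int(m["sport"]))
        if m["dst"] not in entry["targets"]:
            entry["targets"].append(m["dst"])
    report = {}
    for key, entry in seen.items():
        if len(entry["targets"]) < min_targets:
            continue  # too few distinct hosts to call it a sweep
        gaps = []
        for a, b in zip(entry["targets"], entry["targets"][1:]):
            (net_a, host_a), (net_b, host_b) = a.rsplit(".", 1), b.rsplit(".", 1)
            if net_a == net_b:  # only compare hosts inside the same /24
                gaps.append(int(host_b) - int(host_a))
        report[key] = {**entry, "gaps": gaps}
    return report

if __name__ == "__main__":
    for (src, proto, dport), info in summarize(SAMPLE).items():
        print(f"{src} -> {dport}/{proto}: {len(info['targets'])} hosts, "
              f"source ports {sorted(info['sports'])}, last-octet gaps {info['gaps']}")
```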

