Security Incidents mailing list archives

Re: NTP scan ????

From: Russell Fulton <R.FULTON () auckland ac nz>
Date: 28 Feb 2002 09:16:55 +1300

On Wed, 2002-02-27 at 14:52, Will Aoki wrote:

On Wed, Feb 27, 2002 at 10:43:19AM +1300, Russell Fulton wrote:

(213.237.6.5) at 22:13 GMT-7 on the 20th, but I figured that it must
be something other than NTP, since AFAIK NTP only runs over UDP.


Possibly but tcp-123 is reserved for NTP...  Another thought that
occurred to me was that it was a typo and they meant to scan for
1234 or 12345, both popular trojan ports, This seems unlikely since
it would appear that this wasn't a single scan.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

NTP scan ???? Russell Fulton (Feb 26)
- Re: NTP scan ???? Paul Gear (Feb 27)
- Re: NTP scan ???? Will Aoki (Feb 27)
  - Re: NTP scan ???? Russell Fulton (Feb 27)
    - Re: NTP scan ???? Paul Gear (Feb 28)
- Re: NTP scan ???? John Kristoff (Feb 28)