Security Incidents mailing list archives
re: TCP 1025 scanning worm?
From: H C <keydet89 () yahoo com>
Date: Thu, 18 Jul 2002 11:36:35 -0700 (PDT)
The sources are all Windows boxes listening on TCP
port 1025. Not surprising at all. MS has documentation that states that the ports from 1025-1030 are used by RPC. Have you checked your own machine w/ fport? I've got ports open in that range on my system right now, but they're all used by MS processes.
The ramp up in volume from widely separated source
IPs looks wormy. How so? The log extract you provided doesn't show any data...it looks as if the initial SYN packet was denied. This could easily be a port scanner. __________________________________________________ Do You Yahoo!? Yahoo! Autos - Get free new car price quotes http://autos.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- TCP 1025 scanning worm? Richard Johnson (Jul 17)
- <Possible follow-ups>
- RE: TCP 1025 scanning worm? Rob Keown (Jul 17)
- re: TCP 1025 scanning worm? H C (Jul 18)
- re: TCP 1025 scanning worm? Richard Johnson (Jul 18)
- RE: TCP 1025 scanning worm? George M. Garner Jr. (Jul 19)