Security Incidents mailing list archives

re: TCP 1025 scanning worm?

From: H C <keydet89 () yahoo com>
Date: Thu, 18 Jul 2002 11:36:35 -0700 (PDT)

The sources are all Windows boxes listening on TCP

port 1025.  

Not surprising at all.  MS has documentation that
states that the ports from 1025-1030 are used by RPC. 


Have you checked your own machine w/ fport?  I've got
ports open in that range on my system right now, but
they're all used by MS processes.

The ramp up in volume from widely separated source

IPs looks wormy.

How so?  The log extract you provided doesn't show any
data...it looks as if the initial SYN packet was
denied.  This could easily be a port scanner.


__________________________________________________
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes
http://autos.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

TCP 1025 scanning worm? Richard Johnson (Jul 17)
- <Possible follow-ups>
- RE: TCP 1025 scanning worm? Rob Keown (Jul 17)
- re: TCP 1025 scanning worm? H C (Jul 18)
  - re: TCP 1025 scanning worm? Richard Johnson (Jul 18)
- RE: TCP 1025 scanning worm? George M. Garner Jr. (Jul 19)