Security Incidents mailing list archives

RE: scans on port 57

From: "Craig, Scott" <SCraig () kmart com>
Date: Wed, 13 Nov 2002 11:06:18 -0500

I'm seeing the same thing. I also noticed one of the Code Red probes came at
the same time as a port57 scan from the same address yesterday.

On 11/1, I reported seeing very large IIS vulnerability probes that also
coincided with a port 57 scan.
One reply I received was that it was probably someone using "FxScanner". See
the following URL for details:
http://cert.uni-stuttgart.de/archive/intrusions/2002/11/msg00015.html

-----Original Message-----
From: Ingersoll, Jared [mailto:jared () cswv com] 
Sent: Tuesday, November 12, 2002 8:01 AM
To: incidents () securityfocus com
Subject: scans on port 57

I'm seeing a lot of blocked scans on port 57 in my firewall 
logs, many times in conjunction with a port 80 or port 21 
scan. I was working under the assumption that these were 
related to a misconfigured port scanner, but I'm seeing them 
from a pretty diverse set of source addresses, so now I'm 
curious what they're looking for.

jared

--------------------------------------------------------------
--------------
This list is provided by the SecurityFocus ARIS analyzer 
service. For more information on this free incident handling, 
management 
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

scans on port 57 Ingersoll, Jared (Nov 13)
- Re: scans on port 57 John Jørgensen (Nov 13)
- <Possible follow-ups>
- RE: scans on port 57 Vince Hillier (Nov 13)
- RE: scans on port 57 Craig, Scott (Nov 13)