Security Incidents mailing list archives

lots of port 0 scannings

From: "SB CH" <chulmin2 () hotmail com>
Date: Mon, 28 Apr 2003 00:51:58 +0000

Hello, all.

I found lots of port 0 traffic from various conuntry these days like this.


[**] [1:524:5] BAD TRAFFIC tcp port 0 traffic [**]

[Classification: Misc activity] [Priority: 3]04/27-05:55:01.306781 65.57.56.46:0 -> 211.1.x.x:6588

TCP TTL:112 TOS:0x0 ID:464 IpLen:20 DgmLen:40 DF
******S* Seq: 0x95AF4  Ack: 0x0  Win: 0x200  TcpLen: 20

is there any special way or tool to use port 0 in order to scan?


and what's the meaning about this scan?

[**] [116:55:1] (snort_decoder): Truncated Tcp Options [**]
04/26-23:51:08.004547 211.230.86.34:0 -> 211.1.x.x:0
TCP TTL:120 TOS:0x0 ID:38672 IpLen:20 DgmLen:48 DF
******S* Seq: 0xD563D9DB  Ack: 0x0  Win: 0x4000  TcpLen: 28

the source port and dest port is 0 alike.



Thanks in advance.



_________________________________________________________________

고.. 감.. 도.. 사.. 랑.. 만.. 들.. 기.. MSN 러브http://www.msn.co.kr/love/


----------------------------------------------------------------------------

Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, theworld's premier event for IT and network security experts. The two-dayTraining features 6 hand-on courses on May 12-13 taught by professionals.The two-day Briefings on May 14-15 features 24 top speakers with no vendorsales pitches. Deadline for the best rates is April 25. Register today toensure your place. http://www.securityfocus.com/BlackHat-incidents----------------------------------------------------------------------------

Current thread:

lots of port 0 scannings SB CH (Apr 28)
- Re: lots of port 0 scannings Brad Doctor (Apr 29)
- <Possible follow-ups>
- Re: lots of port 0 scannings Neil Dickey (Apr 29)