Security Incidents mailing list archives

Who is looking for port 2036?

From: Joakim Berge <joakim.berge () gmail com>
Date: Tue, 25 Oct 2005 13:24:37 +0200

I observe many scans for port 2036  and 80.
Why 80 shows up, i don't know. but port 2036 are being used by Novell's RConJ.
The scan seems to be from a large botnet, across the world.  They have
only targeted one ip, and it doesn't respond to those ports.

I cant find any info on this on the net.
Is it the tryout of a new worm? Anyone seen any of this activity?


Some info from NFR.


Time:               24-Oct-2005 13:33:01
NFR:                sensor
Source:             172.216.191.56
Source Port:        3382
Target:             xx.xx.xx.xx
Target Port:        2036
Proto:              tcp
Tag:
Tagvalue:           s

Time:               24-Oct-2005 13:27:47
NFR:                sensor
Source:             81.14.183.21
Source Port:        1282
Target:             xx.xx.xx.xx
Target Port:        2036
Proto:              tcp
Tag:
Tagvalue:           s

Time:               24-Oct-2005 13:21:31
NFR:                sensor
Source:             129.67.19.253
Source Port:        57118
Target:             xx.xx.xx.xx
Target Port:        2036
Proto:              tcp
Tag:
Tagvalue:           s


--
Joakim Berge
Tlf. +47 93489696
MSN. joakim.berge () gmail com

Current thread:

Who is looking for port 2036? Joakim Berge (Oct 25)
- Re: Who is looking for port 2036? Tillmann Werner (Oct 26)
  - Re: Who is looking for port 2036? Joakim Berge (Oct 27)
    - Re: Who is looking for port 2036? mis (Oct 27)
    - Re: Who is looking for port 2036? Justin (Oct 28)