nanog mailing list archives
Re: Wierd portscans
From: "Justin Hinderliter" <justin () interaccess com>
Date: Wed, 31 Jan 2001 19:45:48 -0600
And, BTW, it looks like the previous message was bounced due to the text attachment of the port numbers ASCII document. SBT.

Justin

----- Original Message -----
From: "Justin Hinderliter" <justin () interaccess com>
To: "Justin Hinderliter" <justin () interaccess com>; "Elric" <elric () dse-nets com>; "North America Network Operators Group Mailing List" <nanog () merit edu>
Sent: Wednesday, January 31, 2001 7:44 PM
Subject: Re: Wierd portscans

As an added note, there's no match for those UDP ports on l0pht, phrack, etc. either.

Justin

----- Original Message -----
From: "Justin Hinderliter" <justin () interaccess com>
To: "Elric" <elric () dse-nets com>; "North America Network Operators Group Mailing List" <nanog () merit edu>
Sent: Wednesday, January 31, 2001 7:21 PM
Subject: Re: Wierd portscans

Here's a list of services and their known port numbers. However, it appears that they're scanning for ports in the "reserved" or "unassigned" zones. It could be that they're scanning those ports just to see if you're allowing scans or blocking them/dropping them to a null route... before running a subsequent scan. Other than that, I'm not quite sure what they're looking for, to be truthful.

One thought that comes to mind in regards to the high-numbered ports is whether they might think that that's a firewall running PAT/NAT, in which case, private IPs behind the firewall would end up showing up as high-numbered ports on the firewall. Is this on a gateway/firewall, and if so, are you running NAT/PAT?

Justin Hinderliter
Network Analyst
InterAccess Co.
Data CLEC

----- Original Message -----
From: "Elric" <elric () dse-nets com>
To: "North America Network Operators Group Mailing List" <nanog () merit edu>
Sent: Wednesday, January 31, 2001 5:12 PM
Subject: Wierd portscans

I've been going through my scanlogs and in the past couple of days I have seen someone trying to come in. They're not getting in but I'm noticing them hitting a number of ports over and over. Primarily attempting UDP port 0, but also 35072, 41612, and 63240. I've done searches on Google, Dejanews, Bugtraq etc. but can't seem to find out what these ports are. Just wondering if anyone had come across them ever....

- Elric
--------------------------------------------------------------------------
Network Administrator
Dierking Scott Enterprises
--------------------------------------------------------------------------
Current thread:
- Wierd portscans Elric (Feb 24)
- Re: Wierd portscans Avleen Vig (Feb 24)
- <Possible follow-ups>
- Re: Wierd portscans Justin Hinderliter (Feb 24)
- Re: Wierd portscans Justin Hinderliter (Feb 24)