Re: Wierd portscans

["Justin Hinderliter" <justin () interaccess com>]

And, BTW, it looks like the previous message was bounced due to the text
attachment of the port numbers ASCII document.  SBT.

Justin

----- Original Message -----
From: "Justin Hinderliter" <justin () interaccess com>
To: "Justin Hinderliter" <justin () interaccess com>; "Elric"
<elric () dse-nets com>; "North America Network Operators Group Mailing List"
<nanog () merit edu>
Sent: Wednesday, January 31, 2001 7:44 PM
Subject: Re: Wierd portscans


> As an added note, there's no match for those UDP ports on l0pht, phrack,
> etc. either.
>
> Justin
>
> ----- Original Message -----
> From: "Justin Hinderliter" <justin () interaccess com>
> To: "Elric" <elric () dse-nets com>; "North America Network Operators Group
> Mailing List" <nanog () merit edu>
> Sent: Wednesday, January 31, 2001 7:21 PM
> Subject: Re: Wierd portscans
>
>
> > Here's a list of services and their known port numbers.
> >
> > However, it appears that they're scanning for ports in the "reserved" or
> > "unassigned" zones.  It could be that they're scanning those ports just
to
> > see if you're allowing scans or blocking them/dropping them to a null
> > route... before running a subsequent scan.  Other than that, I'm not
quite
> > sure what they're looking for, to be truthful.
> >
> > One thought that comes to mind in regards to the high-numbered ports is
> > whether they might think that that's a firewall running PAT/NAT, in
which
> > case, private IPs behind the firewall would end up showing up as
> > high-numbered ports on the firewall.  Is this on a gateway/firewall, and
> if
> > so, are you running NAT/PAT?
> >
> > Justin Hinderliter
> > Network Analyst
> > InterAccess Co. Data CLEC
> >
> > ----- Original Message -----
> > From: "Elric" <elric () dse-nets com>
> > To: "North America Network Operators Group Mailing List"
<nanog () merit edu>
> > Sent: Wednesday, January 31, 2001 5:12 PM
> > Subject: Wierd portscans
> >
> >
> > > I've been going though my scanlogs and in the past couple of days I
have
> > > seen someone trying to come in.  Thier not getting in but im noticing
> them
> > > hitting a number of ports over and over. Primarily attempting udp port
> 0,
> > > but also 35072, 41612, and 63240. I've done searches on Google,
> Dejanews,
> > > Bugtraq etc but can't seem to find out what these ports are.  Just
> > > wondering if anyone had come across them ever....
> > >
> > >
> > >  - Elric
>
> --------------------------------------------------------------------------
> > >  Network Administrator                          Dierking Scott
> Enterprises
> >
>
> --------------------------------------------------------------------------
> > >