Security Incidents mailing list archives
Re: two port scans
From: "martin j. muench" <muench () GMC-ONLINE DE>
Date: Wed, 30 Aug 2000 22:40:37 +0200
I've seen two port scans this week.
208.5.42.164 scanning port 137
202.30.115.58 scanning port 109
Both scanned my /25 net end to end
I couldn't get anything useful from whois.
208.5.42.164 = host3.neverending.com, looks like a small insecure server, which is probably rooted and now used for scanning. The other one is down.
Anyone else seen these boxen scanning
no, there are too many hosts scanning for several ports.
...know of recent toolkits or breakages they might be scanning for?
the second one which scans for port 109 tries to find some servers running the pop2 daemon, which is vulnerable. it is default enabled on several older linux distributions like for example redhat 5.2. the first one scans for Netbios Name Service, which is also vulnerable afaik. You should check your servers for running pop2-daemons and disable or upgrade them!

Martin J. Muench <muench () gmc-online de>
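Added example, not part of the original post: a small Python check that flags sources which probed a single port across nearly every address of a monitored subnet, the "end to end" pattern described in the thread. The key=value log format, the addresses (documentation ranges) and the name `find_sweeps` are assumptions made for illustration; only ports 109 and 137 and the /25 size come from the thread.

```python
import ipaddress
from collections import defaultdict

def find_sweeps(log_lines, network, min_coverage=0.9):
    """Return sorted (src, proto, port, coverage) tuples for every source that
    probed one port on at least min_coverage of the host addresses in network."""
    hosts = set(ipaddress.ip_network(network).hosts())
    seen = defaultdict(set)  # (src, proto, port) -> destinations touched
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        try:
            src, proto = fields["SRC"], fields["PROTO"]
            dst = ipaddress.ip_address(fields["DST"])
            port = int(fields["DPT"])
        except (KeyError, ValueError):
            continue  # skip truncated or malformed records
        if dst in hosts:
            seen[(src, proto, port)].add(dst)
    sweeps = []
    for (src, proto, port), dsts in seen.items():
        coverage = len(dsts) / len(hosts)
        if coverage >= min_coverage:
            sweeps.append((src, proto, port, round(coverage, 2)))
    return sorted(sweeps)

def build_sample():
    """Constructed log: two full sweeps of a /25 plus ordinary traffic."""
    hosts = list(ipaddress.ip_network("203.0.113.0/25").hosts())
    lines = [f"SRC=192.0.2.10 DST={h} PROTO=UDP DPT=137" for h in hosts]
    lines += [f"SRC=198.51.100.7 DST={h} PROTO=TCP DPT=109" for h in hosts]
    # A normal client that only talks to a few web servers.
    lines += [f"SRC=192.0.2.99 DST={h} PROTO=TCP DPT=80" for h in hosts[:3]]
    lines.append("truncated record with no fields")
    return lines

if __name__ == "__main__":
    for src, proto, port, cov in find_sweeps(build_sample(), "203.0.113.0/25"):
        print(f"{src} swept {proto}/{port} across {cov:.0%} of the subnet")
```

Lowering `min_coverage` catches slower or partial sweeps at the cost of flagging busy legitimate clients.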