Security Incidents mailing list archives
Re: two port scans
From: "Forrester, Mike" <mforrester () HSACORP NET>
Date: Thu, 31 Aug 2000 10:13:07 -0600
Haven't actually tried it out. Has anyone here?
http://www.geektools.com/software.html

Someone suggested this site on one of the lists (too many to remember which one). I like their whois better than arin.net
http://www.geektools.com/cgi-bin/proxy.cgi

Mike Forrester - Systems Security Engineer
High Speed Access Corp. - Denver, CO USA
mforrester () hsacorp net - +1 303 256 2134

-----Original Message-----
From: Robert Collins [mailto:robert.collins () ITDOMAIN COM AU]
Sent: Wednesday, August 30, 2000 5:42 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: two port scans

Thanks for the feedback from the list... I used the networksolutions whois... I'll dig around for whois on win32 :-]

All my boxes were fine - the logs showed no traffic allowed through the firewall from those sites. I'm about to mail the neverending admin contact.

Thanks again,
Rob

-----Original Message-----
From: martin j. muench [mailto:muench () GMC-ONLINE DE]
Sent: Thursday, 31 August 2000 7:41 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: two port scans

> I've seen two port scans this week.
> 208.5.42.164 scanning port 137
> 202.30.115.58 scanning port 109
> Both scanned my /25 net end to end
> I couldn't get anything useful from whois.

208.5.42.164 = host3.neverending.com, looks like a small insecure server, which is probably rooted and now used for scanning. The other one is down.

> Anyone else seen these boxen scanning

no, there are too many hosts scanning for several ports....

> know of recent toolkits or breakages they might be scanning for?

the second one which scans for port 109 tries to find some servers running the pop2 daemon, which is vulnerable. it is default enabled on several older linux distributions like for example redhat 5.2. the first one scans for Netbios Name Service, which is also vulnerable afaik.

You should check your servers for running pop2-daemons and disable or upgrade them!

Martin J. Muench <muench () gmc-online de>
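
A sweep like the one reported in this thread (one source probing a single port across a whole /25) can be picked out of firewall deny logs by counting distinct destinations per source and port. This is an added example, not part of the original messages; the log format, the 192.0.2.0/25 stand-in network, the noise source and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict

def make_sample_log():
    """Constructed deny records: 'timestamp action src dst dport'."""
    lines = []
    # The two sources named in the thread, each sweeping one port across
    # every host of a /25 (192.0.2.0/25 is a stand-in documentation range).
    for src, port in (("208.5.42.164", 137), ("202.30.115.58", 109)):
        for h in range(1, 127):
            lines.append(f"2000-08-30T10:{h // 60:02d}:{h % 60:02d} "
                         f"DENY {src} 192.0.2.{h} {port}")
    # Constructed background noise: a source touching only ten hosts.
    for h in range(1, 11):
        lines.append(f"2000-08-30T11:00:{h:02d} DENY 198.51.100.99 192.0.2.{h} 80")
    lines.append("garbage line that should be skipped")
    return lines

def find_sweeps(lines, network, min_coverage=0.5):
    """Return {(src, dport): coverage} for sources whose denied probes to a
    single port reached at least min_coverage of the network's usable hosts."""
    net = ipaddress.ip_network(network)
    usable = net.num_addresses - 2  # exclude network and broadcast addresses
    skip = (net.network_address, net.broadcast_address)
    targets = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or fields[1] != "DENY":
            continue  # malformed or non-deny record
        _, _, src, dst, dport = fields
        try:
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        if dst_ip in net and dst_ip not in skip:
            targets[(src, port)].add(dst_ip)
    coverage = {key: len(hosts) / usable for key, hosts in targets.items()}
    return {key: c for key, c in coverage.items() if c >= min_coverage}

if __name__ == "__main__":
    for (src, port), cov in find_sweeps(make_sample_log(), "192.0.2.0/25").items():
        print(f"{src} swept port {port} across {cov:.0%} of the /25")
```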