Security Incidents mailing list archives

Re: two port scans


From: "Forrester, Mike" <mforrester () HSACORP NET>
Date: Thu, 31 Aug 2000 10:13:07 -0600

Haven't actually tried it out.  Has anyone here?

http://www.geektools.com/software.html

Someone suggested this site on one of the lists (too many to remember which
one).  I like their whois better than arin.net

http://www.geektools.com/cgi-bin/proxy.cgi

Mike Forrester - Systems Security Engineer
High Speed Access Corp. - Denver, CO USA
mforrester () hsacorp net - +1 303 256 2134


-----Original Message-----
From: Robert Collins [mailto:robert.collins () ITDOMAIN COM AU]
Sent: Wednesday, August 30, 2000 5:42 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: two port scans


Thanks for the feedback from the list...

I used the networksolutions whois... I'll dig around for whois on win32 :-]

All my boxes were fine - the logs showed no traffic allowed through the
firewall from those sites. I'm about to mail the neverending admin contact.

Thanks again,
Rob

-----Original Message-----
From: martin j. muench [mailto:muench () GMC-ONLINE DE]
Sent: Thursday, 31 August 2000 7:41 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: two port scans


I've seen two port scans this week.
208.5.42.164 scanning port 137
202.30.115.58 scanning port 109

Both scanned my /25 net end to end

I couldn't get anything useful from whois.

208.5.42.164 = host3.neverending.com, looks like a small
insecure server, which is probably rooted and now used
for scanning. The other one is down.

Anyone else seen these boxen scanning

no, there are too many hosts scanning for several ports.

...know of recent toolkits or breakages they might be scanning
for?

the second one which scans for port 109 tries to find some
servers running the pop2 daemon, which is vulnerable. it is
default enabled on several older linux distributions like
for example redhat 5.2.
the first one scans for Netbios Name Service, which is also
vulnerable afaik.

You should check your servers for running pop2-daemons and
disable or upgrade them!


Martin J. Muench <muench () gmc-online de>
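
Added example, not part of the original thread: one way to run the log check the messages describe, finding sources that swept most of a /25 on a single port (137 and 109 here) and confirming that nothing from them was accepted. The log format, the addresses (documentation ranges), and the function names are assumptions constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed log format (constructed, not a real firewall's): <ACTION> SRC=<ip> DST=<ip> DPT=<port>
LINE_RE = re.compile(r"^(DENY|ACCEPT) SRC=(\S+) DST=(\S+) DPT=(\d+)$")
PROTECTED_NET = ipaddress.ip_network("192.0.2.0/25")  # documentation range


def build_sample_log():
    """Constructed sample: two end-to-end sweeps plus ordinary traffic."""
    lines = []
    for host in PROTECTED_NET.hosts():
        lines.append(f"DENY SRC=198.51.100.7 DST={host} DPT=137")
        lines.append(f"DENY SRC=203.0.113.9 DST={host} DPT=109")
    lines.append("ACCEPT SRC=198.51.100.50 DST=192.0.2.10 DPT=25")  # normal mail client
    lines.append("not a firewall line")  # malformed input is skipped
    return lines


def find_sweeps(lines, net=PROTECTED_NET, min_coverage=0.5):
    """Map (src, dport) -> coverage of net and count of accepted packets,
    for sources that probed at least min_coverage of net on one port."""
    targets = defaultdict(set)   # (src, dport) -> distinct destinations seen
    accepted = defaultdict(int)  # (src, dport) -> packets the firewall let through
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        action, src, dst, dport = m.groups()
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        if dst_ip not in net:
            continue
        key = (src, int(dport))
        targets[key].add(dst_ip)
        if action == "ACCEPT":
            accepted[key] += 1
    report = {}
    for key, dsts in targets.items():
        coverage = round(len(dsts) / net.num_addresses, 2)
        if coverage >= min_coverage:
            report[key] = {"coverage": coverage, "accepted": accepted[key]}
    return report


if __name__ == "__main__":
    print(find_sweeps(build_sample_log()))
```

A non-zero `accepted` count for a sweeping source is the case that needs follow-up on the destination hosts.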



