Security Incidents mailing list archives
Re: scans on ports 3072 and 1024, why?
From: Ulrich Eckhardt <Ulrich.Eckhardt () TRANSCOM DE>
Date: Fri, 29 Dec 2000 09:10:17 +0100
Conor McGrath wrote:
We've been seeing lots of scans of IPs in our address space with the destination ports of 1024 and 3072. They are always paired like that, although they don't hit the same IP on both ports, as far as I can tell. The source ports are most often typical IRC server ports (6667 and 6668), but sometimes they were sourced from ports 80 and 7325. It's not IRC traffic, as IRC servers aren't supposed to be sending packets to 6400 different IPs in one class B range without having 6400 different clients connect first. Also, often it is only one packet being sent. Now, a number of the suspect machines are Dalnet servers, but there is also a Microsoft web server and a few other random hosts that are not, as far as I can tell, running any kind of IRC service.
Hi, I can see the same here. Mostly these scans seem to come from IRC servers. The Dalnet servers also scan other ports like 3072 and 1024, and always only with the RST flag (193.103.163. is our network, and most of these hosts do not exist):

06:27:22 TCP dalnet.away.net -> 193.103.163.11 6667 2075 RST
02:13:47 TCP dalnet.away.net -> 193.103.163.92 6667 20391 RST

The same scan but with a different source port:

00:02:26 TCP irc.east.gblx.net -> 193.103.163.114 40300 17122 RST
01:12:48 TCP ircd.west.gblx.net -> 193.103.163.24 40003 21849 RST
23:39:32 TCP irc.east.gblx.net -> 193.103.163.18 23500 16520 RST

And here is one which seems to match your findings, but note also the TCP flags:

10:48:07 TCP irc2.erols.com -> 193.103.163.6 6667 1024 SYN ACK
10:48:07 TCP irc2.erols.com -> 193.103.163.6 6667 1024 ACK RST
10:49:16 TCP irc2.erols.com -> 193.103.163.90 6667 1024 SYN ACK
10:49:16 TCP irc2.erols.com -> 193.103.163.90 6667 1024 ACK RST
10:59:03 TCP irc2.erols.com -> 193.103.163.81 6667 3072 SYN ACK
10:59:03 TCP irc2.erols.com -> 193.103.163.81 6667 3072 ACK RST

Uli
--
Ulrich Eckhardt
Tr@nscom
http://www.uli-eckhardt.de
http://www.transcom.de
Lagerstraße 11-15 A8
64807 Dieburg
Germany
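A small triage script, added here as an example and not part of the thread, that parses log lines in the format Uli posted and groups them by source host, separating the bare-RST scans from the SYN/ACK + ACK/RST pairs and recording which destination ports each source touched. The sample log is constructed from the posted lines plus one ordinary inbound SYN (from the documentation address 198.51.100.7) as a control; the log format and the "unsolicited" assumption (the monitored hosts never initiated a connection) are taken from the post.

```python
import re
from collections import defaultdict
# Constructed sample in the thread's log format: the posted hosts and times plus one ordinary SYN as a control.
SAMPLE_LOG = """\
06:27:22 TCP dalnet.away.net -> 193.103.163.11 6667 2075 RST
02:13:47 TCP dalnet.away.net -> 193.103.163.92 6667 20391 RST
10:48:07 TCP irc2.erols.com -> 193.103.163.6 6667 1024 SYN ACK
10:48:07 TCP irc2.erols.com -> 193.103.163.6 6667 1024 ACK RST
10:59:03 TCP irc2.erols.com -> 193.103.163.81 6667 3072 SYN ACK
10:59:03 TCP irc2.erols.com -> 193.103.163.81 6667 3072 ACK RST
11:02:10 TCP 198.51.100.7 -> 193.103.163.20 4411 80 SYN
"""

LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) TCP (?P<src>\S+) -> (?P<dst>\S+) "
                     r"(?P<sport>\d+) (?P<dport>\d+)(?P<flags>(?: [A-Z]+)*)$")

def parse_line(line):
    """Split one log line into fields; None for lines not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"time": m["time"], "src": m["src"], "dst": m["dst"], "sport": int(m["sport"]),
            "dport": int(m["dport"]), "flags": frozenset(m["flags"].split())}

def classify(pkt):
    """The two shapes seen in the thread; the ACK/RST after a SYN/ACK is a normal teardown."""
    f = pkt["flags"]
    if f == {"RST"}:
        return "bare-rst"
    if {"SYN", "ACK"} <= f:
        return "unsolicited-synack"
    return "other"

def summarize(log_text, min_targets=2):
    """Per source host, count distinct local hosts that received bare RSTs or SYN/ACKs.
    The monitored hosts never opened a connection (most do not exist), so none was requested."""
    per_src = defaultdict(lambda: {"bare-rst": set(), "unsolicited-synack": set(), "dports": set()})
    for line in log_text.splitlines():
        pkt = parse_line(line)
        kind = classify(pkt) if pkt else "other"
        if kind != "other":
            per_src[pkt["src"]][kind].add(pkt["dst"])
            per_src[pkt["src"]]["dports"].add(pkt["dport"])
    report = {}
    for src, info in per_src.items():
        targets = info["bare-rst"] | info["unsolicited-synack"]
        if len(targets) >= min_targets:
            report[src] = {"targets": len(targets), "bare_rst": len(info["bare-rst"]),
                           "synack": len(info["unsolicited-synack"]), "dports": sorted(info["dports"])}
    return report
```

Run on the sample, `summarize(SAMPLE_LOG)` reports dalnet.away.net with two bare-RST targets and irc2.erols.com with two SYN/ACK targets on ports 1024 and 3072, while the control SYN is not reported.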