Security Incidents mailing list archives
TCP scans
From: emperor () SQUONK NET (Roy Wilson)
Date: Thu, 17 Feb 2000 09:02:49 -0500
On Wed, 16 Feb 2000 07:19:12 -0800, Stephen Friedl wrote:
> Hello all,
>
> For *two days*, an ADMROCKS-compromised machine in New Jersey has been doing a scan for TCP port 5 (what's this?), and the owner of the box refused to pull the plug while he fools with it. What's the best way to handle this?
I'm getting the same kind of idiocy from webtv.net:

02/15/00 22:42:26 Firewall blocked access (TCP Port 8626) from 209.240.200.22 (TCP Port 1650)
02/15/00 22:42:26 Firewall blocked access (TCP Port 8629) from 209.240.200.22 (TCP Port 1650)
02/15/00 22:46:02 Firewall blocked access (TCP Port 8626) from 209.240.200.22 (TCP Port 1650)
Occurred 12 times between 22:46:18 and 22:47:14 (02/15/00) Firewall blocked access (TCP Port 8629) from 209.240.200.22 (TCP Port 1650)
02/15/00 22:49:02 Firewall blocked access (TCP Port 8624) from 209.240.200.22 (TCP Port 1650)

They've been at it for weeks. Complaints to them got me this:

> If you are reporting an attack on your computer from one of our servers, and you have a dynamic IP address assigned to you, please talk to your ISP about getting a static IP address. WebTV servers send information to WebTV clients. If the client quietly goes away and your system comes online with the same IP address, your system will see our packets. This is very common with dynamic IP addresses and is not a security attack from our site.

My ISP, myself, and everyone I've talked to agree that the above is just so much bovine feces. The question is *who* is actually compromised here, webtv.net or msn.com.

My firewall is sending these requests to the bit bucket unacknowledged; anyone have anything cute I could bind to those high ports to annoy the scanner?

I've already threatened them with the ultimate nuclear weapon, a lawyer. They really don't seem to give a damn. And they refuse to answer my question as to whether it's on purpose: WHY are they port scanning THEIR clients? And why such odd high port numbers?

Anyone know of anything evil out there that would install and bind to those ports on user-level machines?

Roy Wilson <emperor () squonk net> <CM# 1663>
PGP Key available from certserver.pgp.com or pgpkeys.mit.edu
PGP Public Key Fingerprint: AD1E 4812 56DC 89DD 8C98 4919 5D90 82AF
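As an added example that is not part of the thread, the following Python parses firewall lines in exactly the format quoted above (reproduced here as constructed sample input) and summarises each source address: total blocked hits, the set of destination ports touched, the set of source ports used, and the time span. It then applies an assumed threshold (three or more destination ports and five or more hits) to flag a source as a multi-port probe rather than a stray packet. The burst line "Occurred N times between ..." is counted as N hits at its start time, and a firewall that splits that summary and the event across two lines is rejoined first; the thresholds, the burst handling and the regexes are assumptions made for this example, not anything the poster's firewall does.

```python
"""Summarise 'Firewall blocked access' log lines per source address.

Added example. The log format is copied from the post; the burst
handling and the scan thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input, matching the entries quoted in the post.
SAMPLE_LOG = """\
02/15/00 22:42:26 Firewall blocked access (TCP Port 8626) from 209.240.200.22 (TCP Port 1650)
02/15/00 22:42:26 Firewall blocked access (TCP Port 8629) from 209.240.200.22 (TCP Port 1650)
02/15/00 22:46:02 Firewall blocked access (TCP Port 8626) from 209.240.200.22 (TCP Port 1650)
Occurred 12 times between 22:46:18 and 22:47:14 (02/15/00) Firewall blocked access (TCP Port 8629) from 209.240.200.22 (TCP Port 1650)
02/15/00 22:49:02 Firewall blocked access (TCP Port 8624) from 209.240.200.22 (TCP Port 1650)
"""

EVENT_TAIL = (r"Firewall blocked access \(TCP Port (?P<dport>\d+)\) "
              r"from (?P<src>\d+\.\d+\.\d+\.\d+) \(TCP Port (?P<sport>\d+)\)$")
# One blocked connection attempt with its own timestamp.
EVENT_RE = re.compile(r"^(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) " + EVENT_TAIL)
# Aggregated form the firewall emits for a burst of identical events.
BURST_RE = re.compile(r"^Occurred (?P<count>\d+) times between (?P<time>\d\d:\d\d:\d\d) "
                      r"and \d\d:\d\d:\d\d \((?P<date>\d\d/\d\d/\d\d)\) " + EVENT_TAIL)


def parse_events(text):
    """Return a list of (timestamp, src, sport, dport, count) tuples."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Assumption: a burst summary may be split from its event over two lines; rejoin.
    joined, i = [], 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("Occurred") and "Firewall blocked" not in ln and i + 1 < len(lines):
            ln = ln + " " + lines[i + 1]
            i += 1
        joined.append(ln)
        i += 1
    events = []
    for ln in joined:
        for rx, default_count in ((EVENT_RE, 1), (BURST_RE, None)):
            m = rx.match(ln)
            if m:
                ts = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%y %H:%M:%S")
                count = default_count if default_count else int(m["count"])
                events.append((ts, m["src"], int(m["sport"]), int(m["dport"]), count))
                break
    return events


def summarise(events):
    """Per source IP: hit count, destination/source port sets, first and last timestamp."""
    by_src = defaultdict(lambda: {"hits": 0, "dports": set(), "sports": set(),
                                  "first": None, "last": None})
    for ts, src, sport, dport, count in events:
        s = by_src[src]
        s["hits"] += count
        s["dports"].add(dport)
        s["sports"].add(sport)
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
    return dict(by_src)


def classify(summary, min_ports=3, min_hits=5):
    """Map each source to a verdict. Thresholds are assumptions for the example."""
    verdicts = {}
    for src, s in summary.items():
        if len(s["dports"]) >= min_ports and s["hits"] >= min_hits:
            verdicts[src] = "multi-port probe"
        elif s["hits"] >= min_hits:
            verdicts[src] = "repeated single-port hits"
        else:
            verdicts[src] = "sporadic"
    return verdicts


if __name__ == "__main__":
    summary = summarise(parse_events(SAMPLE_LOG))
    for src, verdict in classify(summary).items():
        s = summary[src]
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{src}: {s['hits']} hits, dst ports {sorted(s['dports'])}, "
              f"src ports {sorted(s['sports'])}, over {span:.0f}s -> {verdict}")
```

The source-port set is reported alongside the destination ports because the two explanations in the thread predict different patterns: a scanner walking destination ports and a server answering connections that belong to a former holder of the address do not leave the same combination, and the summary lets the reader weigh that from their own logs rather than from the single line the firewall shows at a time.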