Security Incidents mailing list archives
Re: Odd scans of tcp port 12345
From: shadoze () FREEWWWEB COM (Shadow Boxer)
Date: Tue, 16 May 2000 05:24:16 -0400
Russell Fulton wrote:
> Greetings,
>
> Over the last 24 hours I have detected 4 scans of tcp ports 12345 in our /16 address space. What is odd about these scans is that *all* started at address 11 and then the scan probed sequentially upwards until it got to 255 (except in one case where it stopped at 100). There are 5 seconds between connection attempts, suggesting a loop trying standard tcp connects rather than a tool like nmap. The source addresses were all major ISPs, one in UK, one in Korea and two in US -- all have been notified.
>
> There are several trojans that are known to have 12345 as a default remote control port, but these scans don't seem (to me anyway) to be someone using nmap (or other standard tool) looking for trojans. It seems more likely that this is a worm that is trying to spread through machines that have been compromised by some trojan.
>
> Why start at address 11? Maybe it is a typo for '1' in the script?
>
> Cheers, Russell.
Well, I think the prospect of a worm may be jumping to conclusions a bit quickly. A lot of trojans have built-in scanners that could be causing this. Also, there are trojan scanners that scan for certain trojans on a set IP block. I believe some of these use standard tcp connections.
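The pattern described in the quoted report (one source, port 12345, one-address steps upward from .11, a fixed 5 seconds between attempts) can be picked out of connection logs. The following is an added example, not part of either post; the record layout, the thresholds and the documentation-range addresses in the sample data are assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address
from statistics import median, pstdev

def _sweep(src, net, first, last, step_s, t0=0):
    """Build constructed log records (epoch_s, src_ip, dst_ip, dst_port)."""
    return [(t0 + i * step_s, src, f"{net}.{h}", 12345)
            for i, h in enumerate(range(first, last + 1))]

# Constructed sample input: two steady sequential sweeps plus a short,
# unordered burst that should not be reported.
SAMPLE = (
    _sweep("203.0.113.7", "192.0.2", 11, 255, 5)
    + _sweep("198.51.100.9", "192.0.2", 11, 100, 5, t0=1000)
    + [(50, "203.0.113.50", "192.0.2.80", 12345),
       (51, "203.0.113.50", "192.0.2.20", 12345),
       (52, "203.0.113.50", "192.0.2.200", 12345)]
)

def find_sequential_sweeps(records, port=12345, min_targets=20, max_jitter=1.0):
    """Report sources that walk upward one address at a time at a steady pace."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == port:
            by_src[src].append((ts, int(ip_address(dst))))
    findings = []
    for src, hits in by_src.items():
        hits.sort()                      # order by time of connection attempt
        if len(hits) < min_targets:
            continue
        pairs = list(zip(hits, hits[1:]))
        addr_steps = [b[1] - a[1] for a, b in pairs]
        gaps = [b[0] - a[0] for a, b in pairs]
        sequential = sum(1 for s in addr_steps if s == 1) / len(addr_steps)
        # Require almost all steps to be +1 and near-constant spacing,
        # which points at a simple connect loop rather than a fast scanner.
        if sequential < 0.9 or pstdev(gaps) > max_jitter:
            continue
        findings.append({
            "source": src,
            "first": str(ip_address(hits[0][1])),
            "last": str(ip_address(hits[-1][1])),
            "targets": len(hits),
            "interval_s": median(gaps),
        })
    return sorted(findings, key=lambda f: f["source"])

if __name__ == "__main__":
    for finding in find_sequential_sweeps(SAMPLE):
        print(finding)
```

Comparing the `first` and `interval_s` fields across sources is what exposes the shared fingerprint the report points out: unrelated source networks producing the same start address and the same pacing.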