Security Incidents mailing list archives

Re: scan on TCP/21536


From: smarkacz <smarkacz () ANATHEMA EU ORG>
Date: Sat, 18 Nov 2000 16:35:03 +0100

JF Z <agagax () CARAMAIL COM> wrote:
I'm currently seeing probes on TCP port 21536, does anybody know
what this port could be used for? I looked at some sites listing
well-known ports, no info found ...

...and the source port is always 18245?
...and the destination IP is a webserver?
...and the source IP is Polish Telecom dialup???[1]

We have seen it for several months[2] in Poland; these packets are
generated by some brain-damaged device (I don't know what this is);
they would be correct TCP packets if something did not strip the TCP
header, placing the HTTP request right after the IP header. Look at the
numbers and you'll see that such a damaged packet will be resolved to
`port 21536 probe' - "GET " resolves to ports 18245 -> 21536.

This device damages not only HTTP packets - I have seen in my
firewall's log packets with port-number pairs derived from "HELO",
"USER", "POST" and even "SSH-" (when I connected to a public PT dialup
and opened an SSH session on my workstation).

[1] IP should resolve to *.ppp.tpnet.pl.
[2] Since Sep 7 2000.
--
*** smarkacz (smarkacz () anathema eu org)  --  Jacek P. Szymański
sorry, I stand corrected: Linux was developed by Linus Torvalds
initially on Minix, then ported to other platforms,
                             -- Luke Skywalker on pl.comp.security
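The arithmetic behind the "GET " -> 18245/21536 observation, and a way to turn it into a log check, as an added example that is not part of the original post. The idea is the poster's: if the TCP header is missing, the first four payload bytes land where the source and destination port fields should be, so a firewall logs them as a port pair. The iptables-style `SPT=`/`DPT=` log format and the sample log lines below are constructed for this example and are not from the thread.

```python
from __future__ import annotations

import re
import struct

# Application-layer prefixes named in the post. When a TCP header is
# stripped, these 4 bytes occupy the source/destination port fields,
# so the "ports" in a firewall log are really these characters.
KNOWN_PREFIXES = (b"GET ", b"POST", b"HELO", b"USER", b"SSH-")


def port_pair_from_ascii(prefix: bytes) -> tuple[int, int]:
    """Return the (source port, destination port) a firewall would log if
    `prefix` sat in the first four bytes after the IP header."""
    if len(prefix) < 4:
        raise ValueError("need at least 4 bytes of payload")
    # Port fields are 16-bit big-endian, exactly like the first two
    # 16-bit words of an ASCII payload read as if it were a TCP header.
    return struct.unpack("!HH", prefix[:4])


def ascii_from_port_pair(sport: int, dport: int) -> bytes:
    """Inverse: pack the logged port numbers back into the bytes they came from."""
    return struct.pack("!HH", sport, dport)


# Precomputed lookup: (sport, dport) -> protocol prefix.
PORT_PAIR_TO_PREFIX = {port_pair_from_ascii(p): p for p in KNOWN_PREFIXES}

# Assumed iptables-style field names; not taken from the original post.
_LOG_RE = re.compile(r"SPT=(\d+)\s+DPT=(\d+)")


def decode_log_line(line: str) -> bytes | None:
    """If a log line's port pair decodes to a known protocol prefix, return
    that prefix (evidence of a header-stripped packet); otherwise None."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    pair = (int(m.group(1)), int(m.group(2)))
    return PORT_PAIR_TO_PREFIX.get(pair)


def decode_any_pair(sport: int, dport: int) -> str | None:
    """Looser check: return the four bytes as text if all are printable
    ASCII, which is suspicious even for commands not in the table."""
    raw = ascii_from_port_pair(sport, dport)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


# Constructed sample log lines (not real traffic; RFC 5737 test addresses).
SAMPLE_LOG = [
    "Nov 18 16:20:01 fw kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.80 PROTO=TCP SPT=18245 DPT=21536",
    "Nov 18 16:20:05 fw kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.25 PROTO=TCP SPT=18501 DPT=19535",
    "Nov 18 16:20:09 fw kernel: IN=ppp0 SRC=198.51.100.9 DST=203.0.113.80 PROTO=TCP SPT=51234 DPT=80",
]


def scan_log(lines) -> list[tuple[str, bytes]]:
    """Return (line, decoded prefix) for every line that looks header-stripped."""
    hits = []
    for line in lines:
        prefix = decode_log_line(line)
        if prefix is not None:
            hits.append((line, prefix))
    return hits


if __name__ == "__main__":
    for line, prefix in scan_log(SAMPLE_LOG):
        print(f"{prefix!r}: {line}")
```

Run against a real firewall log, the strict lookup (`decode_log_line`) only flags the five prefixes from the post; `decode_any_pair` catches other stripped packets at the cost of occasional false positives, since legitimate ephemeral-port pairs can also happen to be printable.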

