Security Incidents mailing list archives
Re: scan on TCP/21536
From: smarkacz <smarkacz () ANATHEMA EU ORG>
Date: Sat, 18 Nov 2000 16:35:03 +0100
JF Z <agagax () CARAMAIL COM> wrote:
I'm currently seeing probes on TCP port 21536, does anybody know what this port could be used for ? I looked at some sites listing well-known ports, no info found ...
...and the source port is always 18245? ...and the destination IP is a webserver? ...and the source IP is Polish Telecom dialup???[1]

We have seen it for several months[2] in Poland; these packets are generated by some brain damaged device (I don't know what this is); they would be correct TCP packets if something did not strip the TCP header, placing the HTTP request right after the IP header. Look at the numbers and you'll see that such a damaged packet will be resolved to a `port 21536 probe' - "GET " resolves to ports 18245 -> 21536.

This device damages not only HTTP packets - I have seen in my firewall's log packets with port number pairs derived from "HELO", "USER", "POST" and even "SSH-" (when I connected to public PT dialup and opened an SSH session on my workstation).

[1] IP should resolve to *.ppp.tpnet.pl.
[2] Since Sep 7 2000.

--
*** smarkacz (smarkacz () anathema eu org) -- Jacek P. Szymański
sorry, I stand corrected, Linux was developed by Linus Torvalds initially on Minix, then ported to other platforms,
-- Luke Skywalker on pl.comp.security
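The port arithmetic described in the message above, as an added example that is not part of the original post: it reads application data as if it were a TCP header and maps logged port pairs back to the ASCII they spell. The function names and the sample HTTP request are constructed for illustration.

```python
import struct

# Protocol keywords named in the post; each is exactly 4 ASCII bytes.
KEYWORDS = (b"GET ", b"HELO", b"USER", b"POST", b"SSH-")

def keyword_to_ports(word):
    """Read 4 payload bytes the way a TCP parser reads source/destination port."""
    if len(word) != 4:
        raise ValueError("need exactly 4 bytes")
    return struct.unpack("!HH", word)  # two big-endian 16-bit fields

def ports_to_text(sport, dport):
    """Return the 4 characters a port pair spells, or None if not printable ASCII."""
    raw = struct.pack("!HH", sport, dport)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None

def looks_like_stripped_header(sport, dport):
    """True when a logged port pair decodes to one of the known keywords."""
    text = ports_to_text(sport, dport)
    return text is not None and text.encode("ascii") in KEYWORDS

def misparse_as_tcp(payload):
    """Interpret the first 20 bytes of application data as a TCP header."""
    if len(payload) < 20:
        raise ValueError("need at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", payload[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": off_flags >> 12,   # header length in 32-bit words
        "flags": off_flags & 0xFF,        # low byte holds the flag bits
        "window": window, "checksum": csum, "urgent": urg,
    }

# Constructed sample request, standing in for data placed right after the IP header.
SAMPLE_REQUEST = b"GET /index.html HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for word in KEYWORDS:
        print(repr(word), "->", keyword_to_ports(word))
    print(misparse_as_tcp(SAMPLE_REQUEST))
    # Constructed firewall-log port pairs: one garbled packet, one ordinary one.
    for pair in [(18245, 21536), (1025, 80)]:
        print(pair, ports_to_text(*pair), looks_like_stripped_header(*pair))
```

A firewall log whose port pairs all decode to printable ASCII this way points to header-stripped traffic rather than a scan of those ports.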
Current thread:
- scan on TCP/21536 JF Z (Nov 18)
- Re: scan on TCP/21536 smarkacz (Nov 21)
- Re: scan on TCP/21536 Gary Maltzen (Nov 22)