Security Incidents mailing list archives
Re: Port 109 scanning
From: "Jay D. Dyson" <jdyson () TREACHERY NET>
Date: Mon, 6 Nov 2000 11:42:04 -0800
-----BEGIN PGP SIGNED MESSAGE----- On Mon, 6 Nov 2000, A.L.Lambert wrote:
I'm curious if anyone else has been getting port 109 SYN/FIN scan's lately? (src 109 -> dst 109). I've gotten them from two separate sources, several days apart (looks like a sequential scan of multiple class A networks), and I thought it was a bit odd, since last time I heard, POP2 was a virtually abandoned protocol (at least I've never seen it in use, and I've been mucking around on the net for a long time now), and in this day and age, a SYN/FIN scan is almost certain to set off IDS's.
I haven't seen any scans, but I know there are some agencies that unwittingly do have POP2 enabled. As recent as 1996, Sun Microsystems was shipping Netra i systems (Solaris 2.4) with POP2 enabled. Unfortunately, those "easy-to-use" systems often fell into the hands of people who just plugged 'em in, turned 'em on, and dropped them on the 'net. Offhand, I'd guess that there are at least a half-dozen Netra i's still running (and probably with their default installs) where I used to work full time. - -Jay ( ______ )) .--- "There's always time for a good cup of coffee" ---. >===<--. C|~~| (>-------- Jay D. Dyson -- jdyson () treachery net --------<) | = |-' `--' `----------- My other car is a Sparc Ultra. -----------' `-----' -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOgcJkNCClfiU/BIVAQGnUQP/bf5ZnDu5XfbDc9pm4fKnRIAq+m3twJbN dfi5LbQvdQl/ff2BPK9rRWLgNN+rBM2XinTVSlKQTFAQpd585Rye9uAuuIrX2ME2 GsMkx6IuqE9s/s7bvtZ+Ab12u1x4QAV1oGTG28k16U79DAICtAAhHyWL1/z//ajW JUIl50FcOwk= =MpMM -----END PGP SIGNATURE-----
Current thread:
- Port 109 scanning A.L.Lambert (Nov 07)
- Re: Port 109 scanning Jay D. Dyson (Nov 08)
- Re: Port 109 scanning Jander Sunstar (Nov 08)
- <Possible follow-ups>
- Re: Port 109 scanning azimuth (Nov 08)
- Re: Port 109 scanning Fernando Cardoso (Nov 08)
- Re: Port 109 scanning Andy Duncan (Nov 08)