Security Incidents mailing list archives
odd scan
From: Kevin Holmquist <kevinh () NETRONIN ORG>
Date: Sun, 4 Feb 2001 11:19:28 -0700
Folks, I detected a scan of one of my systems. Looks like a typical, automated scan, but I was curious about some of the ports it hit: Feb 4 03:20:37 64.218.84.240:3373 -> ***.***.***.145:21 SYN ******S* Feb 4 03:20:37 64.218.84.240:3374 -> ***.***.***.145:23 SYN ******S* Feb 4 03:20:37 64.218.84.240:3375 -> ***.***.***.145:25 SYN ******S* Feb 4 03:20:37 64.218.84.240:3376 -> ***.***.***.145:79 SYN ******S* Feb 4 03:20:37 64.218.84.240:3377 -> ***.***.***.145:80 SYN ******S* Feb 4 03:20:37 64.218.84.240:3378 -> ***.***.***.145:81 SYN ******S* Feb 4 03:20:37 64.218.84.240:3379 -> ***.***.***.145:110 SYN ******S* Feb 4 03:20:37 64.218.84.240:3380 -> ***.***.***.145:113 SYN ******S* Feb 4 03:20:37 64.218.84.240:3381 -> ***.***.***.145:139 SYN ******S* Feb 4 03:20:37 64.218.84.240:3382 -> ***.***.***.145:143 SYN ******S* Feb 4 03:20:37 64.218.84.240:3383 -> ***.***.***.145:443 SYN ******S* Feb 4 03:20:38 64.218.84.240:3384 -> ***.***.***.145:8008 SYN ******S* Feb 4 03:20:39 64.218.84.240:3385 -> ***.***.***.145:8080 SYN ******S* Any ideas why they would check ports 23, 79, 81? I know 23 is telnet and 79 is finger, but I haven't seen exploits for those lately (other than telnet being insecure). Also, why port 81? Any new exploits for these ports? I've seen reports of scans for 23 and 81 on sans.org, but noone seemed to know anything about them. BTW, this is from snort, using snort.org's full ruleset dated 1/25/2001. snort didn't recognize the scanner used... Thanks! Kevin
Current thread:
- odd scan Kevin Holmquist (Feb 04)
- Re: odd scan Jose Nazario (Feb 04)
- Re: odd scan Daniel R. Warner (Feb 04)