Security Incidents mailing list archives
Re: Synscan on port 2223
From: Daniel Martin <dtmartin24 () home com>
Date: 26 Jun 2001 17:42:42 -0400
"Fernando Cardoso" <fernando.cardoso () whatevernet com> writes:
> I've just noticed in my logs a scan from someone in Colombia to port 2223. It was clearly made with synscan (source port=destination port, ID=39426 and Window=404). What makes me think is the purpose of it. What (s)he's looking for? According to my port database it could be:
I saw this too. Whatever they were looking for, if you sent a syn packet back to them on port 2223 (e.g. by doing "telnet xxx.xxx.xxx.xxx 2223"), then they would respond with a regular TCP connection to the port, and wait for something. I don't know what they were waiting for, since any data I sent just resulted in the other side closing the connection.

So it's definitely synscan-like behavior, but I don't know what exploit has been attached to that port.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
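The fingerprint quoted in this thread (source port equal to destination port, IP ID 39426, TCP window 404) can be checked against firewall logs. The following is an added example, not part of either post; it assumes Linux netfilter LOG-style lines, and the sample lines, addresses and function names are constructed for illustration.

```python
import re

# Fingerprint quoted in the thread: source port == destination port,
# IP ID 39426, TCP window 404.
SYNSCAN_IP_ID = 39426
SYNSCAN_WINDOW = 404

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines in netfilter LOG style (documentation addresses).
SAMPLE_LOG = """\
Jun 26 17:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=28 ID=39426 PROTO=TCP SPT=2223 DPT=2223 WINDOW=404 RES=0x00 SYN URGP=0
Jun 26 17:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=52 ID=51234 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 26 17:01:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 LEN=40 TTL=28 ID=39426 PROTO=TCP SPT=2223 DPT=2223 WINDOW=404 RES=0x00 SYN URGP=0
Jun 26 17:02:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=40 TTL=60 ID=100 PROTO=TCP SPT=2223 DPT=2223 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 26 17:02:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=28 ID=39426 PROTO=UDP SPT=53 DPT=53
"""


def parse_fields(line):
    """Return the KEY=value pairs of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def is_synscan(fields):
    """True only when all three fingerprint traits are present on a TCP packet."""
    try:
        return (fields.get("PROTO") == "TCP"
                and fields["SPT"] == fields["DPT"]
                and int(fields["ID"]) == SYNSCAN_IP_ID
                and int(fields["WINDOW"]) == SYNSCAN_WINDOW)
    except (KeyError, ValueError):
        return False  # missing or malformed field: not a match


def summarize(log_text):
    """Map each matching source address to the sorted (dst, port) pairs it probed."""
    hits = {}
    for line in log_text.splitlines():
        f = parse_fields(line)
        if is_synscan(f):
            hits.setdefault(f["SRC"], set()).add((f["DST"], int(f["DPT"])))
    return {src: sorted(t) for src, t in hits.items()}


if __name__ == "__main__":
    for src, targets in summarize(SAMPLE_LOG).items():
        print(src, targets)
```

Requiring all three traits together keeps ordinary traffic that merely shares a port number on both ends (the fourth sample line) out of the results.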