Security Incidents mailing list archives
TCP 1025 scanning worm?
From: "Richard Johnson" <rdump () river com>
Date: Wed, 17 Jul 2002 13:37:53 -0600
Starting at 11:38:12 UTC on July 17, we started seeing full-network port scans looking for TCP port 1025. The sources are all Windows boxes listening on TCP port 1025. The ramp up in volume from widely separated source IPs looks wormy. Is this a targeted attack against my nets, or are others seeing this scanning too? Richard ------- Jul 17 05:38:12 gateway IP FILTER: `wi` rule# 13: deny: src=131.128.196.245(1810) dst=A.B.C.0(1025) proto=6 Jul 17 05:38:12 gateway IP FILTER: `wi` rule# 38: deny: src=131.128.196.245(1822) dst=A.B.C.Y(1025) proto=6 ... Jul 17 05:38:15 gateway IP FILTER: `wi` rule# 38: deny: src=131.128.196.245(1822) dst=A.B.C.Y(1025) proto=6 Jul 17 05:38:15 gateway IP FILTER: `wi` rule# 13: deny: src=131.128.196.245(1810) dst=A.B.C.0(1025) proto=6 ... Jul 17 05:38:21 gateway IP FILTER: `wi` rule# 38: deny: src=131.128.196.245(1822) dst=A.B.C.Y(1025) proto=6 Jul 17 05:38:21 gateway IP FILTER: `wi` rule# 13: deny: src=131.128.196.245(1810) dst=A.B.C.0(1025) proto=6 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- TCP 1025 scanning worm? Richard Johnson (Jul 17)
- <Possible follow-ups>
- RE: TCP 1025 scanning worm? Rob Keown (Jul 17)
- re: TCP 1025 scanning worm? H C (Jul 18)
- re: TCP 1025 scanning worm? Richard Johnson (Jul 18)
- RE: TCP 1025 scanning worm? George M. Garner Jr. (Jul 19)