Security Incidents mailing list archives

TCP 1025 scanning worm?

From: "Richard Johnson" <rdump () river com>
Date: Wed, 17 Jul 2002 13:37:53 -0600

Starting at 11:38:12 UTC on July 17, we started seeing full-network port
scans looking for TCP port 1025.

The sources are all Windows boxes listening on TCP port 1025.  The ramp up
in volume from widely separated source IPs looks wormy.

Is this a targeted attack against my nets, or are others seeing this
scanning too?


Richard

-------

Jul 17 05:38:12 gateway IP FILTER: `wi` rule# 13: deny:
src=131.128.196.245(1810) dst=A.B.C.0(1025) proto=6
Jul 17 05:38:12 gateway IP FILTER: `wi` rule# 38: deny:
src=131.128.196.245(1822) dst=A.B.C.Y(1025) proto=6
...
Jul 17 05:38:15 gateway IP FILTER: `wi` rule# 38: deny:
src=131.128.196.245(1822) dst=A.B.C.Y(1025) proto=6
Jul 17 05:38:15 gateway IP FILTER: `wi` rule# 13: deny:
src=131.128.196.245(1810) dst=A.B.C.0(1025) proto=6
...
Jul 17 05:38:21 gateway IP FILTER: `wi` rule# 38: deny:
src=131.128.196.245(1822) dst=A.B.C.Y(1025) proto=6
Jul 17 05:38:21 gateway IP FILTER: `wi` rule# 13: deny:
src=131.128.196.245(1810) dst=A.B.C.0(1025) proto=6

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

TCP 1025 scanning worm? Richard Johnson (Jul 17)
- <Possible follow-ups>
- RE: TCP 1025 scanning worm? Rob Keown (Jul 17)
- re: TCP 1025 scanning worm? H C (Jul 18)
  - re: TCP 1025 scanning worm? Richard Johnson (Jul 18)
- RE: TCP 1025 scanning worm? George M. Garner Jr. (Jul 19)