Security Incidents mailing list archives
RE: Increase seen in port probes since Tuesday afternoon
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Thu, 30 Dec 2004 14:44:51 -0500
BahdKo wrote Thursday, December 30, 2004 04:23:
> Since Tuesday afternoon EST I've seen a dramatic increase in the number of machines probing my network on ports 2745, 1025, 3127, 6129, and usually 80. Each probe involves the machine sending three packets to each port.
Yes, from time to time. The port pattern is typical of many botnets, many of which will focus multiple drones against a particular IP space for a while. Packet captures might reveal whether there is anything new or interesting about any of the individual probes. The three packets would probably be standard SYN retries. Again, a packet capture would show whether or not this is the case. If a destination device is listening on any of those ports, a packet capture might also give an indication about whether there is some new payload.
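One way to check a capture for the SYN-retry pattern discussed in the message above, as an added example that is not part of the original post. It assumes the capture has already been reduced to per-packet tuples; the record layout, the sample addresses (documentation ranges) and the function name `classify_probes` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not from the original post), one tuple per
# captured inbound TCP packet: (time_s, src_ip, src_port, dst_port, flags, seq).
SAMPLE = [
    (0.00, "192.0.2.10", 4101, 2745, "S", 1000),
    (2.95, "192.0.2.10", 4101, 2745, "S", 1000),
    (8.96, "192.0.2.10", 4101, 2745, "S", 1000),
    (0.01, "192.0.2.10", 4102, 1025, "S", 2000),
    (3.01, "192.0.2.10", 4102, 1025, "S", 2000),
    (9.00, "192.0.2.10", 4102, 1025, "S", 2000),
    # Three separate attempts: new source port and sequence number each time.
    (0.02, "198.51.100.7", 1301, 3127, "S", 5000),
    (0.50, "198.51.100.7", 1302, 3127, "S", 6000),
    (1.00, "198.51.100.7", 1303, 3127, "S", 7000),
]

def classify_probes(packets):
    """Group bare SYNs by (src_ip, dst_port) and label each group.

    'syn-retries': all SYNs reuse one source port and sequence number, and
    the gaps between them never shrink (retransmission backoff).
    'separate-attempts': anything else, worth a closer look in the capture.
    """
    groups = defaultdict(list)
    for t, src, sport, dport, flags, seq in packets:
        if flags == "S":                      # SYN only, ignore SYN/ACK etc.
            groups[(src, dport)].append((t, sport, seq))
    result = {}
    for key, syns in groups.items():
        syns.sort()
        same_conn = len({(sport, seq) for _, sport, seq in syns}) == 1
        gaps = [b[0] - a[0] for a, b in zip(syns, syns[1:])]
        backoff = all(g2 >= g1 for g1, g2 in zip(gaps, gaps[1:]))
        if len(syns) > 1 and same_conn and backoff:
            result[key] = "syn-retries"
        else:
            result[key] = "separate-attempts"
    return result

if __name__ == "__main__":
    for (src, dport), label in sorted(classify_probes(SAMPLE).items()):
        print(f"{src} -> port {dport}: {label}")
```

Groups labelled `separate-attempts` are the ones where the individual packets deserve a closer look in the capture.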