Re: Who is looking for port 2036?

[Joakim Berge <joakim.berge () gmail com>]

On 10/26/05, Tillmann Werner <tillmann.werner () gmx de> wrote:
> Joakim,
>
> > The scan seems to be from a large botnet, across the world.
>
> What makes you believe the attack's origin is a botnet?
I belive it is a botnet becouse the source addresses are couple of
hundred different ones (i think....havent counted). I dont see any
pattern, and they are spread across the planet.



> > They have only targeted one ip, and it doesn't respond to those ports.
>
> Your samples only showed port 2036/tcp on a very low frequency. Is this
> representative for a longer period? What is the percentage of port 80/tcp
> packets?

This has been going on for a month, and the frequency is about 200 per
day for 2036 and 50 per day for 80. NFR also reports combined scan for
"2036 80".


> > Is it the tryout of a new worm?
>
> Unlikely, if it only targets a single ip address which does not respond. Http
> might be used as destination port for such packets are likely to go through
> firewalls.
>
> If you are interested in furhter investigation, you could run netcat on the
> attacked host to see if connection establishment goes on and if there arrives
> any data.
>
> Tillmann


--
Joakim Berge
Tlf. +47 93489696
MSN. joakim.berge () gmail com