[Unusual Network_scan[tcp-6267]]

From: Russell Fulton (R.FULTON@auckland.ac.nz)
Date: 01/31/02


From: Russell Fulton <R.FULTON@auckland.ac.nz>
To: incidents@securityfocus.com
Date: 01 Feb 2002 10:30:17 +1300

Anyone have any idea what this might be looking for? I usually assume
that scans on odd port numbers are just looking for hosts compromised in
previous sweeps but 6267 is a bit too close to 6112 and I want to be
sure that it isn't another rpc service I don't know about. I have
searched the snort port database and google but found nothing relevant.

Cheers, Russell.

-----Forwarded Message-----

From: argus@auckland.ac.nz
To: irt@auckland.ac.nz
Subject: [202.198.178.103] - Network_scan[tcp-6267]
Date: 31 Jan 2002 19:57:03 +1300

The data for around this time can be found in
~argus/data/2002.01.31/argus-2002.01.31.19.00.gz

We saw [202.198.178.103] talk to 48 ports/addresses(s)
on Thu 31 Jan 2002 at 07:56 (UTC)

-- Thu 31 Jan 2002 at 19:56 (NZDT)

Connection rate approx 20 per second

202.37.88.1-37.tcp - 6267 202.37.88.42-51.tcp - 6267
202.37.88.40.tcp - 6267

Some sample packet traces were: Times UTC +1300 GPS synchronized
2002-01-31-19:56:47 tcp 202.198.178.103:4151 -> 202.37.88.28:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4152 -> 202.37.88.29:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4153 -> 202.37.88.30:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4154 -> 202.37.88.31:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4155 -> 202.37.88.32:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4156 -> 202.37.88.33:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4157 -> 202.37.88.34:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4158 -> 202.37.88.35:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4159 -> 202.37.88.36:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4160 -> 202.37.88.37:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4163 -> 202.37.88.40:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4165 -> 202.37.88.42:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4166 -> 202.37.88.43:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4167 -> 202.37.88.44:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4168 -> 202.37.88.45:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4169 -> 202.37.88.46:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4170 -> 202.37.88.47:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4171 -> 202.37.88.48:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4172 -> 202.37.88.49:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4173 -> 202.37.88.50:6267 S_

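The forwarded alert condenses many one-packet flows into a source, a port and a set of target ranges. As an added example (not part of the original post, and not Argus code), the sketch below does the same summarisation over lines in the trace format shown above. It assumes that a state of `S_` means a SYN that received no reply; the `min_hosts` threshold and the final sample line are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample: the first five lines reuse values from the traces in the
# post; the last line is an invented single-destination flow for contrast.
SAMPLE = """\
2002-01-31-19:56:47 tcp 202.198.178.103:4159 -> 202.37.88.36:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4160 -> 202.37.88.37:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4163 -> 202.37.88.40:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4165 -> 202.37.88.42:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4166 -> 202.37.88.43:6267 S_
2002-01-31-19:56:48 tcp 192.0.2.10:33000 -> 202.37.88.40:80 S_
"""

LINE = re.compile(r"^(\S+) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+) (\S+)$")

def parse(text):
    """Yield (src, sport, dst, dport, state) for each well-formed trace line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            _ts, _proto, src, sport, dst, dport, state = m.groups()
            yield src, int(sport), IPv4Address(dst), int(dport), state

def collapse(addrs):
    """Collapse addresses into contiguous runs, written like '202.37.88.42-51'.
    Assumes each run stays inside one /24, as in the alert."""
    runs, run = [], []
    for a in sorted(set(addrs)):
        if run and int(a) != int(run[-1]) + 1:
            runs.append(run)
            run = []
        run.append(a)
    if run:
        runs.append(run)
    return [str(r[0]) if len(r) == 1
            else f"{r[0]}-{str(r[-1]).rsplit('.', 1)[1]}" for r in runs]

def horizontal_scans(text, min_hosts=4):
    """Map (src, dport) to target ranges for sources that sent unanswered
    SYNs (assumed state 'S_') to at least min_hosts hosts on one port."""
    targets = defaultdict(set)
    for src, _sport, dst, dport, state in parse(text):
        if state == "S_":
            targets[(src, dport)].add(dst)
    return {k: collapse(v) for k, v in targets.items() if len(v) >= min_hosts}
```

Gaps in the collapsed ranges show which addresses the sample did not record a probe for.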