re: TCP 1025 scanning worm?
From: H C (keydet89@yahoo.com)Date: 07/18/02
- Previous message: Jensenne Roculan: "Vacation Troller, Please Ignore."
- Maybe in reply to: Richard Johnson: "TCP 1025 scanning worm?"
- Next in thread: Richard Johnson: "re: TCP 1025 scanning worm?"
- Reply: Richard Johnson: "re: TCP 1025 scanning worm?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 18 Jul 2002 11:36:35 -0700 (PDT) From: H C <keydet89@yahoo.com> To: incidents@securityfocus.com
> The sources are all Windows boxes listening on TCP
port 1025.
Not surprising at all. MS has documentation that
states that the ports from 1025-1030 are used by RPC.
Have you checked your own machine w/ fport? I've got
ports open in that range on my system right now, but
they're all used by MS processes.
> The ramp up in volume from widely separated source
IPs looks wormy.
How so? The log extract you provided doesn't show any
data...it looks as if the initial SYN packet was
denied. This could easily be a port scanner.
__________________________________________________
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes
http://autos.yahoo.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Previous message: Jensenne Roculan: "Vacation Troller, Please Ignore."
- Maybe in reply to: Richard Johnson: "TCP 1025 scanning worm?"
- Next in thread: Richard Johnson: "re: TCP 1025 scanning worm?"
- Reply: Richard Johnson: "re: TCP 1025 scanning worm?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
