re: TCP 1025 scanning worm?

From: Richard Johnson (rdump@river.com)
Date: 07/18/02


Date: Thu, 18 Jul 2002 14:07:39 -0600
To: incidents@securityfocus.com
From: "Richard Johnson" <rdump@river.com>

At 11:36 -0700 on 18/07/2002, H C wrote:
> Have you checked your own machine w/ fport? I've got
> ports open in that range on my system right now, but
> they're all used by MS processes.

Don't have any Windows boxes. ;-)

>> The ramp up in volume from widely separated source
>> IPs looks wormy.
>
> How so? The log extract you provided doesn't show any
> data...it looks as if the initial SYN packet was
> denied. This could easily be a port scanner.

Yes, it was clearly a port scan. The ramp up among divergent source IPs I
saw while I was sitting on 206./16 and later 204./16 networks looked like a
spreading infection.

I've seen little corroboration, though, so I'm concluding whatever was
going on was targeted at a few networks, or had a very poor RNG for seeding
the scan list. It never made it down to 138./16 or 128./16, as far as I
can tell.

Richard

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
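The judgement Richard describes above (a denied-SYN log to one port; does the number of distinct sources ramp up over time like a spreading infection, and how many /16 destination networks does it actually touch?) can be reduced to a small log-profiling script. What follows is an added example and not code from the thread or from any of its participants; the syslog-style DENY line layout and the sample lines are constructed for the example, and the ramp thresholds (`min_hours`, `min_growth`, `min_sources`) are arbitrary knobs to tune against your own firewall's volume.

```python
"""Profile denied SYNs to one TCP port per hour and decide whether the
source population ramps up the way a spreading scanner would.

Added example. The log line format below is a constructed syslog-style
layout (hypothetical), not the extract discussed in the thread."""
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: firewall drops of SYNs to TCP 1025, plus one line of
# unrelated noise on port 80 that the filter must ignore.
SAMPLE_LOG = """\
Jul 18 08:02:11 fw kernel: DENY TCP 203.0.113.7:3123 -> 206.10.20.30:1025 SYN
Jul 18 08:41:52 fw kernel: DENY TCP 198.51.100.44:1049 -> 206.10.20.30:1025 SYN
Jul 18 08:50:03 fw kernel: DENY TCP 198.51.100.44:1050 -> 206.10.20.30:80 SYN
Jul 18 09:05:19 fw kernel: DENY TCP 203.0.113.7:3201 -> 206.10.20.31:1025 SYN
Jul 18 09:17:40 fw kernel: DENY TCP 192.0.2.200:4422 -> 206.10.20.30:1025 SYN
Jul 18 09:33:08 fw kernel: DENY TCP 198.51.100.9:2001 -> 206.10.20.32:1025 SYN
Jul 18 10:01:55 fw kernel: DENY TCP 192.0.2.17:1400 -> 206.10.20.30:1025 SYN
Jul 18 10:09:12 fw kernel: DENY TCP 203.0.113.99:3000 -> 206.10.20.30:1025 SYN
Jul 18 10:22:37 fw kernel: DENY TCP 198.51.100.9:2002 -> 206.10.20.33:1025 SYN
Jul 18 10:30:44 fw kernel: DENY TCP 192.0.2.200:4480 -> 206.10.20.30:1025 SYN
Jul 18 10:48:29 fw kernel: DENY TCP 203.0.113.7:3999 -> 204.50.60.70:1025 SYN
"""

# Hypothetical line layout: "<Mon> <day> <HH:MM:SS> <host> kernel: DENY TCP src:sport -> dst:dport SYN"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ kernel: "
    r"DENY TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) SYN$"
)


def parse_denied_syns(text, port):
    """Yield (hour_key, src_ip, dst_ip) for every DENY line aimed at `port`."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m["dport"]) == port:
            yield f"{m['mon']} {m['day']} {m['hour']}", m["src"], m["dst"]


def hourly_profile(text, port=1025):
    """Per hour bucket: the distinct source IPs seen and the distinct
    destination /16 networks they probed. Keys sort correctly within one
    month because day and hour are zero-padded."""
    prof = defaultdict(lambda: {"sources": set(), "dst16": set()})
    for hour, src, dst in parse_denied_syns(text, port):
        prof[hour]["sources"].add(src)
        prof[hour]["dst16"].add(str(ip_network(f"{dst}/16", strict=False)))
    return dict(sorted(prof.items()))


def assess(profile, min_hours=3, min_growth=2.0, min_sources=5):
    """Flag a worm-like ramp when the distinct-source count rises strictly
    across at least `min_hours` consecutive buckets, finishes at or above
    `min_sources`, and grows by at least `min_growth`x over the window.
    The /16 spread is reported separately: a ramp that only ever lands on a
    couple of /16s is better explained by a targeted or poorly seeded
    scanner than by an Internet-wide infection."""
    counts = [len(p["sources"]) for p in profile.values()]
    nets16 = set()
    for p in profile.values():
        nets16 |= p["dst16"]
    ramping = (
        len(counts) >= min_hours
        and all(later > earlier for earlier, later in zip(counts, counts[1:]))
        and counts[-1] >= min_sources
        and counts[-1] >= min_growth * counts[0]
    )
    return {
        "ramp_up": ramping,
        "sources_per_hour": counts,
        "dst_networks_16": sorted(nets16),
    }


if __name__ == "__main__":
    result = assess(hourly_profile(SAMPLE_LOG, port=1025))
    print(result)
```

Run against the constructed sample, the sources-per-hour series is 2, 3, 5 (ramping) while every probe lands in just two /16s, which is the pattern the thread ends up calling a narrowly targeted scan rather than a spreading worm. Against a real firewall feed the thresholds need calibrating, and a single day of one site's drops is, as the thread itself notes, weak corroboration on its own.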
