re: TCP 1025 scanning worm?

From: Richard Johnson
Date: 07/18/02

Date: Thu, 18 Jul 2002 14:07:39 -0600
From: "Richard Johnson" <>

At 11:36 -0700 on 18/07/2002, H C wrote:
> Have you checked your own machine w/ fport? I've got
> ports open in that range on my system right now, but
> they're all used by MS processes.

Don't have any windows boxes. ;-)

>> The ramp up in volume from widely separated source
>> IPs looks wormy.
> How so? The log extract you provided doesn't show any
> looks as if the initial SYN packet was
> denied. This could easily be a port scanner.

Yes, it was clearly a port scan. The ramp up among divergent source IPs I
saw while I was sitting on 206./16 and later 204./16 networks looked like a
spreading infection.

I've seen little corroboration, though, so I'm concluding whatever was
going on was targeted at a few networks, or had a very poor RNG for seeding
the scan list. It never made it down to 138./16 or 128./16, as far as I
can tell.
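
The heuristic discussed in this message (a growing number of distinct, widely separated source IPs probing TCP 1025) can be checked against firewall deny logs. The following is an added example, not part of the original message; the log format, sample lines, one-hour window and the definition of "ramping" are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: "<epoch> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
1000 192.0.2.10 10.0.0.5 1025 deny
1200 192.0.2.10 10.0.0.6 1025 deny
4000 192.0.2.10 10.0.0.7 1025 deny
4100 198.51.100.7 10.0.0.5 1025 deny
7300 198.51.100.7 10.0.0.9 1025 deny
7400 203.0.113.44 10.0.0.5 1025 deny
7500 203.0.113.45 10.0.0.5 1025 deny
7600 192.0.2.99 10.0.0.5 80 deny
"""

def sources_per_window(log_text, port=1025, window=3600):
    """Map window index -> set of source IPs with denied packets to `port`."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, src, _dst, dport, action = fields
        if not (ts.isdigit() and dport.isdigit()):
            continue
        if action == "deny" and int(dport) == port:
            buckets[int(ts) // window].add(src)
    return dict(buckets)

def summarize(buckets):
    """Return (distinct sources per window, distinct /16s seen, ramping?)."""
    if not buckets:
        return [], 0, False
    first, last = min(buckets), max(buckets)
    counts = [len(buckets.get(w, set())) for w in range(first, last + 1)]
    prefixes = {".".join(ip.split(".")[:2])
                for srcs in buckets.values() for ip in srcs}
    # "Ramping" (assumed definition): the distinct-source count never drops
    # from one window to the next and ends higher than it started.
    rising = all(b >= a for a, b in zip(counts, counts[1:]))
    return counts, len(prefixes), rising and counts[-1] > counts[0]

if __name__ == "__main__":
    counts, nets, ramping = summarize(sources_per_window(SAMPLE_LOG))
    print(f"sources/hour: {counts}, distinct /16s: {nets}, ramping: {ramping}")
```

A single scanner walking many destinations yields a flat count of one source per window, so it does not register as a ramp; a rising count seen from one vantage point still needs corroboration from other networks.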

