RE: looking for what? portscan 15000/tcp
From: Cushing, David (david.cushing@quadrasis.com)Date: 08/23/02
- Previous message: Jonathan Rickman: "Re: Unicode worm?"
- Maybe in reply to: Fabio Pietrosanti (naif): "looking for what? portscan 15000/tcp"
- Next in thread: Thomas Cannon: "Re: looking for what? portscan 15000/tcp"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 23 Aug 2002 13:46:40 -0400 From: "Cushing, David" <david.cushing@quadrasis.com> To: "Fabio Pietrosanti (naif)" <naif@blackhats.it>, <incidents@securityfocus.com>
> Aug 23 07:34:02 router 548124: Aug 23 07:37:06 MEST:
> %SEC-6-IPACCESSLOGP: list 103 denied tcp
> 210.117.126.206(15000) -> xx.xx.1.1(15000), 1 packet
Port 15000 is used as a default for Borland/Visibroker's Gatekeeper product. It allows CORBA applications to multiplex through a single firewall port.
Since your curious visitor used port 15000 as a source and a destination, it looks as though they might have been trying to bypass restrictions by using a port that might be let through. 80 would be a better choice, though. Who runs Gatekeeper, anyway? <g>
On your question about hosts scanned: Can you see any relation between the numbers scanned and your actual network? i.e. did they have some pre-knowledge of what to poke for?
-David
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Previous message: Jonathan Rickman: "Re: Unicode worm?"
- Maybe in reply to: Fabio Pietrosanti (naif): "looking for what? portscan 15000/tcp"
- Next in thread: Thomas Cannon: "Re: looking for what? portscan 15000/tcp"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
