Re: looking for what? portscan 15000/tcp
From: Skip Carter (skip@taygeta.com)
Date: 08/23/02
To: incidents@securityfocus.com
Date: Fri, 23 Aug 2002 14:34:09 -0700
From: Skip Carter <skip@taygeta.com>

> More curious is that it specifies the source port as 15000 as well.
> Generally, I've only seen source ports specified for two reasons -- to get
> around IDS's by scanning from the FTP-DATA port for TCP or 53 for UDP to
> look like DNS responses or when someone's hunting for a backdoor that uses
> the source port as part of the authentication mechanism.
I suspect that the fact that the source port and destination ports are both
the same reflects a common origin of this exploit tool with that of other
probe tools (there is one that does this for ssh on 22 and ftp on 21).
Perhaps the original author was confused about the src/dest port designations
or was trying to fool an early firewall, and set the two to the same.
Since then, that code has been the starting point for multiple probe tools.
--
Dr. Everett (Skip) Carter
Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc.
INTERNET: skip@taygeta.com
1340 Munras Ave., Suite 314
WWW: http://www.taygeta.com
Monterey, CA. 93940

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
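
Added example, not part of the original message or of any tool it mentions: a small detector for the fingerprint discussed in this thread, initial TCP SYNs whose source port equals the destination port, grouped by source. The log format (simplified iptables LOG style), the sample lines, the function names and the `min_targets` threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified iptables LOG style.
# Addresses come from documentation ranges; none are from the thread.
SAMPLE_LOG = """\
Aug 23 14:01:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=15000 DPT=15000 SYN
Aug 23 14:01:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP SPT=15000 DPT=15000 SYN
Aug 23 14:01:03 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=15000 DPT=15000 SYN
Aug 23 14:02:10 fw kernel: IN=eth0 SRC=203.0.113.4 DST=198.51.100.5 PROTO=TCP SPT=41822 DPT=22 SYN
Aug 23 14:02:11 fw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=22 DPT=22 SYN
Aug 23 14:02:12 fw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.6 PROTO=TCP SPT=22 DPT=22 ACK SYN
Aug 23 14:03:00 fw kernel: IN=eth0 SRC=198.51.100.8 DST=198.51.100.9 PROTO=UDP SPT=123 DPT=123
"""

FIELD = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN"}


def parse(line):
    """Return (key=value fields, set of bare TCP flag tokens) for one log line."""
    fields = dict(FIELD.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags


def same_port_probes(log_text, min_targets=2):
    """Map (src, port) -> sorted targets for initial TCP SYNs with SPT == DPT."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields, flags = parse(line)
        if fields.get("PROTO") != "TCP":
            continue  # UDP services such as NTP legitimately use equal ports
        if "SYN" not in flags or "ACK" in flags:
            continue  # keep connection attempts only, not SYN/ACK replies
        if fields.get("SPT") and fields.get("SPT") == fields.get("DPT"):
            hits[(fields["SRC"], int(fields["DPT"]))].add(fields["DST"])
    # A single equal-port SYN can be coincidence; several targets suggest a tool.
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_targets}


if __name__ == "__main__":
    for (src, port), targets in same_port_probes(SAMPLE_LOG).items():
        print(f"{src}: SYNs with src port = dst port {port} to {len(targets)} hosts")
```
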