port 5248

From: Brian Collins (listbc_at_newnanutilities.org)
Date: 06/27/03

    To: incidents@securityfocus.com
    Date: 26 Jun 2003 23:50:33 -0400
    
    

    For about the last 2 weeks I've been getting attempted connections to
    tcp/5248 on one of my machines. So far I count 19 different sources
    from varying blocks dating back to June 19. This hasn't shown up in
    other firewall logs on our network, so it doesn't appear to be a scan.

    Window sizes are all either 1400 or 1024. Source ports are all either
    13568 or 80. TTLs vary from 43 to 55. This server only does DNS.

    I have some full packet captures available if anyone is interested.

    Thanks,
    Brian Collins
    Sys Admin
    Newnan Utilities
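One way to tally connection attempts like those described above, as an added example that is not part of the original post. The log format, field order and sample records are constructed; only the port, window and source-port values come from the message.

```python
from collections import Counter

# Constructed sample records (not from the post):
# date, source IP, source port, dest port, TCP window, TTL.
# Source addresses use the RFC 5737 documentation ranges.
SAMPLE = """\
2003-06-19 192.0.2.10 13568 5248 1400 43
2003-06-19 198.51.100.7 80 5248 1024 55
2003-06-21 203.0.113.44 13568 5248 1024 49
2003-06-22 192.0.2.10 80 5248 1400 47
2003-06-23 198.51.100.99 4021 22 5840 64
2003-06-25 203.0.113.5 80 5248 1400 51
"""

WINDOWS = {1400, 1024}   # window sizes reported in the post
SPORTS = {13568, 80}     # source ports reported in the post

def byteswap16(port):
    """Swap the two bytes of a 16-bit port (host vs. network byte order)."""
    return ((port & 0xFF) << 8) | (port >> 8)

def parse(text):
    """Yield one dict per well-formed record; skip malformed lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6 or not all(x.isdigit() for x in f[2:]):
            continue
        sport, dport, win, ttl = map(int, f[2:])
        yield {"date": f[0], "src": f[1], "sport": sport,
               "dport": dport, "win": win, "ttl": ttl}

def summarize(text, dport=5248):
    """Summarize attempts to dport that match the reported fingerprint."""
    hits = [r for r in parse(text) if r["dport"] == dport]
    match = [r for r in hits if r["win"] in WINDOWS and r["sport"] in SPORTS]
    ttls = [r["ttl"] for r in match]
    return {
        "probes": len(match),
        "off_pattern": len(hits) - len(match),  # same port, other fingerprint
        "sources": len({r["src"] for r in match}),
        "per_day": dict(Counter(r["date"] for r in match)),
        "ttl_range": (min(ttls), max(ttls)) if ttls else None,
        # Byte-swapped view of each source port seen (13568 is 0x3500 -> 53).
        "sports_swapped": {p: byteswap16(p) for p in {r["sport"] for r in match}},
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```
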
