Scan of TCP 552-554
From: Bill McCarty (bmccarty_at_pt-net.net)
Date: 07/24/03
- Previous message: Stuart: "RE: Port 0 packets"
- Next in thread: Frank Knobbe: "Re: Scan of TCP 552-554"
- Reply: Frank Knobbe: "Re: Scan of TCP 552-554"
- Maybe reply: Nick Nauwelaerts: "RE: Scan of TCP 552-554"
- Maybe reply: Justin Pryzby: "Re: Scan of TCP 552-554"
Date: Thu, 24 Jul 2003 00:08:21 -0700
To: Incidents <incidents@securityfocus.com>
Hi all,
A scan of TCP 552-554 just passed through my class C network. The scanner
expressed some interest in one host listening on TCP 554 and so is pretty
clearly looking for RTSP servers. As it happens, the responding server is a
honeypot running Windows 2003. The scanner didn't seem to send an attack;
apparently, it was merely a probe.
What might it be looking for on TCP 552-553 and, more particularly, why
might a scanner interested in RTSP also scan those ports? The ports are
registered for use by deviceshare and PIRP (Public Information Retrieval
Protocol). But, I don't suspect that the scanner is interested in those
services, since they don't seem to be associated with RTSP. Could the
scanner simply be comparing the response for port 554 with those for the
other ports, in order to assess possible firewall rules?
Thanks for your thoughts!
---------------------------------------------------
Bill McCarty