Re: ICMP port 2048 scans

From: Marcel Thraenhardt (mt_at_mdlink.de)
Date: 08/22/03

  • Next message: Greg Owen: "Can anyone identify this possible backdoor?"
    Date: 22 Aug 2003 12:21:57 -0000
    To: incidents@securityfocus.com
    In-Reply-To: <Law15-F50f3sllNY30k0001b928@hotmail.com>

    Hello morgs,
    > Is it just me or is anyone else getting nailed every 1 minite from various
    > sources asking for a connection to port 2048. There seems to be various
    > services that use this port including things like router configuration and
    > ssh in some cases. Some new worm or virus maybe?
    >

    Every minute would be nice, there are a few million
    connections a day in our /19 net currently and the
    number is rapidly rising (since 2003-08-19).

    Am I right you get this information from a Cisco
    router or a non-Linux firewall? I also wondered what
    port 2048/icmp would mean. The ICMP protocol doesn't
    implement ports, but the headers are similar to TCP
    and UDP. ICMP uses specific types and codes instead of
    ports. If you code "2048" to HEX, you get 0x8000, this
    means ICMP type 8, code 0, in words "echo request" aka
    "ping".

    It took me some time to figure out these connections
    are ordinary pings.

    Anyway, they cause heavy load to our Netflow-based
    Accounting.

    Does anybody have the same problems or even know where
    the scans come from?

    Marcel

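The decoding Marcel describes, worked through as an added example (not code from the original post): Netflow-style exporters put the ICMP type in the high byte and the code in the low byte of the destination "port" field, so 2048 (0x0800) is type 8, code 0. The record layout below is an assumed, constructed format rather than any real collector's output; the helper splits the pseudo-port and tallies echo-request flows per source so a flood of pings can be told apart from real traffic to TCP or UDP port 2048.

```python
import re
from collections import Counter

# Constructed sample records in an assumed Netflow-style text layout (not a
# real collector format): proto 1 is ICMP, and for ICMP the "dport" field
# carries type*256 + code rather than a transport port.
SAMPLE_FLOWS = """\
2003-08-19T10:00:01 198.51.100.5 -> 192.0.2.7 proto=1 dport=2048 pkts=1
2003-08-19T10:00:02 198.51.100.5 -> 192.0.2.8 proto=1 dport=2048 pkts=1
2003-08-19T10:00:03 203.0.113.9 -> 192.0.2.7 proto=1 dport=2048 pkts=1
2003-08-19T10:00:04 203.0.113.9 -> 192.0.2.9 proto=1 dport=771 pkts=1
2003-08-19T10:00:05 192.0.2.7 -> 198.51.100.5 proto=1 dport=0 pkts=1
2003-08-19T10:00:06 198.51.100.5 -> 192.0.2.7 proto=6 dport=2048 pkts=3
"""

FLOW_RE = re.compile(
    r"(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) proto=(?P<proto>\d+) "
    r"dport=(?P<dport>\d+) pkts=(?P<pkts>\d+)")

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}

def decode_icmp_port(port: int) -> tuple[int, int]:
    """Split a Netflow ICMP pseudo-port into (type, code).
    2048 == 0x0800 -> high byte 8, low byte 0 -> echo request."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError(f"not a 16-bit value: {port}")
    return port >> 8, port & 0xFF

def describe_icmp_port(port: int) -> str:
    icmp_type, code = decode_icmp_port(port)
    name = ICMP_TYPES.get(icmp_type, "unknown")
    return f"ICMP type {icmp_type} code {code} ({name})"

def echo_request_sources(flow_text: str) -> Counter:
    """Count ICMP echo-request packets per source address. TCP/UDP flows to
    a real port 2048 are skipped so they are not mistaken for pings."""
    hits = Counter()
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line)
        if not m or int(m["proto"]) != 1:
            continue
        if decode_icmp_port(int(m["dport"])) == (8, 0):
            hits[m["src"]] += int(m["pkts"])
    return hits

if __name__ == "__main__":
    print(describe_icmp_port(2048))
    for src, n in echo_request_sources(SAMPLE_FLOWS).most_common():
        print(f"{src}: {n} echo request(s)")
```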

