Re: ICMP port 2048 scans

From: Ryan McConky (rmcconky_at_webmd.net)
Date: 08/22/03

    Date: 22 Aug 2003 21:50:53 -0000
    To: incidents@securityfocus.com
    In-Reply-To: <Law15-F50f3sllNY30k0001b928@hotmail.com>

    We are seeing the same thing on our routers. What is troubling me is that
    it is incrementing the dest ip by one each second. Like it is scanning.
    It is scanning internal and external networks. Most traced to Asian
    countries. Anyone else seeing this?

    >From: "morgs ." <morgs808@hotmail.com>
    >To: incidents@securityfocus.com
    >Subject: ICMP port 2048 scans
    >Date: Wed, 20 Aug 2003 12:17:12 +1000
    >
    >Is it just me or is anyone else getting nailed every 1 minute from various
    >sources asking for a connection to port 2048. There seems to be various
    >services that use this port including things like router configuration and
    >ssh in some cases. Some new worm or virus maybe?
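Since ICMP has no ports, "port 2048" in these logs is almost certainly the ICMP type/code pair read as one 16-bit number: 0x0800 is type 8, code 0, an echo request. The Python below is an added example, not code from the thread; it decodes that field and flags any source whose echo requests walk destination addresses one at a time, the pattern Ryan describes. The log format and all addresses are constructed for the example.

```python
"""Decode 'ICMP port N' log entries and flag sequential-destination ping sweeps."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread). Many firewalls print the
# ICMP type/code bytes in the port column, so 2048 = 0x0800 = type 8, code 0.
SAMPLE_LOG = """\
Aug 22 21:50:01 fw kernel: DROP ICMP 203.0.113.10 -> 192.0.2.1 port 2048
Aug 22 21:50:02 fw kernel: DROP ICMP 203.0.113.10 -> 192.0.2.2 port 2048
Aug 22 21:50:03 fw kernel: DROP ICMP 203.0.113.10 -> 192.0.2.3 port 2048
Aug 22 21:50:04 fw kernel: DROP ICMP 203.0.113.10 -> 192.0.2.4 port 2048
Aug 22 21:50:09 fw kernel: DROP ICMP 198.51.100.7 -> 192.0.2.40 port 2048
Aug 22 21:50:10 fw kernel: DROP ICMP 198.51.100.7 -> 192.0.2.9 port 2048
Aug 22 21:50:11 fw kernel: DROP ICMP 198.51.100.7 -> 192.0.2.10 port 768
"""

LINE_RE = re.compile(r"ICMP (\S+) -> (\S+) port (\d+)")
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request",
              11: "time-exceeded"}


def decode_icmp_port(port):
    """Split a logged 'port' into (type, code, name); 2048 -> (8, 0, 'echo-request')."""
    icmp_type, code = port >> 8, port & 0xFF
    return icmp_type, code, ICMP_TYPES.get(icmp_type, "type-%d" % icmp_type)


def find_sweeps(log_text, min_run=3):
    """Return {source: longest run of echo-request destinations incrementing by one}."""
    dests = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, port = m.group(1), ipaddress.ip_address(m.group(2)), int(m.group(3))
        if decode_icmp_port(port)[0] != 8:
            continue  # only echo requests count toward a ping sweep
        dests[src].append(int(dst))
    result = {}
    for src, addrs in dests.items():
        best = cur = 1
        for prev, nxt in zip(addrs, addrs[1:]):
            cur = cur + 1 if nxt == prev + 1 else 1
            best = max(best, cur)
        if best >= min_run:
            result[src] = best
    return result


if __name__ == "__main__":
    print(decode_icmp_port(2048), find_sweeps(SAMPLE_LOG))
```

A real deployment would also key on the one-second spacing between hits; this block only checks address adjacency so it stays independent of each logger's timestamp format.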
