RE: Increase in scans on TCP port 1 (tcpmux)?

From: Kevin Patz (jambo_cat_at_yahoo.com)
Date: 08/24/03

  • Next message: Jeff Peterson: "RE: Software vendor clueless" 
    Date: Sun, 24 Aug 2003 11:27:10 -0700 (PDT)
To: Joel Esler <eslerj@knology.net>

    It looks like the scans are continuing, on ever
    decreasing IP ranges. When I look at my logs from
    Friday afternoon - Sunday afternoon, I see scans from
    24.50.*, 24.49.*, 24.35.*, 24.34.*. As these IP
    ranges span multiple ISPs, I'm still thinking it's
    either spoofed source IPs or a script kiddie hunting
    down infected boxes with decreasing IPs and initiating
    scans from them.

    I'm still wondering why someone would scan TCP port 1.
     Maybe they're just probing for active IPs?

      KJP

    --- Joel Esler <eslerj@knology.net> wrote:
    > I have been seeing the same thing across different
    > areas. A lot of port 1
    > scanning. Don't know what it could be though.
    >
    > J

    =====
    There are no stupid questions, only stupid people asking them.

    __________________________________
    Do you Yahoo!?
    Yahoo! SiteBuilder - Free, easy-to-use web site design software
    http://sitebuilder.yahoo.com

    ---------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
    technical IT security event. Modeled after the famous Black Hat event in
    Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com
    ----------------------------------------------------------------------------

  • Next message: Jeff Peterson: "RE: Software vendor clueless"

    Relevant Pages