RE: Scanned on 16 TCP ports, anyone seen this before?

From: Lawrence Baldwin (baldwinL_at_mynetwatchman.com)
Date: 02/02/04

    To: "Kevin Patz" <jambo_cat@yahoo.com>, <incidents@securityfocus.com>
    Date: Mon, 2 Feb 2004 16:25:10 -0500
    
    

    Yeah, very odd indeed...definitely pretty prolific...have had > 20 mNW
    users report this IP, over 20,000 events total...looks like he's hitting the
    same port (sets) here too....a high percentage have a *src* port of 18765

    http://www.mynetwatchman.com/LID.asp?IID=72800353

    Lawrence Baldwin
    myNetWatchman.com

    -----Original Message-----
    From: Kevin Patz [mailto:jambo_cat@yahoo.com]
    Sent: Monday, February 02, 2004 14:21
    To: incidents@securityfocus.com
    Subject: Scanned on 16 TCP ports, anyone seen this before?

    I noticed this when I was perusing the packet log on
    my Linux box. These scans all occurred at 2/2/04
    13:21:10 EST. The source IP was 65.177.48.74, RDNS is
    sdn-ap-024txhousP0074.dialsprint.net. Source port is
    18765, all TCP SYNs, same TTL. Destination ports, in
    order by packet sequence #, are:

    24215, 15859, 24759, 80, 2589, 32745, 18754, 14784,
    18462, 8080, 26859, 17547, 3128, 1029, 27784, 6588

    Of these destination ports, the only "familiar" ones
    are 80 (http), 2589 (Dagger), 3129 (Squid), 6588
    (AnalogX), 8080 (WebCache), and 1029 (ICQ).

    Has anyone else seen scans like this? Any ideas as to
    its purpose? I've seen Ring Zero and proxy scans but
    this one hit quite a few odd ports. Maybe a spammer
    looking for an open proxy?

    KJP

    =====
    I see dumb people...
    ...they're everywhere...
    ...they walk around like everyone else...
    ...they don't even know that they're dumb.


    ----------------------------------------------------------------------------
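A detection sketch for the pattern described in this thread (one source IP sending SYNs from a single fixed source port to many destination ports within the same moment), added here as an example and not code from either poster. The log layout, function name, thresholds and the documentation-range addresses are assumptions; the destination ports are the 16 listed in the original message.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout (not from the post): ts SRC= SPT= DST= DPT= FLAGS=
LINE = re.compile(r"(?P<ts>\S+) SRC=(?P<src>\S+) SPT=(?P<spt>\d+) "
                  r"DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)")

def fixed_sport_scans(lines, min_ports=10, window=timedelta(seconds=5)):
    """Map (src, sport, dst) -> sorted dst ports for every source that sent
    SYNs from ONE source port to >= min_ports distinct ports within window."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.search(line)
        if m and m["flags"] == "SYN":
            key = (m["src"], int(m["spt"]), m["dst"])
            events[key].append((datetime.fromisoformat(m["ts"]), int(m["dpt"])))
    flagged = {}
    for key, seen in events.items():
        seen.sort()
        best, start = set(), 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # slide the window forward
            ports = {port for _, port in seen[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            flagged[key] = sorted(best)
    return flagged

# Constructed sample. Destination ports are the 16 listed in the post; all
# addresses are documentation ranges, not the host named in the thread.
SCAN_PORTS = [24215, 15859, 24759, 80, 2589, 32745, 18754, 14784,
              18462, 8080, 26859, 17547, 3128, 1029, 27784, 6588]
FMT = "2004-02-02T13:21:{sec:02d} SRC={src} SPT={spt} DST=192.0.2.10 DPT={dpt} FLAGS=SYN"
SAMPLE = (
    # the pattern from the thread: one source port, 16 ports, same second
    [FMT.format(sec=10, src="203.0.113.9", spt=18765, dpt=p) for p in SCAN_PORTS]
    # ordinary clients: a fresh ephemeral source port per connection
    + [FMT.format(sec=i, src="198.51.100.7", spt=40000 + i, dpt=80) for i in range(12)]
    # SYN retransmissions: same port pair repeated, only one distinct dport
    + [FMT.format(sec=20 + i, src="198.51.100.8", spt=51000, dpt=443) for i in range(3)]
)

if __name__ == "__main__":
    for (src, spt, dst), ports in fixed_sport_scans(SAMPLE).items():
        print(f"{src}:{spt} -> {dst}: {len(ports)} ports {ports}")
```

Keying on the source port is what separates this traffic from ordinary clients, which pick a new ephemeral source port for each connection and so never accumulate more than one destination port per key.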

