Re: Who is looking for port 2036?
From: Tillmann Werner (tillmann.werner_at_gmx.de)
Date: 10/26/05
- Previous message: Daniel Hanson: "Moderator's note: SSH bruteforce on its way.."
- In reply to: Joakim Berge: "Who is looking for port 2036?"
- Next in thread: Joakim Berge: "Re: Who is looking for port 2036?"
- Reply: Joakim Berge: "Re: Who is looking for port 2036?"
To: incidents@securityfocus.com
Date: Wed, 26 Oct 2005 21:48:53 +0200
Joakim,
> The scan seems to be from a large botnet, across the world.
What makes you believe the attack's origin is a botnet?
> They have only targeted one ip, and it doesn't respond to those ports.
Your samples only showed port 2036/tcp on a very low frequency. Is this
representative for a longer period? What is the percentage of port 80/tcp
packets?
> Is it the tryout of a new worm?
Unlikely, if it only targets a single IP address which does not respond. HTTP
might be used as destination port for such packets are likely to go through
firewalls.
If you are interested in further investigation, you could run netcat on the
attacked host to see if connection establishment goes on and if there arrives
any data.
Tillmann
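
The listener suggested in the message above, as an added example that is not part of the original post: a passive TCP listener that completes the handshake, sends nothing back, and records whether each peer delivers any data. The names `capture` and `summarize` and all defaults other than port 2036 are assumptions made for this sketch.

```python
import socket
import time

def capture(port=2036, host="0.0.0.0", max_conns=1, wait=30.0,
            max_bytes=4096, ready=None):
    """Accept up to max_conns connections and record what each peer sends.

    Hypothetical helper: it never writes to the socket, so the only thing
    the remote side learns is that the port accepts connections.
    """
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        srv.settimeout(wait)              # stop waiting if nothing arrives
        if ready is not None:
            ready(srv.getsockname()[1])   # report the bound port (for port=0)
        while len(records) < max_conns:
            try:
                conn, (ip, sport) = srv.accept()
            except socket.timeout:
                break
            with conn:
                conn.settimeout(wait)
                data = b""
                try:
                    while len(data) < max_bytes:
                        chunk = conn.recv(max_bytes - len(data))
                        if not chunk:     # peer closed the connection
                            break
                        data += chunk
                except (socket.timeout, ConnectionError):
                    pass                  # keep whatever arrived before the error
                records.append({"ts": time.time(), "src": ip,
                                "sport": sport, "payload": data})
    return records

def summarize(rec):
    """One log line per connection: source and a hex preview of the payload."""
    p = rec["payload"]
    body = f"{len(p)} bytes, hex={p[:32].hex()}" if p else "handshake only, no data"
    return f'{rec["src"]}:{rec["sport"]} -> {body}'

if __name__ == "__main__":
    for r in capture(max_conns=10, wait=60.0):
        print(summarize(r))
```

A record with an empty payload means the peer completed the handshake and then closed or stayed silent; a non-empty payload is the data to examine further.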