Re: Who is looking for port 2036?

From: Joakim Berge (joakim.berge_at_gmail.com)
Date: 10/27/05

    Date: Thu, 27 Oct 2005 20:10:19 +0200
    To: incidents@securityfocus.com
    
    

    On 10/26/05, Tillmann Werner <tillmann.werner@gmx.de> wrote:
    > Joakim,
    >
    > > The scan seems to be from a large botnet, across the world.
    >
    > What makes you believe the attack's origin is a botnet?
    >
    I believe it is a botnet because the source addresses are a couple of
    hundred different ones (I think.... haven't counted). I don't see any
    pattern, and they are spread across the planet.

    > > They have only targeted one ip, and it doesn't respond to those ports.
    >
    > Your samples only showed port 2036/tcp on a very low frequency. Is this
    > representative for a longer period? What is the percentage of port 80/tcp
    > packets?
    >

    This has been going on for a month, and the frequency is about 200 per
    day for 2036 and 50 per day for 80. NFR also reports combined scan for
    "2036 80".

    > > Is it the tryout of a new worm?
    >
    > Unlikely, if it only targets a single ip address which does not respond. Http
    > might be used as destination port for such packets are likely to go through
    > firewalls.
    >
    > If you are interested in further investigation, you could run netcat on the
    > attacked host to see if connection establishment goes on and if there arrives
    > any data.
    >
    > Tillmann
    >

    --
    Joakim Berge
    Tlf. +47 93489696
    MSN. joakim.berge@gmail.com
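
Added example, not part of the original message: one way to turn the estimates discussed in this thread (number of distinct sources, probes per day on 2036 and 80, and sources hitting both ports) into counts from sensor or firewall logs. The log format, the sample records and the function name `summarize` are assumptions made for illustration; this is not NFR output.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real traffic, not NFR output):
# "<ISO timestamp> <source ip> <destination port>"; addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2005-10-25T01:12:03 192.0.2.10 2036
2005-10-25T03:40:51 198.51.100.7 2036
2005-10-25T03:40:55 198.51.100.7 80
2005-10-25T09:02:17 203.0.113.99 2036
2005-10-26T02:15:44 192.0.2.10 2036
2005-10-26T11:59:08 203.0.113.5 80
2005-10-26T18:30:00 192.0.2.200 2036
not a log line
"""

def summarize(log_text, ports=(2036, 80)):
    """Count probes, distinct sources and per-day rate for each watched port."""
    sources = defaultdict(set)   # port -> set of source addresses
    hits = defaultdict(int)      # port -> number of probes
    days = set()                 # calendar days seen in the log
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue             # skip malformed records
        try:
            stamp = datetime.fromisoformat(fields[0])
            port = int(fields[2])
        except ValueError:
            continue
        if port not in ports:
            continue
        days.add(stamp.date())
        sources[port].add(fields[1])
        hits[port] += 1
    n_days = max(len(days), 1)
    report = {p: {"probes": hits[p], "distinct_sources": len(sources[p]),
                  "per_day": hits[p] / n_days} for p in ports}
    # Sources seen on every watched port, i.e. the combined "2036 80" pattern.
    report["combined_sources"] = sorted(set.intersection(*(sources[p] for p in ports)))
    return report

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

A large count of distinct sources with few repeats per source is what would support the distributed-origin reading; a small set of addresses producing most of the probes would not.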
    
