Subject: Re: Port 109 scanning
From: Andy Duncan (andyduncan@MOTIVES.CO.UK)
Date: Tue Nov 07 2000 - 06:41:07 CST
Yeah, I had me one of those:
[**] spp_portscan: PORTSCAN DETECTED from 209.34.16.122 (STEALTH) [**]
11/01-13:29:36.432711
[**] SCAN-SYN FIN [**]
11/01-13:29:36.405926 209.34.16.122:109 -> 212.x.x.x:109
TCP TTL:24 TOS:0x0 ID:39426
**SF**** Seq: 0x5297F633 Ack: 0x511E051C Win: 0x404
and speaking of virtually abandoned protocols, I had one on gopher a
few days previously:
[**] spp_portscan: PORTSCAN DETECTED from 198.108.64.13 (STEALTH) [**]
10/31-07:41:22.405191
[**] SCAN-SYN FIN [**]
10/31-07:41:22.338681 198.108.64.13:70 -> 212.x.x.x:70
TCP TTL:25 TOS:0x0 ID:39426
**SF**** Seq: 0x506113C6 Ack: 0x582CAC4A Win: 0x404
> -----Original Message-----
> From: A.L.Lambert [mailto:alambert@EPICREALM.COM]
> Sent: 06 November 2000 13:26
> To: INCIDENTS@securityfocus.com
> Subject: Port 109 scanning
>
>
> I'm curious if anyone else has been getting port 109 SYN/FIN scans
> lately? (src 109 -> dst 109). I've gotten them from two separate
> sources, several days apart (looks like a sequential scan of multiple
> class A networks), and I thought it was a bit odd, since last time I
> heard, POP2 was a virtually abandoned protocol (at least I've never
> seen it in use, and I've been mucking around on the net for a long
> time now), and in this day and age, a SYN/FIN scan is almost certain
> to set off IDSs.
>
> Normally a targeted scan looking for something that won't hurt my
> network wouldn't do much more than wake me up enough to e-mail the
> admins of the offending network, but this one has my curiosity
> aroused, since on the surface, it looks both noisy, and pointless (or
> are there vulnerable pop2 servers all over the net that I'm unaware
> of?).
>
> The sources of the scans were 204.31.162.252, and 209.84.237.75, and
> the targets were in the 200.x.x.x and 213.x.x.x netblocks.
>
> Anyway, anyone with comments/thoughts, I'd be interested. Thanks in
> advance.
>
> --A.L.Lambert
>
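
Added example, not part of either poster's message: a Python script that parses the Snort alert text quoted in the reply above, keeps packets with SYN and FIN both set and source port equal to destination port, and groups them by IP ID and TCP window to show which sources sent identically built probes. The field layout is assumed from the alerts shown in this message, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Packet decodes copied from the two Snort alerts quoted in the message above.
ALERTS = """\
[**] SCAN-SYN FIN [**]
11/01-13:29:36.405926 209.34.16.122:109 -> 212.x.x.x:109
TCP TTL:24 TOS:0x0 ID:39426
**SF**** Seq: 0x5297F633 Ack: 0x511E051C Win: 0x404
[**] SCAN-SYN FIN [**]
10/31-07:41:22.338681 198.108.64.13:70 -> 212.x.x.x:70
TCP TTL:25 TOS:0x0 ID:39426
**SF**** Seq: 0x506113C6 Ack: 0x582CAC4A Win: 0x404
"""

# Three consecutive lines: timestamp/endpoints, IP header fields, TCP flags/window.
PACKET = re.compile(
    r"^(?P<ts>\d\d/\d\d-[\d:.]+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\n"
    r"TCP TTL:(?P<ttl>\d+) TOS:\S+ ID:(?P<ipid>\d+)\n"
    r"(?P<flags>[*\w]{8}) Seq: \S+ Ack: \S+ Win: (?P<win>0x[0-9A-Fa-f]+)$",
    re.MULTILINE,
)

def parse_packets(text):
    """Return one dict per decoded TCP packet found in the alert text."""
    packets = []
    for m in PACKET.finditer(text):
        p = m.groupdict()
        for key in ("sport", "dport", "ttl", "ipid"):
            p[key] = int(p[key])
        p["win"] = int(p["win"], 16)
        packets.append(p)
    return packets

def is_synfin_mirror(p):
    """True when SYN and FIN are both set and source port equals destination port."""
    return "S" in p["flags"] and "F" in p["flags"] and p["sport"] == p["dport"]

def group_by_fingerprint(packets):
    """Map (IP ID, TCP window) to the sorted source addresses sharing those values."""
    groups = defaultdict(set)
    for p in filter(is_synfin_mirror, packets):
        groups[(p["ipid"], p["win"])].add(p["src"])
    return {fp: sorted(srcs) for fp, srcs in groups.items()}

if __name__ == "__main__":
    for (ipid, win), srcs in group_by_fingerprint(parse_packets(ALERTS)).items():
        print(f"IP ID {ipid}, window {win:#x}: {len(srcs)} source(s): {', '.join(srcs)}")
```

Both quoted probes fall into a single group (IP ID 39426, window 0x404) despite coming from different addresses and targeting different ports, which is the kind of fixed header value worth correlating on when comparing reports like these.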