Re: Exploit on tcp/4128?

From: H Carvey (keydet89yahoo.com)
Date: Tue Feb 15 2005 - 05:06:11 CST


In-Reply-To: <FJEGKKBKOEFBAAINEADJKEJKEKAA.baldwinLmynetwatchman.com>

Lawrence,

Just out of curiosity, if this host is "scanning the world" for this port, why are you scanning it? Usually, when a host scans, it issues queries to the destination port (in this case, 4128).

I think when folks have referred to using netcat in cases such as this in the past, what they've referred to is using netcat in listening mode to capture packets, so that when you ask what the scan is looking for, one has actual data to look at. Over on incidents.org, the analysts are always asking for packet data when someone reports an increase in activity on any particular port. Doing this would probably be of greater benefit than firing netcat (I would've used nmap, as you would have some data regarding packets sent to the port and responses) at it.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

>Anyone know what this is:
>
>D:\nc>nc -n -v 64.132.205.69 4128
>(UNKNOWN) [64.132.205.69] 4128 (?) open
>
>'ÍP? ? Version? 1.3? Error? ? ? Msg? Invalid Packet
>'ÍP? ? Version? 1.3? Error? ? ? Msg? Invalid Packet
>'ÍP? ? Version? 1.3? Error? ? ? Msg? Invalid Packet
>'ÍP? ? Version? 1.3? Error? ? ? Msg? Invalid Packet
>
>'ÍP? ? Version? 1.3? Error? ? ? Msg? Invalid Packet
>'ÍP?
> ? Version? 1.3? Error? ? ? Msg? Invalid Packet ^C
>
>
>The same host above is scanning the *world* for this port:
>
>http://www.mynetwatchman.com/LID.asp?IID=146159119
>
>Regards,
>
>Lawrence Baldwin
>myNetWatchman.com
>
>