Hi,

I don't think those are random attacks. Vulnerable services/daemons often
listen on such ports.

On Fri, Apr 20, 2001 at 05:07:13PM -0700, Brian Thomas wrote:
> I'm seeing an interesting attack that's been going on for about a day now
> from various sites, mostly in Saudi Arabia. I'm a little puzzled because
> while these sorts of scans are nothing new, it's sustained and hitting
> some really weird ports. A list of destination ports culled from the past
> 24 hours yields:
>
> 1024   NFS
> 1080   Wingate, good for relaying/spoofing
> 110    pop daemon, qpopper (only old ones)
> 111    portmapper (no known vulnerability, but is needed for NFS or rpc.statd, where there is a common exploit)
> 143    imap (no recent ones, but older ones)
> 19216  Not sure, might be some windows trojan
> 21     ftp, vulnerable old daemons i.e. proftpd, wuftpd
> 23     telnet
> 2766
> 33696
> 33807
> 33848
> 38061  Not sure, might be some windows trojan
> 389    LDAP. Anyone knows a vulnerability? Perhaps NT ldapd's..
> 44767  Not sure, might be some windows trojan
> 515    lpd, recent exploit
> 52     Not sure, might be some windows trojan
> 53     named, "some" exploits :)
> 555    sounds like some bindshell or so
> 6000   X
> 79     fingerd, recently cfingerd

> Some of the stuff in there (Like 44767) are pretty unique to sscan attacks,
> so my first thought is it's one of those. But whomever this person / these
> people is/are they're certainly picking some odd things to probe. The 389
> is an ldap scan, but 52? 38061? 33XXX > 33600? 19216? I have to say, I'm
> at a loss. Maybe a customized sscan probe?

A strange customized scan probe, or it might scan specifically for
bindshells. That would even save you the work to exploit a service...
Anyone has a list which worm creates bindshells on what port?

MfG/Regards, Alexander

-- 
Alexander Reelsen   http://joker.rhwd.de
refat_private       GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB
arat_private        7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C
Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO
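The triage discussed in the thread, as an added example that is not part of either poster's message: it groups firewall log hits by source, separates the destination ports the reply attributes to a service from the ones it leaves unexplained, and lists the unexplained ports to check for unexpected listeners on your own hosts. The iptables-style log lines, the addresses, the `min_ports` threshold and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Service guesses as given in the reply above (wording shortened).
ANNOTATED = {
    1024: "NFS", 1080: "Wingate", 110: "pop daemon", 111: "portmapper",
    143: "imap", 21: "ftp", 23: "telnet", 389: "LDAP", 515: "lpd",
    53: "named", 6000: "X", 79: "fingerd",
}

# Constructed sample input (iptables LOG style, documentation addresses).
SAMPLE_LOG = """\
Apr 20 17:01:02 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40112 DPT=111 SYN
Apr 20 17:01:03 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40113 DPT=111 SYN
Apr 20 17:01:04 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40114 DPT=515 SYN
Apr 20 17:01:05 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40115 DPT=44767 SYN
Apr 20 17:01:06 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40116 DPT=555 SYN
Apr 20 17:01:07 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=40117 DPT=53
Apr 20 18:20:11 gw kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=53 SYN
Apr 20 18:20:12 gw kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=33696 SYN
Apr 20 18:20:13 gw kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51002 DPT=38061 SYN
Apr 20 19:00:00 gw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=60000 DPT=23 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def triage(log_text, min_ports=3):
    """Return {source: {"annotated": {port: service}, "unexplained": [ports]}}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # non-TCP and unparseable lines are skipped
            seen[m.group("src")].add(int(m.group("dpt")))
    report = {}
    for src, ports in seen.items():
        if len(ports) < min_ports:
            continue  # one stray connection is not a sweep
        report[src] = {
            "annotated": {p: ANNOTATED[p] for p in sorted(ports) if p in ANNOTATED},
            "unexplained": sorted(p for p in ports if p not in ANNOTATED),
        }
    return report

def ports_to_audit(report):
    """Unexplained ports across all sweeping sources, for a local listener check."""
    return sorted({p for r in report.values() for p in r["unexplained"]})

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for src, r in rep.items():
        print(src, r)
    print("check own hosts for listeners on:", ports_to_audit(rep))
```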