Hi all,

yesterday we received a scan for ports 53, 109 and 111 with the synscan tool from one IP for about one minute. Ports 53 and 111 are the well-known vulnerabilities of bind-daemon and rpc.statd, but what is 109 for? I know it's pop2, but I can't remember any exploits lately besides http://www.securityfocus.com/vdb/?id=283 and this is old news.

Has anyone received similar scans recently? Could this be a new variant of any of the latest worms? Could this be a simple synscan-scan where old and newer vulnerabilities have been mixed?

regards
axel

Times are MEST

--snip--
[**] spp_portscan: PORTSCAN DETECTED from 203.232.4.4 (STEALTH) [**]
04/24-17:21:10.724734

[**] IDS441 - SCAN - Synscan Portscan [**]
04/24-17:21:10.724083 203.232.4.4:109 -> x.x.x.68:109
TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x6D4C2D68 Ack: 0x50D8DCC2 Win: 0x404 TcpLen: 20

[**] spp_portscan: portscan status from 203.232.4.4: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
04/24-17:21:25.979399

[**] IDS441 - SCAN - Synscan Portscan [**]
04/24-17:21:25.962330 203.232.4.4:111 -> x.x.x.68:111
TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x5D276564 Ack: 0x29976377 Win: 0x404 TcpLen: 20

[**] spp_portscan: portscan status from 203.232.4.4: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH [**]
04/24-17:22:08.367210

[**] IDS441 - SCAN - Synscan Portscan [**]
04/24-17:22:08.366514 203.232.4.4:53 -> x.x.x.68:53
TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x23DC50AF Ack: 0x167205BA Win: 0x404 TcpLen: 20

[**] spp_portscan: End of portscan from 203.232.4.4: TOTAL time(58s) hosts(1) TCP(3) UDP(0) STEALTH [**]
04/24-17:25:20.680558
---snip---
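Added example, not part of the original post: a small Python parser for the three packet headers in the Snort excerpt above. It reports which header fields are identical across all probes and which properties of each packet are unusual for ordinary client connections. The function names are hypothetical and the sample holds only the packet lines copied from the excerpt, without the alert banners.

```python
import re

# Packet lines copied from the Snort excerpt in the post above.
SAMPLE = """\
04/24-17:21:10.724083 203.232.4.4:109 -> x.x.x.68:109
TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x6D4C2D68 Ack: 0x50D8DCC2 Win: 0x404 TcpLen: 20
04/24-17:21:25.962330 203.232.4.4:111 -> x.x.x.68:111
TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x5D276564 Ack: 0x29976377 Win: 0x404 TcpLen: 20
04/24-17:22:08.366514 203.232.4.4:53 -> x.x.x.68:53
TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x23DC50AF Ack: 0x167205BA Win: 0x404 TcpLen: 20
"""

# One packet header in the old Snort alert layout (8-character flag field).
PACKET = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>\S+)\s+ID:(?P<ip_id>\d+)\s+"
    r"IpLen:\d+\s+DgmLen:(?P<dgmlen>\d+)\s+"
    r"(?P<flags>[*A-Z0-9]{8})\s+Seq:\s*(?P<seq>\S+)\s+Ack:\s*(?P<ack>\S+)\s+"
    r"Win:\s*(?P<win>\S+)"
)

def parse_packets(text):
    """Return one dict per packet header found in Snort alert text."""
    return [m.groupdict() for m in PACKET.finditer(text)]

def constant_fields(packets):
    """Fields with the same value in every packet (timestamp excluded)."""
    if not packets:
        return {}
    return {k: v for k, v in packets[0].items()
            if k != "ts" and all(p[k] == v for p in packets)}

def anomalies(pkt):
    """Header properties that are unusual for an ordinary client connection."""
    found = []
    flags = pkt["flags"].replace("*", "")
    if "S" in flags and "F" in flags:
        found.append("SYN and FIN set together")
    if pkt["sport"] == pkt["dport"]:
        found.append("source port equals destination port")
    if "A" not in flags and int(pkt["ack"], 16) != 0:
        found.append("non-zero ack number without the ACK flag")
    return found
```

On this excerpt the constant fields include the IP ID (39426), TTL (26), window (0x404) and flag combination, while the ports and the sequence and ack numbers change per probe.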
This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 10:07:48 PDT