new worm scan?

From: Leon Rosenstein (l_rosensteinat_private)
Date: Thu Apr 26 2001 - 06:31:05 PDT


    Hi everyone, I just wanted to bring up something weird I saw last night.
    
    I have a DSL line and a computer running Windows at my house.  Besides
    getting the usual scans for FTP, DNS, and RPC I also got scanned for port
    109, which I think is pop-2.  Another weird thing (the ZoneAlarm warnings are
    at the bottom) was that besides getting scanned for all 4 (the packets are
    two seconds apart so it is probably automated) the initial packets were sent
    with the SF bit set.  I have not seen that in the past from worms or tools.
    Also, I went to port 80 and the site was not defaced.   Another thing: when I
    get scanned I also scan the system from 1-1024 to see what it is running.  A
    lot of times I find a web server and sometimes I have been able to find
    e-mail addys on the site and have mailed them and let them know their system
    was actively probing the internet and probably was compromised (I know it
    could be the hacker reading and responding but at least I make an attempt.
    One disgruntling response was when I told a Korean E-Commerce company that
    their server had scanned me and that if they were running a default install of a
    Linux system with no patches they were probably compromised and they replied
    that they wouldn't be surprised if they were and this wouldn't be the first
    time.  Um, sure you can have my credit card info).  Anyway, when I scanned
    this system it immediately scanned me back on the same 4 ports (21, 53,
    109, 11), this time with the SYN bit set.  I scanned it again and it scanned me
    back (both times the machine scanned me back the packets all arrived within 2
    seconds of each other so probably some automated defense or something?)
    
    Anyway I just wanted to see what the list thought.  The machine is still online
    running every service under the sun as I write this.
    
    Leon
    
    210.119.103.190
    
    The firewall has blocked Internet access to your computer (TCP Port 109)
    from 210.119.103.190 (TCP Port 109) [TCP Flags: SF].
     Time: 4/25/2001 23:29:36
    
    The firewall has blocked Internet access to your computer (FTP) from
    210.119.103.190 (FTP) [TCP Flags: SF].
     Time: 4/25/2001 23:29:38
    
    The firewall has blocked Internet access to your computer (TCP Port 111)
    from 210.119.103.190 (TCP Port 111) [TCP Flags: SF].
     Time: 4/25/2001 23:29:56
    
    The firewall has blocked Internet access to your computer (DNS) from
    210.119.103.190 (DNS) [TCP Flags: SF].
     Time: 4/25/2001 23:30:02
    
    The firewall has blocked Internet access to your computer (FTP) from
    sky.skytech.co.kr (210.119.103.190) (TCP Port 22673) [TCP Flags: S].
     Time: 4/25/2001 23:46:08
    
    The firewall has blocked Internet access to your computer (DNS) from
    sky.skytech.co.kr (210.119.103.190) (TCP Port 22674) [TCP Flags: S].
     Time: 4/25/2001 23:46:08
    
    The firewall has blocked Internet access to your computer (TCP Port 109)
    from sky.skytech.co.kr (210.119.103.190) (TCP Port 22677) [TCP Flags: S].
     Time: 4/25/2001 23:46:10
    
    The firewall has blocked Internet access to your computer (TCP Port 111)
    from sky.skytech.co.kr (210.119.103.190) (TCP Port 22678) [TCP Flags: S].
     Time: 4/25/2001 23:46:10
    
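Added example, not part of Leon's post: a small Python detector that parses ZoneAlarm entries in the format quoted above (the sample is the eight entries from the post, one per line) and reports a source that sweeps several ports within a short window, calling out the SYN+FIN ("SF") combination that no normal TCP stack emits. The 60-second window and 3-port threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# One ZoneAlarm "blocked" entry, once its wrapped lines are joined with spaces.
EVENT_RE = re.compile(
    r"blocked Internet access to your computer \((?P<dst>[^)]+)\) from "
    r"(?:\S+ \()?(?P<src>\d{1,3}(?:\.\d{1,3}){3})\)? \([^)]+\) "
    r"\[TCP Flags: (?P<flags>[A-Z]+)\]\.\s*Time: (?P<time>\d+/\d+/\d+ \d+:\d+:\d+)"
)
SERVICE_PORTS = {"FTP": 21, "DNS": 53}  # ZoneAlarm names these instead of numbering them
# Constructed sample: the eight entries quoted in the post, one per line.
SAMPLE_LOG = """\
The firewall has blocked Internet access to your computer (TCP Port 109) from 210.119.103.190 (TCP Port 109) [TCP Flags: SF]. Time: 4/25/2001 23:29:36
The firewall has blocked Internet access to your computer (FTP) from 210.119.103.190 (FTP) [TCP Flags: SF]. Time: 4/25/2001 23:29:38
The firewall has blocked Internet access to your computer (TCP Port 111) from 210.119.103.190 (TCP Port 111) [TCP Flags: SF]. Time: 4/25/2001 23:29:56
The firewall has blocked Internet access to your computer (DNS) from 210.119.103.190 (DNS) [TCP Flags: SF]. Time: 4/25/2001 23:30:02
The firewall has blocked Internet access to your computer (FTP) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22673) [TCP Flags: S]. Time: 4/25/2001 23:46:08
The firewall has blocked Internet access to your computer (DNS) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22674) [TCP Flags: S]. Time: 4/25/2001 23:46:08
The firewall has blocked Internet access to your computer (TCP Port 109) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22677) [TCP Flags: S]. Time: 4/25/2001 23:46:10
The firewall has blocked Internet access to your computer (TCP Port 111) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22678) [TCP Flags: S]. Time: 4/25/2001 23:46:10
"""

def port_of(label):
    """'TCP Port 109' -> 109, 'FTP' -> 21."""
    m = re.fullmatch(r"TCP Port (\d+)", label)
    return int(m.group(1)) if m else SERVICE_PORTS[label]

def parse_events(text):
    """Return (time, src, dst_port, flags) for every entry, sorted by time."""
    events = []
    for entry in re.split(r"(?=The firewall has blocked)", text):
        m = EVENT_RE.search(" ".join(entry.split()))  # collapse wrapped lines
        if m:
            t = datetime.strptime(m["time"], "%m/%d/%Y %H:%M:%S")
            events.append((t, m["src"], port_of(m["dst"]), m["flags"]))
    return sorted(events)

def find_port_sweeps(text, window_s=60, min_ports=3):
    """Group each source's events into window_s-second windows; report windows that
    touch >= min_ports distinct ports and whether any probe used SYN+FIN ("SF")."""
    by_src = defaultdict(list)
    for ev in parse_events(text):
        by_src[ev[1]].append(ev)
    sweeps = []
    for src, evs in by_src.items():
        i = 0
        while i < len(evs):
            start = evs[i][0]
            group = [e for e in evs[i:] if (e[0] - start).total_seconds() <= window_s]
            ports = sorted({e[2] for e in group})
            if len(ports) >= min_ports:
                sweeps.append({"src": src, "start": start, "ports": ports,
                               "syn_fin": any(e[3] == "SF" for e in group)})
            i += len(group)
    return sweeps
```

On the sample this yields two sweeps from 210.119.103.190, the 23:29 one marked as SYN+FIN and the 23:46 one as plain SYN.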



    This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 07:55:12 PDT