Re: TCP/1008 port scans

From: Joe Matusiewicz (joemat_private)
Date: Wed Apr 25 2001 - 10:29:11 PDT


    At 01:52 AM 4/25/01, Jeff Nieusma wrote:
    >anyone else getting TCP scans directed at port
    >1008? My solaris system says:
    >
    >- solaris7$ grep 1008 /etc/services
    >ufsd            1008/tcp        ufsd            # UFS-aware server
    >ufsd            1008/udp        ufsd
    >
    >I've seen 215 log entries this month from 9 Internet
    >hosts aimed at 177 internal hosts behind a filter that
    >denies port 1008. Anyone know anything about this?
    
    I've seen them every day for the past two weeks from 209.112.47.7
    (Canada).  But the scans I see also include port 1524, which is a
    well-known backdoor port.  Port 1008 is a backdoor for some exploit, the name of
    which escapes me right now.  Daily emails to the point of contact and the
    abuse address go unanswered.
    
    
    -- Joe
    


