Re: TCP/1008 port scans

From: Chris Baker (extremisat_private)
Date: Wed Apr 25 2001 - 21:27:58 PDT


    On Wed, Apr 25, 2001 at 05:52:42AM -0000, Jeff Nieusma wrote:
    > X-Mailer: Security Focus
    > Date:         Wed, 25 Apr 2001 05:52:42 -0000
    > From: Jeff Nieusma <nieusmaat_private>
    > Subject:      TCP/1008 port scans
    > To: INCIDENTSat_private
    >
    > Anyone else getting TCP scans directed at port
    > 1008? My Solaris system says:
    
    Some flavors of the crew.tgz (lion worm) do not include the t0rn rootkit, and
    bind a root shell to tcp/1008. What you are most likely seeing is trolling for
    these types of compromised hosts.
    
    >
    > - solaris7$ grep 1008 /etc/services
    > ufsd            1008/tcp        ufsd            # UFS-aware
    > server
    > ufsd            1008/udp        ufsd
    >
    > I've seen 215 log entries this month from 9 Internet
    > hosts aimed at 177 internal hosts behind a filter that
    > denies port 1008. Anyone know anything about this?
    >
    > Thanks,
    > - Jeff
    >
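
An added example, not part of the original message or thread: one way to summarize denied tcp/1008 probes per source and to check `netstat -an` output for a local listener on that port, which is the condition the reply describes on a compromised host. The log format, sample lines and addresses are constructed assumptions.

```python
import re
from collections import defaultdict

PORT = 1008  # port discussed in the thread

# Assumed (constructed) filter log format:
#   "<date> <time> DENY tcp <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"DENY\s+tcp\s+([\d.]+):\d+\s+->\s+([\d.]+):(\d+)")

SAMPLE_LOG = [  # constructed sample lines, documentation addresses
    "2001-04-25 05:10:01 DENY tcp 192.0.2.10:3301 -> 10.0.0.5:1008",
    "2001-04-25 05:10:01 DENY tcp 192.0.2.10:3302 -> 10.0.0.6:1008",
    "2001-04-25 05:10:02 DENY tcp 192.0.2.10:3303 -> 10.0.0.7:1008",
    "2001-04-25 06:40:17 DENY tcp 198.51.100.7:4000 -> 10.0.0.5:1008",
    "2001-04-25 07:02:44 DENY tcp 203.0.113.9:1008 -> 10.0.0.5:80",  # sport only
]

SAMPLE_NETSTAT = [  # constructed `netstat -an` lines, Solaris and Linux styles
    "      *.22                 *.*                0      0 24576      0 LISTEN",
    "tcp        0      0 0.0.0.0:1008            0.0.0.0:*               LISTEN",
]

def summarize_scans(lines, port=PORT):
    """Map each source address to the set of destinations it probed on `port`."""
    targets = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m and int(m.group(3)) == port:
            targets[m.group(1)].add(m.group(2))
    return dict(targets)

def sweepers(targets, min_hosts=3):
    """Sources that probed at least `min_hosts` distinct internal addresses."""
    return sorted(s for s, d in targets.items() if len(d) >= min_hosts)

def listening_on(netstat_lines, port=PORT):
    """True if a TCP socket is in LISTEN state on `port`.
    Handles "addr.port" (Solaris) and "addr:port" (Linux) local addresses."""
    for line in netstat_lines:
        fields = line.split()
        if "LISTEN" not in fields:
            continue
        # The local address is the first field ending in .port or :port
        local = next((f for f in fields if re.search(r"[.:](\d+|\*)$", f)), "")
        if local.endswith((f".{port}", f":{port}")):
            return True
    return False

if __name__ == "__main__":
    print(sweepers(summarize_scans(SAMPLE_LOG)), listening_on(SAMPLE_NETSTAT))
```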
    



    This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 13:50:23 PDT