Hello,

Recently, I got scanned by 198.202.195.254 on port 35817. It looks like the entire 64.0.0.0 netblock got scanned, at a rate of just over 2 seconds per /24 network. I didn't manage to get a packet capture of this scan, but I am most curious because I am not aware of any service that runs on this port, nor of any exploit that binds a shell to this port.

Here is an example of the scan, time in EST (GMT-5):

Date      Time     Proto Source                Destination      Action
24Apr2001 13:02:24 tcp   198.202.195.254:35817 64.55.x.y:35817  drop
24Apr2001 13:02:24 tcp   198.202.195.254:35817 64.55.x.y:35817  drop
....
25Apr2001 23:11:56 tcp   198.202.195.254:35817 64.241.x.y:35817 drop
25Apr2001 23:11:56 tcp   198.202.195.254:35817 64.241.x.y:35817 drop
....
25Apr2001 23:31:34 tcp   198.202.195.254:35817 64.242.x.y:35817 drop
25Apr2001 23:31:34 tcp   198.202.195.254:35817 64.242.x.y:35817 drop

Can someone confirm/correlate? Does anyone know what's going on?

Gary Portnoy
Network Administrator
gportnoyat_private
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
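
An added example, not part of the original post: Python code that parses drop-log lines in the format quoted in the message above and, per source and destination port, estimates seconds per /24 between the /16 networks the source was first seen in. It assumes the sweep walks the netblock sequentially; the names `parse` and `sweep_rates` are illustrative.

```python
import re
from datetime import datetime

# Log lines copied from the post above (destination octets are redacted as x.y there).
LOG = """\
24Apr2001 13:02:24 tcp 198.202.195.254:35817 64.55.x.y:35817 drop
24Apr2001 13:02:24 tcp 198.202.195.254:35817 64.55.x.y:35817 drop
....
25Apr2001 23:11:56 tcp 198.202.195.254:35817 64.241.x.y:35817 drop
25Apr2001 23:11:56 tcp 198.202.195.254:35817 64.241.x.y:35817 drop
....
25Apr2001 23:31:34 tcp 198.202.195.254:35817 64.242.x.y:35817 drop
25Apr2001 23:31:34 tcp 198.202.195.254:35817 64.242.x.y:35817 drop
"""

# date time proto src:port dst:port action; only the first two dst octets are needed
LINE = re.compile(
    r"^(\d{2}[A-Za-z]{3}\d{4} \d{2}:\d{2}:\d{2})\s+(\w+)\s+"
    r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+)\.(\d+)\.\S+?:(\d+)\s+(\w+)$"
)

def parse(text):
    """Yield (timestamp, source, dst_port, (octet1, octet2)) per well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skips the header row, "...." elisions and malformed lines
        ts = datetime.strptime(m.group(1), "%d%b%Y %H:%M:%S")
        yield ts, m.group(3), int(m.group(7)), (int(m.group(5)), int(m.group(6)))

def sweep_rates(text):
    """Map (source, dst_port) -> [(from_net16, to_net16, seconds_per_slash24), ...]."""
    first_seen = {}
    for ts, src, port, net16 in parse(text):
        first_seen.setdefault((src, port), {}).setdefault(net16, ts)
    rates = {}
    for key, nets in first_seen.items():
        ordered = sorted(nets.items(), key=lambda kv: kv[1])
        out = []
        for (n0, t0), (n1, t1) in zip(ordered, ordered[1:]):
            # Sequential-sweep assumption: every /16 stepped over holds 256 /24s.
            slash24s = abs((n1[0] * 256 + n1[1]) - (n0[0] * 256 + n0[1])) * 256
            if slash24s:
                out.append((n0, n1, (t1 - t0).total_seconds() / slash24s))
        rates[key] = out
    return rates

if __name__ == "__main__":
    for (src, port), steps in sweep_rates(LOG).items():
        for n0, n1, rate in steps:
            print(f"{src} port {port}: {n0[0]}.{n0[1]} -> {n1[0]}.{n1[1]}: {rate:.2f} s per /24")
```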
This archive was generated by hypermail 2b30 : Fri Apr 27 2001 - 12:43:20 PDT