Anyone have any ideas?

From: Jim Starke (jstarkeat_private)
Date: Mon May 14 2001 - 20:25:43 PDT

    While running ethereal tonight I saw someone scanning all of the ip
    addresses. I scrolled back and saw that my box was pinged twice and then
    approximately 7 minutes later, I saw an attempt to connect to port 1405
    all by the same ip address.
    
    No.   Time                      Source         Destination    Protocol  Info
    18960 2001-05-14 22:25:08.2490  206.239.3.90   xx.xxx.xx.xx   ICMP      Echo (ping) request
    18961 2001-05-14 22:25:09.2592  206.239.3.90   xx.xxx.xx.xx   ICMP      Echo (ping) request
    19236 2001-05-14 22:32:44.2349  206.239.3.90   xx.xxx.xx.xx   TCP       79 > 1405 [RST, ACK] Seq=0 Ack=3813890208 Win=0 Len=0
    
    I researched and found out the following information.
    
    ibm-res         1405/tcp   IBM Remote Execution Starter
    ibm-res         1405/udp   IBM Remote Execution Starter
    
    [whois.arin.net]
    Verio, Inc. (NET-VRIO-206-239)
       8005 South Chester Street
       Englewood, CO 80112
       US
    
       Netname: VRIO-206-239
       Netblock: 206.239.0.0 - 206.239.255.255
       Maintainer: VRIO
    
       Coordinator:
          Verio, Inc.  (VIA4-ORG-ARIN)  viparat_private
          303.645.1900
    
       Domain System inverse mapping provided by:
    
       NS0.VERIO.NET		129.250.15.61
       NS1.VERIO.NET		204.91.99.140
       NS2.VERIO.NET		129.250.31.190
    
       ********************************************
       Reassignment information for this block is
       available at rwhois.verio.net port 4321
       ********************************************
    
       Record last updated on 20-Aug-2000.
       Database last updated on 12-May-2001 22:47:54 EDT.
    
    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.
    
    I guess my questions are why they were attempting to connect to port
    1405 (I don't have any services on that port) and why they would be
    using port 79 to make the connection?
    
    Thanks in advance.
    
    Jim
    
    -- 
    Quidquid latine dictum sit, altum viditur.
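An added example, not part of the original post or the list archive: a small Python script that parses Ethereal summary lines of the shape shown above, correlates ICMP echo requests with later TCP traffic from the same source, and classifies the TCP packet by its flags and sequence number. The classification rule is standard TCP behaviour (RFC 793): when a SYN arrives at a closed port, the host answers with RST+ACK, sequence number 0 and an acknowledgement of the SYN's sequence number plus one. A `79 > 1405 [RST, ACK] Seq=0 Ack=...` line therefore matches what a remote host sends back after receiving a SYN addressed to its port 79 (finger) that appeared to come from the observer's port 1405, which is worth checking (a local finger lookup, or a SYN sent with the observer's address by a third party) before treating it as an inbound connection attempt. The sample input is the three lines from the post, with the masked destination left as the post shows it; the window of 15 minutes is an assumed tuning value.

```python
import re
from datetime import datetime

# Constructed sample: the three Ethereal summary lines quoted in the post.
CAPTURE = """\
18960 2001-05-14 22:25:08.2490 206.239.3.90 xx.xxx.xx.xx ICMP Echo (ping) request
18961 2001-05-14 22:25:09.2592 206.239.3.90 xx.xxx.xx.xx ICMP Echo (ping) request
19236 2001-05-14 22:32:44.2349 206.239.3.90 xx.xxx.xx.xx TCP 79 > 1405 [RST, ACK] Seq=0 Ack=3813890208 Win=0 Len=0
"""

# One summary line: number, timestamp, source, destination, protocol, free-form info.
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)
# TCP info column: "sport > dport [FLAGS] Seq=n Ack=n ...".
TCP_RE = re.compile(
    r"^(?P<sport>\d+) > (?P<dport>\d+) \[(?P<flags>[^\]]*)\]"
    r"(?: Seq=(?P<seq>\d+))?(?: Ack=(?P<ack>\d+))?"
)


def parse_line(line):
    """Parse one summary line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["no"] = int(rec["no"])
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    if rec["proto"] == "TCP":
        t = TCP_RE.match(rec["info"])
        if t:
            rec["sport"] = int(t["sport"])
            rec["dport"] = int(t["dport"])
            rec["flags"] = {f.strip() for f in t["flags"].split(",") if f.strip()}
            rec["seq"] = int(t["seq"]) if t["seq"] is not None else None
            rec["ack"] = int(t["ack"]) if t["ack"] is not None else None
    return rec


def classify_tcp(rec):
    """Explain what a TCP packet's flags and sequence number imply."""
    flags = rec.get("flags", set())
    if "SYN" in flags and "ACK" not in flags:
        return "inbound connection attempt (bare SYN)"
    if "RST" in flags and "ACK" in flags and rec.get("seq") == 0:
        # RFC 793: SYN to a closed port -> RST+ACK with SEQ=0, ACK=SYN seq+1.
        # This is a reply to a SYN that carried our address, not a connect to us.
        return "reset answering a SYN: remote port closed, no inbound connect"
    if "RST" in flags:
        return "reset of an existing or half-open connection"
    return "other"


def correlate(records, window_minutes=15):
    """Pair each TCP packet with earlier echo requests from the same source."""
    by_src = {}
    for r in records:
        by_src.setdefault(r["src"], []).append(r)
    findings = []
    for src, recs in by_src.items():
        pings = [r for r in recs
                 if r["proto"] == "ICMP" and "Echo (ping) request" in r["info"]]
        for t in (r for r in recs if r["proto"] == "TCP"):
            prior = [p for p in pings
                     if 0 <= (t["ts"] - p["ts"]).total_seconds() <= window_minutes * 60]
            if prior:
                findings.append({
                    "src": src,
                    "pings_before": len(prior),
                    "gap_seconds": (t["ts"] - prior[0]["ts"]).total_seconds(),
                    "tcp": classify_tcp(t),
                })
    return findings


def analyze(text):
    """Parse a capture summary and return (records, findings)."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return records, correlate(records)


if __name__ == "__main__":
    for f in analyze(CAPTURE)[1]:
        print(f)
```

Run as-is it reports one finding for 206.239.3.90: two echo requests, a gap of roughly 456 seconds to the TCP packet, and the packet classified as a reset answering a SYN rather than a connection attempt.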
    



    This archive was generated by hypermail 2b30 : Mon May 14 2001 - 21:46:21 PDT