While running ethereal tonight I saw someone scanning all of the IP addresses. I scrolled back and saw that my box was pinged twice and then approximately 7 minutes later, I saw an attempt to connect to port 1405, all by the same IP address.

No.    Time                      Source        Destination   Protocol  Info
18960  2001-05-14 22:25:08.2490  206.239.3.90  xx.xxx.xx.xx  ICMP      Echo (ping) request
18961  2001-05-14 22:25:09.2592  206.239.3.90  xx.xxx.xx.xx  ICMP      Echo (ping) request
19236  2001-05-14 22:32:44.2349  206.239.3.90  xx.xxx.xx.xx  TCP       79 > 1405 [RST, ACK] Seq=0 Ack=3813890208 Win=0 Len=0

I researched and found out the following information.

ibm-res  1405/tcp  IBM Remote Execution Starter
ibm-res  1405/udp  IBM Remote Execution Starter

[whois.arin.net]
Verio, Inc. (NET-VRIO-206-239)
   8005 South Chester Street
   Englewood, CO 80112
   US

   Netname: VRIO-206-239
   Netblock: 206.239.0.0 - 206.239.255.255
   Maintainer: VRIO

   Coordinator:
      Verio, Inc. (VIA4-ORG-ARIN) viparat_private
      303.645.1900

   Domain System inverse mapping provided by:

   NS0.VERIO.NET 129.250.15.61
   NS1.VERIO.NET 204.91.99.140
   NS2.VERIO.NET 129.250.31.190

   ********************************************
   Reassignment information for this block is
   available at rwhois.verio.net port 4321
   ********************************************

   Record last updated on 20-Aug-2000.
   Database last updated on 12-May-2001 22:47:54 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

I guess my questions are why they were attempting to connect to port 1405 (I don't have any services on that port) and why would they be using port 79 to make the connection?

Thanks in advance.

Jim

--
Quidquid latine dictum sit, altum viditur.

This archive was generated by hypermail 2b30 : Mon May 14 2001 - 21:46:21 PDT