Re: Port 10008

From: Mike Scott (mikesat_private)
Date: Tue May 15 2001 - 09:19:47 PDT

Next message: John Coke: "RE: DNS ports and scans"

Previous message: Tim Brown: "Re: Port 10008"
In reply to: Joerg Weber: "Port 10008"
Next in thread: Crist Clark: "Re: Port 10008"
Next in thread: Rob Lindenbusch: "Re: Port 10008"
Reply: Crist Clark: "Re: Port 10008"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I saw the same thing over the weekend to what looks like the entire Class B.  
Here's a snip from a snort portscan log, I don't have the rest in front of me:

May 13 09:18:56 202.43.105.18:4760 -> xxx.140.18.139:10008 SYN ******S*
May 13 09:18:56 202.43.105.18:4761 -> xxx.140.18.140:10008 SYN ******S*
May 13 09:18:57 202.43.105.18:4762 -> xxx.140.18.141:10008 SYN ******S*
May 13 09:18:57 202.43.105.18:4763 -> xxx.140.18.142:10008 SYN ******S*

-- 
Mike 


On Tuesday 15 May 2001 02:10, you wrote:
> Hello everyone,
>
> my FW-Logs went insane last night with gazillions of connection attempts to
> port 10008.
> FW-1 does unfortunately not log dropped packets, so I've no idea about
> flags et al, but the scan looks like this:
> SourcePort = Increases with each scan
> DestPort   = 10008
>
> This looks like an automated tool to me, as the whole scan took about a
> second or two.
> Any ideas?
>
> Thanks,
>
> Joerg

Next message: John Coke: "RE: DNS ports and scans"
Previous message: Tim Brown: "Re: Port 10008"
In reply to: Joerg Weber: "Port 10008"
Next in thread: Crist Clark: "Re: Port 10008"
Next in thread: Rob Lindenbusch: "Re: Port 10008"
Reply: Crist Clark: "Re: Port 10008"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue May 15 2001 - 10:02:53 PDT