On Tue, 15 May 2001, Henri J. Schlereth wrote:

> I am starting to see syn probes on port 10008. I can't seem to find
> any references as to what uses that port. I know I am not.
>
> 05-14-2001 Mo 11:47:54 209.205.30.10 10008
> 05-14-2001 Mo 14:11:25 210.206.177.138 10008
> 05-14-2001 Mo 19:46:48 211.21.142.65 10008
> 05-15-2001 Tu 00:26:48 194.102.188.134 10008

Our Honeynet recently picked up these scans. Below is the snort capture.
Based on passive OS fingerprinting, it appears the source system is Linux.
We received port 10008 scans from three different systems; all source
signatures were the same. This implies the scan may be for Unix-based
vulnerabilities or a backdoor.

lance

-*> Snort! <*-
Version 1.7
By Martin Roesch (roeschat_private, www.snort.org)

--== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "snort-0514at_private" file.
snaplen = 1514

--== Initialization Complete ==--

05/14-04:45:01.954393 200.204.170.212:2394 -> 172.16.1.102:10008
TCP TTL:48 TOS:0x0 ID:28181 IpLen:20 DgmLen:60 DF
******S* Seq: 0x19C1BA52 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 42499815 0 NOP WS: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/14-04:45:01.961927 172.16.1.102:10008 -> 200.204.170.212:2394
TCP TTL:46 TOS:0x0 ID:32915 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0 Ack: 0x19C1BA53 Win: 0x0 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/14-04:45:01.967340 200.204.170.212:2396 -> 172.16.1.104:10008
TCP TTL:48 TOS:0x0 ID:28183 IpLen:20 DgmLen:60 DF
******S* Seq: 0x19A0AB8D Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 42499815 0 NOP WS: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/14-04:45:01.970390 172.16.1.104:10008 -> 200.204.170.212:2396
TCP TTL:46 TOS:0x0 ID:32916 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0 Ack: 0x19A0AB8E Win: 0x0 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/14-04:45:01.979359 200.204.170.212:2398 -> 172.16.1.106:10008
TCP TTL:48 TOS:0x0 ID:28185 IpLen:20 DgmLen:60 DF
******S* Seq: 0x19CA6878 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 42499815 0 NOP WS: 0
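The passive-fingerprinting step Lance describes (reading TTL, window, DF bit, SYN size and option order off the scanner's SYN packets and comparing the signature across sources) can be reproduced from the Snort 1.7 ASCII log above. The following script is an added example for this thread, not code from the post, from the Honeynet Project, or from Snort/p0f. It parses the packet blocks, builds a p0f-2-style `window:ttl:df:size:options` signature for each SYN probe to the scanned port, groups signatures by source address so you can check whether several scanners share one signature, and counts the RST/ACK replies that show the honeynet hosts had nothing listening on that port. The sample log is constructed from the packets quoted in the thread; the single-entry reference table, mapping that signature to a Linux 2.2 kernel, is the classic p0f entry reproduced from memory and should be treated as an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format of Snort 1.7's ASCII packet log, copied
# from the packets quoted in the thread: three SYN probes to port 10008 and
# two RST/ACK replies from the honeynet hosts.
SAMPLE_LOG = """\
05/14-04:45:01.954393 200.204.170.212:2394 -> 172.16.1.102:10008
TCP TTL:48 TOS:0x0 ID:28181 IpLen:20 DgmLen:60 DF
******S* Seq: 0x19C1BA52 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 42499815 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/14-04:45:01.961927 172.16.1.102:10008 -> 200.204.170.212:2394
TCP TTL:46 TOS:0x0 ID:32915 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0 Ack: 0x19C1BA53 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/14-04:45:01.967340 200.204.170.212:2396 -> 172.16.1.104:10008
TCP TTL:48 TOS:0x0 ID:28183 IpLen:20 DgmLen:60 DF
******S* Seq: 0x19A0AB8D Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 42499815 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/14-04:45:01.970390 172.16.1.104:10008 -> 200.204.170.212:2396
TCP TTL:46 TOS:0x0 ID:32916 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0 Ack: 0x19A0AB8E Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/14-04:45:01.979359 200.204.170.212:2398 -> 172.16.1.106:10008
TCP TTL:48 TOS:0x0 ID:28185 IpLen:20 DgmLen:60 DF
******S* Seq: 0x19CA6878 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 42499815 0 NOP WS: 0
"""

HEADER_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
IP_RE = re.compile(r"^TCP TTL:(\d+) .*DgmLen:(\d+)( DF)?")
TCP_RE = re.compile(r"^([A-Z*]{8}) Seq: \S+ Ack: \S+ Win: (0x[0-9A-Fa-f]+) TcpLen: (\d+)")
OPTS_RE = re.compile(r"^TCP Options \(\d+\) => (.*)$")
OPT_TOKEN_RE = re.compile(r"(MSS|SackOK|TS|NOP|WS|EOL)")
OPT_CODE = {"MSS": "M*", "SackOK": "S", "TS": "T", "NOP": "N", "WS": "W", "EOL": "E"}

# Constructed reference table in p0f-2 signature layout. The one entry is the
# well-known Linux 2.2 SYN signature, reproduced from memory (an assumption).
KNOWN_SIGNATURES = {"32120:64:1:60:M*,S,T,N,W0": "Linux 2.2.x"}


def parse_snort_log(text):
    """Split Snort 1.7 ASCII output into one dict per packet."""
    packets = []
    for block in re.split(r"^=\+.*$", text, flags=re.MULTILINE):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines or not (hdr := HEADER_RE.match(lines[0])):
            continue
        pkt = {"time": hdr.group(1), "src": hdr.group(2), "sport": int(hdr.group(3)),
               "dst": hdr.group(4), "dport": int(hdr.group(5)), "options": [], "wscale": None}
        for ln in lines[1:]:
            if m := IP_RE.match(ln):
                pkt.update(ttl=int(m.group(1)), dgmlen=int(m.group(2)), df=bool(m.group(3)))
            elif m := TCP_RE.match(ln):
                pkt.update(flags=m.group(1), win=int(m.group(2), 16), tcplen=int(m.group(3)))
            elif m := OPTS_RE.match(ln):
                pkt["options"] = OPT_TOKEN_RE.findall(m.group(1))   # option order matters
                ws = re.search(r"WS: (\d+)", m.group(1))
                pkt["wscale"] = int(ws.group(1)) if ws else None
        packets.append(pkt)
    return packets


def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    return next((c for c in (32, 64, 128, 255) if ttl <= c), 255)


def syn_fingerprint(pkt):
    """p0f-2-style signature: window:initial_ttl:df:syn_size:options."""
    codes = [OPT_CODE[o] + (str(pkt["wscale"]) if o == "WS" else "") for o in pkt["options"]]
    return f"{pkt['win']}:{initial_ttl(pkt['ttl'])}:{int(pkt['df'])}:{pkt['dgmlen']}:{','.join(codes)}"


def is_syn_probe(pkt):
    # Snort prints a letter only for set flags, so a bare SYN has S but no A.
    return "S" in pkt["flags"] and "A" not in pkt["flags"]


def summarize(text, port):
    """Group SYN probes to `port` by source and look up each source's signature."""
    packets = parse_snort_log(text)
    probes, rst_replies = defaultdict(set), 0
    for pkt in packets:
        if is_syn_probe(pkt) and pkt["dport"] == port:
            probes[pkt["src"]].add(syn_fingerprint(pkt))
        elif "R" in pkt["flags"] and pkt["sport"] == port:
            rst_replies += 1          # honeynet host answered: nothing listening
    sources = {src: {"signatures": sorted(sigs),
                     "os_guess": [KNOWN_SIGNATURES.get(s, "unknown") for s in sorted(sigs)]}
               for src, sigs in probes.items()}
    return {"packets": len(packets), "sources": sources, "rst_replies": rst_replies}


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG, 10008)["sources"].items():
        print(src, info["signatures"], info["os_guess"])
```

With several scanners' logs concatenated, `summarize()` returns one signature set per source, so "all source signatures were the same" becomes a check you can make rather than an impression: identical signature strings across sources point to the same scanning tool or OS build, while a source with more than one signature is usually NAT or a spoofed scan.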
This archive was generated by hypermail 2b30 : Tue May 15 2001 - 10:49:29 PDT