Well, I guess I was a bit unclear. Thanks to all for your collective input on what the ports were (ie 31337, and 10008). I was however aware of them. The point I was wondering about was if this particular scan was a canned exploit, could it take another step if it were to successfull? If so then maybe someone has identified some artifacts. I would doubt that this was someone just messing around with nmap as it was the same scan pattern at different times from different address spaces from multiple addresses around the globe (NOT synchronized and vs. different machines on several different networks). If this was a scripted exploit then that could potentially be identified then a rule could be written for SHADOW, Snort, NetRanger et cetera. At any rate thanks for your input. cheers, gattaca Free, encrypted, secure Web-based email at www.hushmail.com
This archive was generated by hypermail 2b30 : Sat May 19 2001 - 10:50:32 PDT