Re: Question about port scans

From: Christopher L. Morrow (chrisat_private)
Date: Wed Jun 13 2001 - 08:38:17 PDT

Next message: Milliken, Larry: "RE: Question about port scans"

Previous message: Milliken, Larry: "Question about port scans"
In reply to: Milliken, Larry: "Question about port scans"
Next in thread: Milliken, Larry: "RE: Question about port scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 13 Jun 2001, Milliken, Larry wrote:

> I have a number of port scans in my log for port 42484.  I cannot find any
> info on trojans/viruses on this..Does anyone know what uses this port?
> 

You'll notice that the 'source' port for this is 53 and it's TCP, eh? and
the source address is: 213.68.200.20, eh? I captured a few of these
packets all were resets.... so I assumed this host was being flooded and
the traffic I saw was 'backscatter'.

Looking at the logs I have for this I do notice that the hosts are being
hit almost sequentially which is strange for most flooders are more random
than this :(

Next message: Milliken, Larry: "RE: Question about port scans"
Previous message: Milliken, Larry: "Question about port scans"
In reply to: Milliken, Larry: "Question about port scans"
Next in thread: Milliken, Larry: "RE: Question about port scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 08:45:01 PDT