RE: Question about port scans

From: Milliken, Larry (lmillikenat_private)
Date: Wed Jun 13 2001 - 08:43:54 PDT

Next message: Vangelis Haniotakis: "Huge outgoing ICMP flows"

Previous message: Christopher L. Morrow: "Re: Question about port scans"
Maybe in reply to: Milliken, Larry: "Question about port scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Correct about the source port being 53..The source address is 212.67.33.15..

-----Original Message-----
From: Christopher L. Morrow [mailto:chrisat_private]
Sent: Wednesday, June 13, 2001 11:38 AM
To: Milliken, Larry
Cc: incidentsat_private
Subject: Re: Question about port scans

On Wed, 13 Jun 2001, Milliken, Larry wrote:

> I have a number of port scans in my log for port 42484.  I cannot find any
> info on trojans/viruses on this..Does anyone know what uses this port?
> 

You'll notice that the 'source' port for this is 53 and it's TCP, eh? and
the source address is: 213.68.200.20, eh? I captured a few of these
packets all were resets.... so I assumed this host was being flooded and
the traffic I saw was 'backscatter'.

Looking at the logs I have for this I do notice that the hosts are being
hit almost sequentially which is strange for most flooders are more random
than this :(

Next message: Vangelis Haniotakis: "Huge outgoing ICMP flows"
Previous message: Christopher L. Morrow: "Re: Question about port scans"
Maybe in reply to: Milliken, Larry: "Question about port scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 09:17:58 PDT