RE: Question about port scans

From: Milliken, Larry (lmillikenat_private)
Date: Wed Jun 13 2001 - 08:43:54 PDT


    Correct about the source port being 53. The source address is 212.67.33.15.
    
    -----Original Message-----
    From: Christopher L. Morrow [mailto:chrisat_private]
    Sent: Wednesday, June 13, 2001 11:38 AM
    To: Milliken, Larry
    Cc: incidentsat_private
    Subject: Re: Question about port scans
    
    
    On Wed, 13 Jun 2001, Milliken, Larry wrote:
    
    > I have a number of port scans in my log for port 42484.  I cannot find any
    > info on trojans/viruses on this. Does anyone know what uses this port?
    > 
    
    You'll notice that the 'source' port for this is 53 and it's TCP, eh? and
    the source address is: 213.68.200.20, eh? I captured a few of these
    packets all were resets.... so I assumed this host was being flooded and
    the traffic I saw was 'backscatter'.
    
    Looking at the logs I have for this I do notice that the hosts are being
    hit almost sequentially which is strange for most flooders are more random
    than this :(
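
One way to test both observations from the reply above against a firewall log (reply-only TCP flags from a service port, and destinations hit almost sequentially), as an added example that is not part of either poster's message. The record layout, the 0.8 threshold, the verdict labels and the sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Flags a flooded host sends back to spoofed sources: RST, RST/ACK, SYN/ACK.
REPLY_FLAGS = {"R", "RA", "SA"}
SEQ_THRESHOLD = 0.8  # assumed cut-off for "almost sequential"

# Constructed sample records in arrival order (documentation address ranges):
# (source IP, source port, destination IP, destination port, TCP flags)
SAMPLE = [
    ("192.0.2.53", 53, "198.51.100.10", 42484, "R"),
    ("192.0.2.80", 80, "198.51.100.200", 1045, "SA"),
    ("192.0.2.53", 53, "198.51.100.11", 42484, "R"),
    ("203.0.113.9", 3122, "198.51.100.10", 42484, "S"),
    ("192.0.2.80", 80, "198.51.100.7", 2210, "RA"),
    ("192.0.2.53", 53, "198.51.100.12", 42484, "R"),
    ("203.0.113.9", 3123, "198.51.100.11", 42484, "S"),
    ("192.0.2.80", 80, "203.0.113.90", 1877, "SA"),
    ("192.0.2.53", 53, "198.51.100.13", 42484, "R"),
    ("192.0.2.80", 80, "198.51.100.140", 4012, "RA"),
]

def sequential_ratio(dsts):
    """Fraction of consecutive packets that land 1 or 2 addresses higher."""
    steps = [b - a for a, b in zip(dsts, dsts[1:])]
    return sum(1 for s in steps if s in (1, 2)) / len(steps) if steps else 0.0

def classify(records):
    by_src = defaultdict(list)
    for src, sport, dst, _dport, flags in records:
        by_src[src].append((sport, int(ipaddress.ip_address(dst)), flags))
    result = {}
    for src, pkts in by_src.items():
        reply_only = all(f in REPLY_FLAGS for _, _, f in pkts)
        ratio = sequential_ratio([d for _, d, _ in pkts])
        if not reply_only:
            verdict = "probe"                   # carries SYNs: not a reply stream
        elif ratio >= SEQ_THRESHOLD:
            verdict = "replies-but-sequential"  # the odd case noted in the thread
        else:
            verdict = "likely-backscatter"      # replies to scattered addresses
        result[src] = {"verdict": verdict, "seq_ratio": ratio,
                       "src_ports": sorted({s for s, _, _ in pkts})}
    return result

if __name__ == "__main__":
    for src, info in classify(SAMPLE).items():
        print(src, info)
```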
    