"Fernando Cardoso" <fernando.cardosoat_private> writes: > I've just noticed in my logs a scan from someone in Colombia to port 2223. > It was clearly made with synscan (source port=destination port, ID=39426 and > Window=404). What makes me think is the purpose of it. What (s)he's looking > for? According to my port database it could be: I saw this too. Whatever they were looking for, if you sent a syn packet back to them on port 2223 (e.g. by doing "telnet xxx.xxx.xxx.xxx 2223"), then they would respond with a regular TCP connection to the port, and wait for something. I don't know what they were waiting for, since any data I sent just resulted in the other side closing the connection. So it's definitely synscan-like behavior, but I don't know what exploit has been attached to that port. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 17:45:45 PDT