Re: portscan on tcp ports 1024 to 1280

From: dr john halewood (johnat_private)
Date: Wed Oct 17 2001 - 10:45:47 PDT

  • Next message: Robert Woods: "RE: Scans from Moscow"

    On Wednesday 17 October 2001 18:05, Fletcher Mattox wrote:
    > What application or exploit probes every tcp port between 1024 and 1280
    > (i.e. 256 different ports in random order).  The source port is always
    > 80 or 0.  Every host on our network is being scanned in this manner from
    > several different places.  Some source ip addresses are:
    
    It seems to me that what you're actually seeing is packets coming back from a 
    server when someone's been spoofing your IP address. Ports 1024 and upwards 
    are generally used for outgoing (originating) traffic from Microsoft (and 
    others) IP stacks. Packets coming back from port 80 is usually a response 
    from a web server. IIRC I've seen the combination httpd/tcpmux port 
    combination used in the past by some hacker tools. Anyone remember which?
    
    cheers
    john
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Oct 17 2001 - 11:10:42 PDT