port 6635 and port 9705

From: Jim Howard (Jim.Howardat_private)
Date: Wed Nov 14 2001 - 09:29:08 PST

Next message: Dave Dittrich: "Re: Analysis of SSH crc32 compensation attack detector exploit"

Previous message: Fernando Cardoso: "RE: SUB7 (update) Now Netbus too!"
Next in thread: Rob Keown: "RE: port 6635 and port 9705"
Reply: Rob Keown: "RE: port 6635 and port 9705"
Reply: dschultzat_private: "RE: port 6635 and port 9705"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Somebody had asked where these scans were coming from.  Just yesterday, I
got scanned on both these ports at the same time from this IP: 216.187.84.11
.  I have notified the parties that needed notification, but I just wanted
to mention that: 

1) our entire network was scanned for both from the same host, one right
after the other with 9705 first, then 6635.  The scans to 9705 were
primarily from port 9705, where the 6635 scan was from an incrementing port
#. 

2) this is the first I have seen scans on these ports for some time.  It
sounds from what people are saying, that this may be picking up now?

3) There was a break of about 4 minutes between the scan sessions, that
indicate a manual process to fire up the other scan.  All scans carry the
SYN flag.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Dave Dittrich: "Re: Analysis of SSH crc32 compensation attack detector exploit"
Previous message: Fernando Cardoso: "RE: SUB7 (update) Now Netbus too!"
Next in thread: Rob Keown: "RE: port 6635 and port 9705"
Reply: Rob Keown: "RE: port 6635 and port 9705"
Reply: dschultzat_private: "RE: port 6635 and port 9705"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Nov 14 2001 - 11:14:11 PST