[Unusual Network_scan[tcp-6267]]

From: Russell Fulton (R.FULTONat_private)
Date: Thu Jan 31 2002 - 13:30:17 PST


    Anyone have any idea what this might be looking for?  I usually assume
    that scans on odd port numbers are just looking for hosts compromised in
    previous sweeps but 6267 is a bit too close to 6112 and I want to be
    sure that it isn't another rpc service I don't know about.  I have
    searched the snort port database and google but found nothing relevant.
    
    Cheers, Russell.
    
    -----Forwarded Message-----
    
    From: argusat_private
    To: irtat_private
    Subject: [202.198.178.103] - Network_scan[tcp-6267]
    Date: 31 Jan 2002 19:57:03 +1300
    
    
    The data for around this time can be found in
    ~argus/data/2002.01.31/argus-2002.01.31.19.00.gz
    
    We saw [202.198.178.103] talk to 48 ports/addresses(s)
    on Thu 31 Jan 2002 at 07:56 (UTC)
    
    -- Thu 31 Jan 2002 at 19:56 (NZDT)
    
    Connection rate approx 20 per second
    
    202.37.88.1-37.tcp - 6267             202.37.88.42-51.tcp - 6267         
    202.37.88.40.tcp - 6267
    
    
    Some sample packet traces were:  Times UTC +1300 GPS synchronized
    2002-01-31-19:56:47  tcp 202.198.178.103:4151     ->    202.37.88.28:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4152     ->    202.37.88.29:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4153     ->    202.37.88.30:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4154     ->    202.37.88.31:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4155     ->    202.37.88.32:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4156     ->    202.37.88.33:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4157     ->    202.37.88.34:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4158     ->    202.37.88.35:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4159     ->    202.37.88.36:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4160     ->    202.37.88.37:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4163     ->    202.37.88.40:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4165     ->    202.37.88.42:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4166     ->    202.37.88.43:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4167     ->    202.37.88.44:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4168     ->    202.37.88.45:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4169     ->    202.37.88.46:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4170     ->    202.37.88.47:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4171     ->    202.37.88.48:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4172     ->    202.37.88.49:6267   S_
    2002-01-31-19:56:47  tcp 202.198.178.103:4173     ->    202.37.88.50:6267   S_
    
    
    
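The kind of summary the forwarded alert reports, rebuilt from trace lines in the format shown above, as an added example that is not part of the original message and is not Argus code. The function names and the min_hosts threshold are hypothetical, and the state flag S_ is assumed to mean a SYN that received no reply.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the trace format shown in the alert above
# (a subset of its lines, plus one unrelated flow added for contrast).
SAMPLE = """\
2002-01-31-19:56:47  tcp 202.198.178.103:4159     ->    202.37.88.36:6267   S_
2002-01-31-19:56:47  tcp 202.198.178.103:4160     ->    202.37.88.37:6267   S_
2002-01-31-19:56:47  tcp 202.198.178.103:4163     ->    202.37.88.40:6267   S_
2002-01-31-19:56:47  tcp 202.198.178.103:4165     ->    202.37.88.42:6267   S_
2002-01-31-19:56:47  tcp 202.198.178.103:4166     ->    202.37.88.43:6267   S_
2002-01-31-19:56:48  tcp 192.0.2.10:1025          ->    202.37.88.5:80      SA
"""

LINE = re.compile(r"^\s*(\S+)\s+(\w+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)\s+(\S+)\s*$")

def parse(text):
    """Yield (src, proto, dst, dport, state) for each well-formed trace line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            _, proto, src, _, dst, dport, state = m.groups()
            yield src, proto, ipaddress.IPv4Address(dst), int(dport), state

def collapse(addrs):
    """Collapse addresses into the report's range notation, e.g. 202.37.88.42-43."""
    out, run = [], []
    for a in sorted(set(addrs)) + [None]:   # None is a sentinel that flushes the last run
        if run and (a is None or int(a) != int(run[-1]) + 1 or a.packed[:3] != run[0].packed[:3]):
            first, last = run[0], run[-1]
            out.append(str(first) if first == last else f"{first}-{last.packed[3]}")
            run = []
        if a is not None:
            run.append(a)
    return out

def horizontal_scans(text, min_hosts=5):
    """Sources sending unanswered SYNs to at least min_hosts hosts on one port."""
    targets = defaultdict(list)
    for src, proto, dst, dport, state in parse(text):
        if state == "S_":   # assumption: S_ marks a SYN with no reply seen
            targets[(src, proto, dport)].append(dst)
    return {k: collapse(v) for k, v in targets.items() if len(set(v)) >= min_hosts}

if __name__ == "__main__":
    for (src, proto, port), ranges in horizontal_scans(SAMPLE).items():
        print(f"{src} -> {proto}/{port}: {', '.join(ranges)}")
```

Gaps in the collapsed ranges (here .38-.39 and .41) match the gaps in the alert's own target list, which is a quick way to see which addresses the sensor never saw probed.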
    


