Anyone have any idea what this might be looking for? I usually assume that scans on odd port numbers are just looking for hosts compromised in previous sweeps but 6267 is a bit too close to 6112 and I want to be sure that it isn't another rpc service I don't know about. I have searched the snort port database and google but found nothing relevant.

Cheers, Russell.

-----Forwarded Message-----
From: argusat_private
To: irtat_private
Subject: [202.198.178.103] - Network_scan[tcp-6267]
Date: 31 Jan 2002 19:57:03 +1300

The data for around this time can be found in
~argus/data/2002.01.31/argus-2002.01.31.19.00.gz

We saw [202.198.178.103] talk to 48 ports/addresses(s) on
Thu 31 Jan 2002 at 07:56 (UTC) -- Thu 31 Jan 2002 at 19:56 (NZDT)
Connection rate approx 20 per second

202.37.88.1-37.tcp - 6267
202.37.88.42-51.tcp - 6267
202.37.88.40.tcp - 6267

Some sample packet traces were:
Times UTC +1300 GPS synchronized

2002-01-31-19:56:47 tcp 202.198.178.103:4151 -> 202.37.88.28:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4152 -> 202.37.88.29:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4153 -> 202.37.88.30:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4154 -> 202.37.88.31:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4155 -> 202.37.88.32:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4156 -> 202.37.88.33:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4157 -> 202.37.88.34:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4158 -> 202.37.88.35:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4159 -> 202.37.88.36:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4160 -> 202.37.88.37:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4163 -> 202.37.88.40:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4165 -> 202.37.88.42:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4166 -> 202.37.88.43:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4167 -> 202.37.88.44:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4168 -> 202.37.88.45:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4169 -> 202.37.88.46:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4170 -> 202.37.88.47:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4171 -> 202.37.88.48:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4172 -> 202.37.88.49:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4173 -> 202.37.88.50:6267 S_

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
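The per-source summary in the forwarded report (one source, one destination port, many destination hosts folded into ranges) can be rebuilt from trace lines in this format. The following is an added example, not part of the original message and not Argus's own code; the `MIN_TARGETS` threshold and the reading of `S_` as a connection attempt with no reply seen are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Lines 1-6 are copied from the report above; line 7 is constructed for contrast.
SAMPLE = """\
2002-01-31-19:56:47 tcp 202.198.178.103:4158 -> 202.37.88.35:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4159 -> 202.37.88.36:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4160 -> 202.37.88.37:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4163 -> 202.37.88.40:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4165 -> 202.37.88.42:6267 S_
2002-01-31-19:56:47 tcp 202.198.178.103:4166 -> 202.37.88.43:6267 S_
2002-01-31-19:56:48 tcp 192.0.2.10:1025 -> 202.37.88.40:80 S_
"""

LINE = re.compile(r"^(\S+)\s+tcp\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)\s+(\S+)$")
MIN_TARGETS = 5  # hypothetical threshold, not the value the original alert used

def collapse(addrs):
    """Fold a non-empty set of IPv4 addresses into runs like '202.37.88.35-37'."""
    nums = sorted(int(ipaddress.IPv4Address(a)) for a in addrs)
    runs, start, prev = [], nums[0], nums[0]
    for n in nums[1:] + [None]:          # None flushes the final run
        if n is not None and n == prev + 1:
            prev = n
            continue
        lo, hi = str(ipaddress.IPv4Address(start)), str(ipaddress.IPv4Address(prev))
        same_net = lo.rsplit(".", 1)[0] == hi.rsplit(".", 1)[0]
        end = hi.rsplit(".", 1)[1] if same_net else hi
        runs.append(lo if lo == hi else f"{lo}-{end}")
        if n is not None:
            start = prev = n
    return runs

def find_scans(text, min_targets=MIN_TARGETS):
    """Return {(src, dport): [ranges]} for sources probing many hosts on one port."""
    targets = defaultdict(set)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(6) != "S_":  # assumed: S_ = attempt with no reply seen
            continue
        targets[(m.group(2), int(m.group(5)))].add(m.group(4))
    return {k: collapse(v) for k, v in targets.items() if len(v) >= min_targets}

if __name__ == "__main__":
    for (src, port), runs in find_scans(SAMPLE).items():
        print(f"{src} -> tcp/{port}: {', '.join(runs)}")
```

Grouping on the (source, destination port) pair is what separates a horizontal sweep like this one from a single host probing many ports on one target.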