Russell Fulton wrote:

> On Wed, 2002-02-27 at 14:52, Will Aoki wrote:
> > On Wed, Feb 27, 2002 at 10:43:19AM +1300, Russell Fulton wrote:
> > > (213.237.6.5) at 22:13 GMT-7 on the 20th, but I figured that it must
> > be something other than NTP, since AFAIK NTP only runs over UDP.
>
> Possibly but tcp-123 is reserved for NTP...

Normal practice is to reserve both TCP and UDP for the given port no matter which protocols you reserve.

> Another thought that
> occurred to me was that it was a typo and they meant to scan for
> 1234 or 12345, both popular trojan ports. This seems unlikely since
> it would appear that this wasn't a single scan.

Still a possibility, though, and perhaps more likely than my suggestion. It's perfectly conceivable that some script kiddie set up his tool to scan for hosts and accidentally deleted the last 1 or 2 digits.

> > Perhaps you're seeing something similar: people looking for poor filtering
> > rules.
>
> hmmm... so if you get any RSTs or port unreachables you would know that
> the original packet went through the firewall. Then you could start
> probing with more interesting packets. Certainly plausible.

Plausible, but unlikely to cause damage. How many firewall implementations are going to allow use of a port for filtering if the protocol is not specified?

Paul
http://paulgear.webhop.net
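An added example, not part of the original messages: a log check for the two points raised in the thread, namely TCP probes to port 123 and whether any of them got through the filter. The log lines are constructed, and the `FW-ACCEPT`/`FW-DROP` prefixes and the function name `tcp123_report` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of netfilter LOG output. The
# "FW-ACCEPT"/"FW-DROP" prefixes are an assumed local logging convention.
SAMPLE_LOG = """\
Feb 20 22:13:01 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=123 SYN
Feb 20 22:13:01 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=40113 DPT=123 SYN
Feb 20 22:13:02 gw kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=40114 DPT=123 SYN
Feb 20 22:14:40 gw kernel: FW-ACCEPT IN=eth0 SRC=203.0.113.5 DST=192.0.2.12 PROTO=UDP SPT=123 DPT=123
Feb 20 22:15:09 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=12345 SYN
"""

LINE_RE = re.compile(
    r"FW-(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

def tcp123_report(log_text):
    """Summarise TCP traffic to port 123 per source address.

    Returns {src: {"targets": set of DSTs, "accepted": set of DSTs}}.
    NTP itself uses UDP/123, so TCP/123 here is treated as probe traffic.
    An accepted TCP/123 packet suggests a rule that allows port 123
    without restricting the protocol to UDP.
    """
    report = defaultdict(lambda: {"targets": set(), "accepted": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP" or m["dpt"] != "123":
            continue  # legitimate UDP NTP and other ports are ignored
        entry = report[m["src"]]
        entry["targets"].add(m["dst"])
        if m["action"] == "ACCEPT":
            entry["accepted"].add(m["dst"])
    return dict(report)

if __name__ == "__main__":
    for src, info in tcp123_report(SAMPLE_LOG).items():
        print(f"{src}: {len(info['targets'])} hosts probed on TCP/123")
        for dst in sorted(info["accepted"]):
            print(f"  passed the filter to {dst}: review the port 123 rule")
```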