Port 6588 Probes from SA

From: BParisat_private
Date: Sun Apr 21 2002 - 12:39:48 PDT

    On April 10th, my home computer, connected to Adelphia cablemodem, started
    getting probed for port 6588. Wondering if it was just my machine being
    targeted or if the block my machine resided on was being probed, I forced
    an address change (swapped the NIC). The probes still continued.
    
    I realize that 6588 is used by AnalogX proxy software, but these probes, 17
    in all so far, originated in Saudi Arabia. Here is the list of offending
    IPs:
    
    Here is the nmap output from the latest offender:
    
    Starting nmapNT V. 2.53 SP1 by ryanat_private
    eEye Digital Security ( http://www.eEye.com )
    based on nmap by fyodorat_private  ( www.insecure.org/nmap/ )
    
    Host  (212.70.48.99) appears to be up ... good.
    Initiating SYN half-open stealth scan against  (212.70.48.99)
    Adding TCP port 2002 (state open).
    Adding TCP port 2000 (state open).
    Adding TCP port 59 (state open).
    The SYN scan took 116 seconds to scan 1523 ports.
    For OSScan assuming that port 59 is open and port 1 is closed and neither
    are firewalled
    For OSScan assuming that port 59 is open and port 1 is closed and neither
    are firewalled
    Interesting ports on  (212.70.48.99):
    (The 1517 ports scanned but not shown below are in state: closed)
    Port       State       Service
    59/tcp     open        priv-file
    137/tcp    filtered    netbios-ns
    138/tcp    filtered    netbios-dgm
    139/tcp    filtered    netbios-ssn
    2000/tcp   open        callbook
    2002/tcp   open        globe
    
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=115382 (Good luck!)
    
    Sequence numbers: 7806EB74 780DAAE3 7818BC36 7821C867 782D94F9 783792E6
    Remote operating system guess: Windows 2000 Professional, Build 2128
    
    Nmap run completed -- 1 IP address (1 host up) scanned in 150 seconds
    
    
    I'm scratching my head at this point...  any ideas?
    
    
    William S. Paris
    Telecommunication / Network Analyst
    Sorrento Lactalis Inc.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
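
Added example (not part of the original post): one way to triage probes like these from firewall logs is to count TCP connection attempts to port 6588 per source and per source network, and to note which sources show up against more than one local address, for instance before and after an address change. The iptables-style log format, the documentation-range addresses and the function name summarize_probes are assumptions constructed for this sketch.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample log lines (iptables-style). All addresses come from the
# RFC 5737 documentation ranges and do not refer to real hosts.
SAMPLE_LOG = """\
Apr 10 03:12:01 gw kernel: IN=eth0 SRC=192.0.2.14 DST=198.51.100.20 PROTO=TCP SPT=3312 DPT=6588 SYN
Apr 11 07:45:10 gw kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.20 PROTO=TCP SPT=1190 DPT=6588 SYN
Apr 12 09:01:55 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.20 PROTO=TCP SPT=4021 DPT=80 SYN
Apr 14 22:30:42 gw kernel: IN=eth0 SRC=192.0.2.14 DST=198.51.100.93 PROTO=TCP SPT=3391 DPT=6588 SYN
Apr 15 01:02:03 gw kernel: IN=eth0 SRC=203.0.113.200 DST=198.51.100.93 PROTO=TCP SPT=2788 DPT=6588 SYN
Apr 15 01:02:09 gw kernel: IN=eth0 SRC=203.0.113.200 DST=198.51.100.93 PROTO=UDP SPT=2788 DPT=6588
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=\d+ DPT=(\d+)")


def summarize_probes(log_text, port=6588, prefix_len=24):
    """Summarize inbound TCP probes to `port` found in `log_text`."""
    per_source = Counter()        # probes per source address
    per_network = Counter()       # probes per source network (/prefix_len)
    targets = defaultdict(set)    # local addresses each source touched
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue              # not a packet log line
        src, dst, proto, dpt = m.groups()
        if proto != "TCP" or int(dpt) != port:
            continue              # different service or protocol
        per_source[src] += 1
        net = ip_network(f"{src}/{prefix_len}", strict=False)
        per_network[str(net)] += 1
        targets[src].add(dst)
    return {
        "total": sum(per_source.values()),
        "per_source": dict(per_source),
        "per_network": dict(per_network),
        # Sources seen against more than one local address, e.g. both the
        # old and the new address after a forced address change.
        "multi_target_sources": sorted(
            s for s, dsts in targets.items() if len(dsts) > 1),
    }


if __name__ == "__main__":
    for key, value in summarize_probes(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Grouping by source network shows whether many scattered hits come from a handful of provider ranges, which is easier to report to an abuse contact than a flat address list.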
    



    This archive was generated by hypermail 2b30 : Mon Apr 22 2002 - 09:04:37 PDT