Unusual proxy port scan

From: Bill Royds (sf-listsat_private)
Date: Sat Jun 22 2002 - 17:48:53 PDT


    My home cable modem with switch recorded this interesting scan this afternoon (times EDT).
    I know about 8080 and 3128 (SQUID proxy ports), but what are 3389 and 1813, especially since there was a bigger push on 1813?

    Sat June 22 2002 13:02:02 Unrecognized access from 4.18.239.237:3941 to TCP port 8080
    Sat June 22 2002 13:02:02 Unrecognized access from 4.18.239.237:3944 to TCP port 3128
    Sat June 22 2002 13:02:02 Unrecognized access from 4.18.239.237:3945 to TCP port 3389
    Sat June 22 2002 13:02:02 Unrecognized access from 4.18.239.237:3946 to TCP port 1813
    Sat June 22 2002 13:02:05 Unrecognized access from 4.18.239.237:3941 to TCP port 8080
    Sat June 22 2002 13:02:05 Unrecognized access from 4.18.239.237:3946 to TCP port 1813
    Sat June 22 2002 13:02:05 Unrecognized access from 4.18.239.237:3944 to TCP port 3128
    Sat June 22 2002 13:02:05 Unrecognized access from 4.18.239.237:3945 to TCP port 3389
    Sat June 22 2002 13:02:11 Unrecognized access from 4.18.239.237:3941 to TCP port 8080
    Sat June 22 2002 13:02:11 Unrecognized access from 4.18.239.237:3946 to TCP port 1813
    Sat June 22 2002 13:02:12 Unrecognized access from 4.18.239.237:3944 to TCP port 3128
    Sat June 22 2002 13:02:12 Unrecognized access from 4.18.239.237:3945 to TCP port 3389
    Sat June 22 2002 13:02:27 Unrecognized access from 4.18.239.237:1057 to TCP port 1813
    Sat June 22 2002 13:02:31 Unrecognized access from 4.18.239.237:1057 to TCP port 1813
    Sat June 22 2002 13:02:37 Unrecognized access from 4.18.239.237:1057 to TCP port 1813
    
    IP has no reverse host name lookup
    
    
    $ dig -x 4.18.239.237
    
    ; <<>> DiG 8.3 <<>> -x
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; QUERY SECTION:
    ;;      237.239.18.4.in-addr.arpa, type = ANY, class = IN
    
    ;; AUTHORITY SECTION:
    239.18.4.in-addr.arpa.  43m20s IN SOA   dnspri.sys.gtei.net. dns-admin.bbnplanet.com. (
                                            2002052850      ; serial
                                            1H              ; refresh
                                            15M             ; retry
                                            1w3d            ; expiry
                                            1D )            ; minimum
    
    
    ;; Total query time: 1000 msec
    ;; FROM: bill-nt to SERVER: default -- 192.168.0.148
    ;; WHEN: Sat Jun 22 18:36:38 2002
    ;; MSG SIZE  sent: 43  rcvd: 121
    
    
    $ whois -h whois.arin.net INTEL-239-10
    Intel (NETBLK-INTEL-239-10)
       5200 NE Elam Young Parkway
       Hillsboro, OR 97124
       US
    
       Netname: INTEL-239-10
       Netblock: 4.18.239.192 - 4.18.239.255
    
       Coordinator:
          Vasconcellos, Phillip  (PV172-ARIN)  phillip.vasconcellosat_private
          503-712-9140
    
       Record last updated on 11-Oct-2001.
       Database last updated on  21-Jun-2002 19:59:57 EDT.
    
    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.
    $ whois -h whois.arin.net 4.18.239.237
    GENUITY (NET-GNTY-4-0)          GNTY-4-0               4.0.0.0 - 4.255.255.255
    Intel (NETBLK-INTEL-239-10)     INTEL-239-10       4.18.239.192 - 4.18.239.255
    
    To single out one record, look it up with "!xxx", where xxx is the
    handle, shown in parenthesis following the name, which comes first.
    
    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
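As an added example (not part of the post above), here is a small Python parser for exactly the log format quoted in it, which groups lines by TCP 4-tuple so that the repeated entries from the same source port a few seconds apart (3 s, then 6 s) are counted as SYN retransmissions of one connection attempt rather than separate probes, then flags a source that touched several distinct ports. The sample input is a constructed subset of the lines in the post; the thresholds and field names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: a subset of the log lines quoted in the post, unchanged in format.
SAMPLE_LOG = """\
Sat June 22 2002 13:02:02 Unrecognized access from 4.18.239.237:3941 to TCP port 8080
Sat June 22 2002 13:02:02 Unrecognized access from 4.18.239.237:3944 to TCP port 3128
Sat June 22 2002 13:02:02 Unrecognized access from 4.18.239.237:3945 to TCP port 3389
Sat June 22 2002 13:02:02 Unrecognized access from 4.18.239.237:3946 to TCP port 1813
Sat June 22 2002 13:02:05 Unrecognized access from 4.18.239.237:3941 to TCP port 8080
Sat June 22 2002 13:02:05 Unrecognized access from 4.18.239.237:3946 to TCP port 1813
Sat June 22 2002 13:02:11 Unrecognized access from 4.18.239.237:3941 to TCP port 8080
Sat June 22 2002 13:02:11 Unrecognized access from 4.18.239.237:3946 to TCP port 1813
Sat June 22 2002 13:02:27 Unrecognized access from 4.18.239.237:1057 to TCP port 1813
Sat June 22 2002 13:02:31 Unrecognized access from 4.18.239.237:1057 to TCP port 1813
Sat June 22 2002 13:02:37 Unrecognized access from 4.18.239.237:1057 to TCP port 1813
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w+ \d{1,2} \d{4} \d\d:\d\d:\d\d) Unrecognized access from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) to (?P<proto>TCP|UDP) port (?P<dport>\d+)$"
)

def parse(log_text):
    # One (timestamp, src_ip, src_port, proto, dst_port) tuple per line that matches the format.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %B %d %Y %H:%M:%S")
            events.append((ts, m["src"], int(m["sport"]), m["proto"], int(m["dport"])))
    return events

def summarize(events):
    # Key on the TCP 4-tuple: repeated lines with the same source port a few seconds apart
    # are SYN retransmissions of one connection attempt, not separate probes.
    stamps = defaultdict(list)
    for ts, src, sport, proto, dport in events:
        stamps[(src, sport, proto, dport)].append(ts)
    report = defaultdict(lambda: {"ports": set(), "attempts": 0, "gaps": {}})
    for (src, sport, _proto, dport), times in stamps.items():
        times.sort()
        r = report[src]
        r["ports"].add(dport)
        r["attempts"] += 1          # one per distinct connection attempt
        r["gaps"][sport] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return dict(report)

def port_sweep_sources(summary, min_ports=3):
    # A single source touching several distinct ports in one burst is a sweep, not noise.
    return sorted(src for src, r in summary.items() if len(r["ports"]) >= min_ports)
```

Run over the full log in the post, the same code reports five connection attempts across four ports from one source, with the second burst on 1813 (source port 1057) being a separate attempt some 25 seconds after the first.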
    This archive was generated by hypermail 2b30 : Sat Jun 22 2002 - 21:42:10 PDT