Re: Scanning Port UDP 4668

From: H C (keydet89at_private)
Date: Mon Jul 22 2002 - 10:29:51 PDT


    Ken,
    
    I'm really kind of surprised that a CISSP is taking
    this approach to such a problem.
    
    Okay...this group has identified a number of UDP
    packets headed for this port.  Fine.  *How* did they
    find them?    Were they dropped by a firewall?  If
    so...so what?  Better to spend the time on things that
    matter than chasing after shiny objects.
    
    Were they logged by an IDS?  If so, what data is
    carried in the datagram?
    
    Assuming that no egress filtering is being done by
    this group, maybe what they can do is identify the
    systems using the destination IPs of the datagrams,
    then go to those boxes and run fport.exe (NT/2K) or
    'netstat -ano' (XP) or lsof (Linux) to see if anything
    *is*, in fact, listening on that port.
    
    --- Ken Grossman <kgrossmanat_private> wrote:
    > All,
    > 
    > One of the groups that I support has been seeing a
    > lot of scanning for UDP
    > port 4668.  Before you ask, they did not quantify "a
    > lot".  One of the
    > questions that they have is what are the scanners
    > looking for that is
    > running on that port.  I checked the IANA port
    > listing at
    > www.iana.org/assignments/port-numbers and found that
    > the port number (TCP
    > and UDP) is unassigned.  I also performed a check on
    > the SecurityFocus site
    > to see if this had been discussed before but found
    > nothing on it.  Does
    > anyone know what could be running on that port
    > number?  Thanks for your
    > assistance.
    > 
    > 
    > Ken Grossman, CISSP
    > kgrossmanat_private
    > (202) 401-7142
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS
    > analyzer service.
    > For more information on this free incident handling,
    > management 
    > and tracking system please see:
    > http://aris.securityfocus.com
    > 
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jul 22 2002 - 10:35:44 PDT
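
The host-side check suggested in the reply above, as an added example that is not part of the original message: a Python filter over `netstat -ano` output that reports which PIDs have UDP 4668 bound. The sample output is constructed, and the function names are hypothetical.

```python
# Constructed sample of Windows `netstat -ano` output (not from the original post).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    10.0.0.5:4668          10.0.0.9:1045          ESTABLISHED     2040
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:4668           *:*                                    1312
  UDP    10.0.0.5:46680         *:*                                    1500
  UDP    [::]:4668              *:*                                    1312
"""


def udp_bound(netstat_text, port):
    """Return (local_address, pid) for every UDP socket bound to `port`."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # UDP rows carry no State column: Proto, Local, Foreign, PID.
        if len(fields) != 4 or fields[0].upper() != "UDP":
            continue
        local, pid = fields[1], fields[3]
        # Split on the last colon so bracketed IPv6 addresses stay intact.
        addr, _, local_port = local.rpartition(":")
        # Compare as integers so 46680 is not mistaken for 4668.
        if local_port.isdigit() and int(local_port) == port and pid.isdigit():
            hits.append((addr, int(pid)))
    return hits


def triage(netstat_text, port=4668):
    """Summarise which PIDs need a closer look, or that nothing is bound."""
    hits = udp_bound(netstat_text, port)
    if not hits:
        return f"nothing bound to UDP {port} on this host"
    pids = sorted({pid for _, pid in hits})
    return f"UDP {port} bound by PID(s) {pids}; identify the owning process"


if __name__ == "__main__":
    print(triage(SAMPLE))
```
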