Re: looking for what? portscan 15000/tcp

From: Thomas Cannon (tcannonat_private)
Date: Fri Aug 23 2002 - 10:58:14 PDT

Next message: Skip Carter: "Re: looking for what? portscan 15000/tcp"

Previous message: Will Tell: "Re: BAD TRAFFIC 0 ttl"
In reply to: Fabio Pietrosanti (naif): "looking for what? portscan 15000/tcp"
Next in thread: Skip Carter: "Re: looking for what? portscan 15000/tcp"
Reply: Skip Carter: "Re: looking for what? portscan 15000/tcp"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 23 Aug 2002, Fabio Pietrosanti (naif) wrote:

>
> Today i found it on a very important network...
>

<snip>

> Aug 23 07:37:12 router 548143: Aug 23 07:40:15 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.74.1(15000), 1 packet
> Aug 23 07:37:13 router 548144: Aug 23 07:40:17 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp 210.117.126.206(15000) -> xx.xx.74.95(15000), 1 packet
>
> >From http://www.thekoala.com/ports.htm i found that could be
>  - 15000 TCP Netdemon
>
> but i'm curious regarding:
>
> - two scan attempt was done ( 07:37:06 & 07:40:17 )
> - why not every host was scanned but only some of them?
>
> Regards
>
> -naif

More curious is that it specifies the source port as 15000 as well.
Generally, I've only seen source ports specified for two reasons -- to get
around IDS's by scanning from the FTP-DATA port for TCP or 53 for UDP to
look like DNS responses or when someone's hunting for a backdoor the uses
the source port as part of the authentication mechanism.

That some of the hosts were skipped does not suprise me -- scanning while
controlling the source port is slow and awkward, and it would be easy for
someone to trip up the code to do it. That, or maybe they already tried
running an exploit against certain hosts and now it's going back and
checking only those -- twice. Maybe they ran the exploit twice, just to be
thorough?

Well, that's all the guessing I have in me after one cup of coffee.

Cheers,

- -tcannon

"No brain, no headache"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9Zne4aQMXAlxQFWcRAkmlAKDB694l5gix8Yj6BdFVoaxq/TGkawCgnNib
uzeqsMqPZU4xXiPMrhUqs00=
=59nL
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Skip Carter: "Re: looking for what? portscan 15000/tcp"
Previous message: Will Tell: "Re: BAD TRAFFIC 0 ttl"
In reply to: Fabio Pietrosanti (naif): "looking for what? portscan 15000/tcp"
Next in thread: Skip Carter: "Re: looking for what? portscan 15000/tcp"
Reply: Skip Carter: "Re: looking for what? portscan 15000/tcp"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Aug 23 2002 - 13:01:44 PDT