Re: looking for what? portscan 15000/tcp

From: Thomas Cannon (tcannonat_private)
Date: Fri Aug 23 2002 - 10:58:14 PDT

  • Next message: Skip Carter: "Re: looking for what? portscan 15000/tcp"

    Hash: SHA1
    On Fri, 23 Aug 2002, Fabio Pietrosanti (naif) wrote:
    > Today i found it on a very important network...
    > Aug 23 07:37:12 router 548143: Aug 23 07:40:15 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp -> xx.xx.74.1(15000), 1 packet
    > Aug 23 07:37:13 router 548144: Aug 23 07:40:17 MEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp -> xx.xx.74.95(15000), 1 packet
    > >From i found that could be
    >  - 15000 TCP Netdemon
    > but i'm curious regarding:
    > - two scan attempt was done ( 07:37:06 & 07:40:17 )
    > - why not every host was scanned but only some of them?
    > Regards
    > -naif
    More curious is that it specifies the source port as 15000 as well.
    Generally, I've only seen source ports specified for two reasons -- to get
    around IDS's by scanning from the FTP-DATA port for TCP or 53 for UDP to
    look like DNS responses or when someone's hunting for a backdoor the uses
    the source port as part of the authentication mechanism.
    That some of the hosts were skipped does not suprise me -- scanning while
    controlling the source port is slow and awkward, and it would be easy for
    someone to trip up the code to do it. That, or maybe they already tried
    running an exploit against certain hosts and now it's going back and
    checking only those -- twice. Maybe they ran the exploit twice, just to be
    Well, that's all the guessing I have in me after one cup of coffee.
    - -tcannon
    "No brain, no headache"
    Version: GnuPG v1.0.7 (FreeBSD)
    -----END PGP SIGNATURE-----
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Fri Aug 23 2002 - 13:01:44 PDT