Re: looking for what? portscan 15000/tcp

From: Skip Carter (skipat_private)
Date: Fri Aug 23 2002 - 14:34:09 PDT

  • Next message: Jackie: "What's going on here?"

    > More curious is that it specifies the source port as 15000 as well.
    > Generally, I've only seen source ports specified for two reasons -- to get
    > around IDS's by scanning from the FTP-DATA port for TCP or 53 for UDP to
    > look like DNS responses or when someone's hunting for a backdoor the uses
    > the source port as part of the authentication mechanism.
      I suspect that the fact that the source port and destination ports are both
      the same reflects common origin of this exploit tool with that of other
      probe tools (there is one that does this for ssh on 22 and ftp on 21).
      Perhaps the original author was confused about the src/dest port designations
      or was trying to fool an early firewall, and set the two to the same.
      Then that code became the starting point for multiple probe tools ever since.
     Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
     Taygeta Scientific Inc.        INTERNET: skipat_private
     1340 Munras Ave., Suite 314    WWW:
     Monterey, CA. 93940            
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Fri Aug 23 2002 - 14:41:04 PDT