I'm seeing the same thing. I also noticed one of the Code Red probes came at the same time as a port57 scan from the same address yesterday. On 11/1, I reported seeing very large IIS vulnerability probes that also coincided with a port 57 scan. One reply I received was that it was probably someone using "FxScanner". See the following URL for details: http://cert.uni-stuttgart.de/archive/intrusions/2002/11/msg00015.html > -----Original Message----- > From: Ingersoll, Jared [mailto:jaredat_private] > Sent: Tuesday, November 12, 2002 8:01 AM > To: incidentsat_private > Subject: scans on port 57 > > > I'm seeing a lot of blocked scans on port 57 in my firewall > logs, many times in conjunction with a port 80 or port 21 > scan. I was working under the assumption that these were > related to a misconfigured port scanner, but I'm seeing them > from a pretty diverse set of source addresses, so now I'm > curious what they're looking for. > > jared > > -------------------------------------------------------------- > -------------- > This list is provided by the SecurityFocus ARIS analyzer > service. For more information on this free incident handling, > management > and tracking system please see: http://aris.securityfocus.com > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Nov 13 2002 - 23:09:18 PST