[34247] in North American Network Operators' Group


Re: Wierd portscans

daemon@ATHENA.MIT.EDU (Justin Hinderliter)
Wed Jan 31 20:36:27 2001

Message-ID: <018401c08bf0$77ad6c80$c86746cf@interaccess.com>
From: "Justin Hinderliter" <justin@interaccess.com>
To: "Justin Hinderliter" <justin@interaccess.com>,
	"Elric" <elric@dse-nets.com>,
	"North America Network Operators Group Mailing List" <nanog@merit.edu>
Date: Wed, 31 Jan 2001 19:44:08 -0600
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


As an added note, there's no match for those UDP ports on l0pht, phrack,
etc. either.

Justin

----- Original Message -----
From: "Justin Hinderliter" <justin@interaccess.com>
To: "Elric" <elric@dse-nets.com>; "North America Network Operators Group
Mailing List" <nanog@merit.edu>
Sent: Wednesday, January 31, 2001 7:21 PM
Subject: Re: Wierd portscans


> Here's a list of services and their known port numbers.
>
> However, it appears that they're scanning for ports in the "reserved" or
> "unassigned" zones.  It could be that they're scanning those ports just to
> see if you're allowing scans or blocking them/dropping them to a null
> route... before running a subsequent scan.  Other than that, I'm not quite
> sure what they're looking for, to be truthful.
>
> One thought that comes to mind in regards to the high-numbered ports is
> whether they might think that that's a firewall running PAT/NAT, in which
> case, private IPs behind the firewall would end up showing up as
> high-numbered ports on the firewall.  Is this on a gateway/firewall, and if
> so, are you running NAT/PAT?
>
> Justin Hinderliter
> Network Analyst
> InterAccess Co. Data CLEC
>
> ----- Original Message -----
> From: "Elric" <elric@dse-nets.com>
> To: "North America Network Operators Group Mailing List" <nanog@merit.edu>
> Sent: Wednesday, January 31, 2001 5:12 PM
> Subject: Wierd portscans
>
>
> >
> >
> > I've been going through my scanlogs and in the past couple of days I have
> > seen someone trying to come in.  They're not getting in but I'm noticing them
> > hitting a number of ports over and over. Primarily attempting udp port 0,
> > but also 35072, 41612, and 63240. I've done searches on Google, Dejanews,
> > Bugtraq etc but can't seem to find out what these ports are.  Just
> > wondering if anyone had come across them ever....
> >
> >
> >  - Elric
> >
> >
>
> > --------------------------------------------------------------------------
> >  Network Administrator                          Dierking Scott Enterprises
> > --------------------------------------------------------------------------
> >
> >
> >
>


