[34248] in North American Network Operators' Group


Re: Wierd portscans

daemon@ATHENA.MIT.EDU (Justin Hinderliter)
Wed Jan 31 20:42:28 2001

Message-ID: <019001c08bf0$b3be77f0$c86746cf@interaccess.com>
From: "Justin Hinderliter" <justin@interaccess.com>
To: "Justin Hinderliter" <justin@interaccess.com>,
	"Elric" <elric@dse-nets.com>,
	"North America Network Operators Group Mailing List" <nanog@merit.edu>
Date: Wed, 31 Jan 2001 19:45:48 -0600
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


And, BTW, it looks like the previous message was bounced due to the text
attachment of the port numbers ASCII document.  SBT.

Justin

----- Original Message -----
From: "Justin Hinderliter" <justin@interaccess.com>
To: "Justin Hinderliter" <justin@interaccess.com>; "Elric"
<elric@dse-nets.com>; "North America Network Operators Group Mailing List"
<nanog@merit.edu>
Sent: Wednesday, January 31, 2001 7:44 PM
Subject: Re: Wierd portscans


> As an added note, there's no match for those UDP ports on l0pht, phrack,
> etc. either.
>
> Justin
>
> ----- Original Message -----
> From: "Justin Hinderliter" <justin@interaccess.com>
> To: "Elric" <elric@dse-nets.com>; "North America Network Operators Group
> Mailing List" <nanog@merit.edu>
> Sent: Wednesday, January 31, 2001 7:21 PM
> Subject: Re: Wierd portscans
>
>
> > Here's a list of services and their known port numbers.
> >
> > However, it appears that they're scanning for ports in the "reserved" or
> > "unassigned" zones.  It could be that they're scanning those ports just to
> > see if you're allowing scans or blocking them/dropping them to a null
> > route... before running a subsequent scan.  Other than that, I'm not quite
> > sure what they're looking for, to be truthful.
> >
> > One thought that comes to mind in regards to the high-numbered ports is
> > whether they might think that that's a firewall running PAT/NAT, in which
> > case, private IPs behind the firewall would end up showing up as
> > high-numbered ports on the firewall.  Is this on a gateway/firewall, and if
> > so, are you running NAT/PAT?
> >
> > Justin Hinderliter
> > Network Analyst
> > InterAccess Co. Data CLEC
> >
> > ----- Original Message -----
> > From: "Elric" <elric@dse-nets.com>
> > To: "North America Network Operators Group Mailing List" <nanog@merit.edu>
> > Sent: Wednesday, January 31, 2001 5:12 PM
> > Subject: Wierd portscans
> >
> >
> > >
> > >
> > > I've been going through my scanlogs and in the past couple of days I have
> > > seen someone trying to come in.  They're not getting in but I'm noticing them
> > > hitting a number of ports over and over. Primarily attempting udp port 0,
> > > but also 35072, 41612, and 63240. I've done searches on Google, Dejanews,
> > > Bugtraq etc but can't seem to find out what these ports are.  Just
> > > wondering if anyone had come across them ever....
> > >
> > >
> > >  - Elric
> > >
> > >
> > > --------------------------------------------------------------------------
> > >  Network Administrator                          Dierking Scott Enterprises
> > > --------------------------------------------------------------------------


