Re: [FW1] Hits on certain ports... What are they used for?
At 11:19 AM 5/24/01, Sterling, Chuck wrote:

> Lately I've seen bursts of hits from a source trying a small set of ports on a destination. Later the same source may try another destination. Other sources will also try the same set of ports on other destinations. I assume the sources are looking for vulnerabilities or trojan servers, but haven't had any success finding out which ones:

Let me guess... this is a partial list of 21 ports that you're getting scanned on. Starts with port 1008 and ends in port 60008. Exactly four seconds between each port. If you can ID the source host it always is running Linux.

I've been calling it "The unknown 21 backdoor port scan". No one seems to know what it is, but it seems to be a Linux worm. I do know that about 7 of them are backdoor ports for the various versions of the lion worm. Port 3879 is also a popular port for Linux exploits. 6639 and 39168 have also been linked to rpc-statd exploits. I assume the rest are also backdoors.

I used to see about 20 of these scans a day but now I'm down to 12 a day.

Hope this helps....

-- Joe
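One way to look for the scan pattern described in the reply above (one source walking a set of distinct ports on one destination, about four seconds apart) in firewall logs; this is an added example, not part of the original thread. The log format, the 1-second tolerance, the 5-port alert threshold and the sample lines are assumptions constructed here; the ports in the sample are the ones named in the post.

```python
from collections import defaultdict
from datetime import datetime

GAP_SECONDS = 4   # from the post: "exactly four seconds between each port"
TOLERANCE = 1     # assumption: allow 1 s of timestamp jitter
MIN_PORTS = 5     # assumption: alert on partial runs; the full scan is 21 ports

# Constructed sample in a hypothetical "date time src dst dport" format.
SAMPLE = """\
2001-05-24 11:02:00 192.0.2.10 198.51.100.5 1008
2001-05-24 11:02:04 192.0.2.10 198.51.100.5 3879
2001-05-24 11:02:08 192.0.2.10 198.51.100.5 6639
2001-05-24 11:02:12 192.0.2.10 198.51.100.5 39168
2001-05-24 11:02:16 192.0.2.10 198.51.100.5 60008
2001-05-24 11:02:01 192.0.2.77 198.51.100.5 80
2001-05-24 11:02:31 192.0.2.77 198.51.100.5 443
"""

def parse(line):  # -> (timestamp, src, dst, dport)
    date, time, src, dst, dport = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), src, dst, int(dport)

def _flush(findings, src, dst, run):
    """Record a run if it is long enough; flag the full 1008..60008 signature."""
    ports = [port for _, port in run]
    if len(ports) >= MIN_PORTS:
        full = len(ports) == 21 and ports[0] == 1008 and ports[-1] == 60008
        findings.append({"src": src, "dst": dst, "ports": ports, "full_signature": full})

def find_paced_scans(lines):
    """Find runs of distinct ports from one source to one destination, ~4 s apart."""
    by_pair = defaultdict(list)
    for line in filter(str.strip, lines):
        ts, src, dst, dport = parse(line)
        by_pair[(src, dst)].append((ts, dport))
    findings = []
    for (src, dst), events in by_pair.items():
        events.sort()
        run = [events[0]]
        for prev, cur in zip(events, events[1:]):
            paced = abs((cur[0] - prev[0]).total_seconds() - GAP_SECONDS) <= TOLERANCE
            if paced and cur[1] not in {port for _, port in run}:
                run.append(cur)
            else:
                _flush(findings, src, dst, run)
                run = [cur]
        _flush(findings, src, dst, run)
    return findings

if __name__ == "__main__":
    print(find_paced_scans(SAMPLE.splitlines()))
```

Grouping by source and destination pair keeps unrelated traffic from other hosts from breaking a run; `full_signature` is set only when a run has all 21 ports and the first and last ports match the ones given in the post.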