Thanks for the help, folks. I installed PCAnywhere 8.0 on one of my systems
while the sniffer was running and got the very same packets on UDP ports 22
and 5632. In fact, it scanned the entire class C that I belong to, ignoring
my subnet mask. It just happens that the other company is within the same
Class C but with another subnet mask. PCAnywhere just didn't care and
scanned 224 IPs that don't belong to me.
Joel
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Boxmeyer, Jim, SOCOO
Sent: Thursday, March 09, 2000 8:43 AM
To: Joel Colvin; [EMAIL PROTECTED]
Subject: RE: Perplexing scan: UDP port 22 & 5632
Port 22 UDP is reserved for SSH (Secure Shell); 5632 is reserved for
PCAnywhere along with 5631.
I maintain a trojan port list reachable at
http://www.onctek.com/trojanports.html; you can also reach the registered TCP
port listings from that page.
Hope that helps,
Jim Boxmeyer
Senior Security Engineer
ONCTek LLC
http://www.onctek.com
-----Original Message-----
From: Joel Colvin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 09, 2000 12:54 AM
To: [EMAIL PROTECTED]
Subject: Perplexing scan: UDP port 22 & 5632
For a few weeks now I have been dogged by an apparent scan of my network.
The scanning host keeps hitting UDP port 22 on all of my hosts in an
apparently random IP address order. The network admin of the originating
domain has attempted to block this traffic at his firewall but I keep
getting the scans of all hosts. Today I happened to be running the Ethereal
sniffer when another scan from the same host hit UDP port 5632 on all of my
hosts. The packets sent, minus all headers, are all just two bytes long and
identical.
While the traffic is slight I am intent on learning the source and method of
this activity. I am at a loss on where to proceed from here. Any ideas?
Joel
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
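
An added example, not part of the original thread: a Python sketch that finds the pattern described above (identical two-byte UDP payloads to ports 22 and 5632 across a whole /24) in decoded packet records and counts how many swept addresses fall outside the sender's own subnet. The record layout, the 192.0.2.0/24 addresses, the placeholder payload bytes, the /27 local subnet (chosen so that 256 - 32 matches the 224 in the thread) and the min_targets threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

PROBE_PORTS = {22, 5632}  # UDP ports reported in the thread

def find_sweeps(packets, min_targets=64):
    """packets: iterable of (src, dst, udp_dport, payload_bytes).
    Flag a source that sends one identical 2-byte payload to many
    distinct hosts inside a single /24 (the old class C boundary)."""
    groups = defaultdict(set)
    for src, dst, dport, payload in packets:
        if dport in PROBE_PORTS and len(payload) == 2:
            net = ipaddress.ip_network(f"{dst}/24", strict=False)
            groups[(src, dport, payload, net)].add(ipaddress.ip_address(dst))
    return [
        {"src": src, "port": dport, "network": net, "targets": dsts}
        for (src, dport, payload, net), dsts in groups.items()
        if len(dsts) >= min_targets  # threshold is an assumption
    ]

def outside_subnet(sweep, local_subnet):
    """Count swept addresses that are not in the sender's real subnet."""
    local = ipaddress.ip_network(local_subnet)
    return sum(1 for d in sweep["targets"] if d not in local)

def sample_capture():
    """Constructed records: one host sweeping all of 192.0.2.0/24 on both
    ports with a placeholder 2-byte payload, plus one unrelated packet."""
    src = "192.0.2.10"
    pkts = [(src, f"192.0.2.{h}", port, b"\x00\x00")
            for port in (22, 5632) for h in range(256)]
    pkts.append((src, "192.0.2.5", 53, b"\x12\x34"))  # ordinary traffic
    return pkts

if __name__ == "__main__":
    for s in find_sweeps(sample_capture()):
        extra = outside_subnet(s, "192.0.2.0/27")  # assumed local subnet
        print(f"{s['src']} swept {len(s['targets'])} hosts in {s['network']} "
              f"on UDP/{s['port']}; {extra} are outside 192.0.2.0/27")
```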