At 11:19 AM 5/24/01, Sterling, Chuck wrote:
>Lately I've seen bursts of hits from a source trying a small set of ports on
>a destination. Later the same source may try another destination. Other
>sources will also try the same set of ports on other destinations. I assume
>the sources are looking for vulnerabilities or trojan servers, but haven't
>had any success finding out which ones:
>
>2400
>3879
>5300
>6635
>8282
>9112
>9705
>11753
>22223
>22252
>39168
>
>There are a few others that show up in the same set, but these are the ones
>I haven't a label for.
>Anybody know what any of these are used for?

Let me guess...this is a partial list of 21 ports that you're getting
scanned on. Starts with port 1008 and ends in port 60008. Exactly four
seconds between each port. If you can ID the source host it always is
running Linux. I've been calling it "The unknown 21 backdoor port
scan". No one seems to know what it is, but it seems to be a Linux
worm.  I do know that about 7 of them are backdoor ports for the various
versions of the Lion worm.  Port 3879 is also a popular port for Linux
exploits. 6639 and 39168 have also been linked to rpc-statd exploits. I
assume the rest are also backdoors.
I used to see about 20 of these scans a day but now I'm down to 12 a day.
Hope this helps....
-- Joe
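
The scan signature described in this thread (one source, one destination, distinct ports, a fixed four-second gap, first port 1008 and last port 60008) can be matched in firewall drop logs. The following is an added example, not part of either message: the function names, the (time, src, dst, dport) event format, the addresses and the timestamps are constructed, and the sample uses only the 13 ports named in the thread, assumed to arrive in ascending order.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def find_paced_scans(events, interval=4.0, tolerance=0.5, min_ports=8):
    """events: iterable of (datetime, src, dst, dport) for dropped packets.
    Returns runs where one source probes one destination on distinct ports
    with a near-constant gap of `interval` seconds between probes."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))
    hits = []
    for (src, dst), probes in by_pair.items():
        probes.sort()
        run = [probes[0]]
        for prev, cur in zip(probes, probes[1:]):
            gap = (cur[0] - prev[0]).total_seconds()
            seen = {port for _, port in run}
            if abs(gap - interval) <= tolerance and cur[1] not in seen:
                run.append(cur)          # pacing and new port: same scan
            else:
                _emit(hits, src, dst, run, min_ports)
                run = [cur]              # pacing broken: start a new run
        _emit(hits, src, dst, run, min_ports)
    return hits

def _emit(hits, src, dst, run, min_ports):
    if len(run) >= min_ports:
        ports = [port for _, port in run]
        hits.append({"src": src, "dst": dst, "ports": ports,
                     # first/last ports as described in the reply
                     "bookends": (ports[0], ports[-1]) == (1008, 60008)})

# Constructed sample data (RFC 5737 documentation addresses).
T0 = datetime(2001, 5, 24, 11, 0, 0)
THREAD_PORTS = [1008, 2400, 3879, 5300, 6635, 8282, 9112, 9705,
                11753, 22223, 22252, 39168, 60008]

def sample_events():
    dst = "198.51.100.5"
    ev = [(T0 + timedelta(seconds=4 * i), "192.0.2.10", dst, p)
          for i, p in enumerate(THREAD_PORTS)]            # paced scan
    ev += [(T0 + timedelta(seconds=0.1 * i), "192.0.2.77", dst, 1000 + i)
           for i in range(30)]                            # fast sweep, no match
    ev += [(T0 + timedelta(seconds=4 * i), "192.0.2.88", dst, 80)
           for i in range(10)]                            # same-port retries
    return ev

if __name__ == "__main__":
    for hit in find_paced_scans(sample_events()):
        print(hit["src"], "->", hit["dst"], hit["ports"], hit["bookends"])
```

Setting min_ports=21 restricts matches to the full 21-port run described in the reply; the lower default also catches scans that were only partly logged.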