Often the folks in the Warez scene will hack into a machine and install a hidden FTP server set to run on these higher port numbers. The idea is that they are safe because so few applications/services actually use these ports that the network/systems admins won't think to look there.

Ken Hayes
Network Administrator
Eastbay / Footlocker.com
Wausau, WI Offices
(715) 261-9573
[EMAIL PROTECTED]

Rolf Jürrens <security@rolf-juerrens.de>
Sent by: <[EMAIL PROTECTED]>
10/29/2002 12:39 AM

To: [EMAIL PROTECTED]
cc:
Subject: Slow scan on high-ports?

Hi everyone,

in our firewall-logs I see a slow scan over our whole network from one IP address on tcp ports >65300. The scan lasts now about 24 hours with only 50 packets.

What is the purpose of such a scan? Since all ports are normally closed in these ranges, no one can expect to gather information about a network - am I right? Or are there any interesting ports in this range?

By the way: the IP address appears in the dshield.org database as an attacker address.

Greetings
Rolf
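
Added example, not part of the original e-mails: one way to flag the pattern described in the thread, a single source touching many hosts on TCP ports above 65300 at a very low packet rate, in firewall drop logs. The log line format, the thresholds and the sample addresses (documentation ranges) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HIGH_PORT_FLOOR = 65300             # "tcp ports >65300", as reported in the thread
MIN_TARGETS = 10                    # assumed threshold: sweep touches many hosts
MIN_DURATION = timedelta(hours=6)   # assumed threshold: activity spread over hours
MAX_PKTS_PER_HOUR = 10.0            # assumed threshold: rate low enough to be "slow"

def parse_line(line):
    """Parse the constructed format: '<ISO time> <action> <proto> <src:port> -> <dst:port>'."""
    ts, action, proto, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), action, proto, src.rsplit(":", 1)[0], dst_ip, int(dst_port)

def find_slow_high_port_scans(lines):
    """Return {source_ip: summary} for slow sweeps of many hosts on high TCP ports."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, action, proto, src_ip, dst_ip, dport = parse_line(line)
        if action == "DROP" and proto == "tcp" and dport > HIGH_PORT_FLOOR:
            hits[src_ip].append((ts, dst_ip, dport))
    findings = {}
    for src_ip, events in hits.items():
        events.sort()
        duration = events[-1][0] - events[0][0]
        targets = {dst for _, dst, _ in events}
        if duration < MIN_DURATION or len(targets) < MIN_TARGETS:
            continue  # short burst or single-host noise, not a slow sweep
        hours = duration.total_seconds() / 3600
        if len(events) / hours <= MAX_PKTS_PER_HOUR:
            findings[src_ip] = {"packets": len(events), "targets": len(targets),
                                "hours": round(hours, 1)}
    return findings

def build_sample_log():
    """Constructed sample: one slow sweep plus fast single-host noise and an unrelated drop."""
    start = datetime(2002, 10, 28, 0, 30)
    lines = [f"{(start + timedelta(minutes=29 * i)).isoformat()} DROP tcp "
             f"203.0.113.7:{40000 + i} -> 192.0.2.{i + 1}:{65301 + 4 * i}" for i in range(50)]
    lines += [f"{(start + timedelta(seconds=i)).isoformat()} DROP tcp "
              f"198.51.100.9:{50000 + i} -> 192.0.2.10:65400" for i in range(30)]
    lines.append(f"{start.isoformat()} DROP tcp 198.51.100.20:51515 -> 192.0.2.5:445")
    return lines

if __name__ == "__main__":
    for ip, summary in find_slow_high_port_scans(build_sample_log()).items():
        print(ip, summary)
```

Per-minute or per-hour rate alerts miss this pattern by design, so the grouping window has to cover at least a day of logs.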