And, BTW, it looks like the previous message was bounced due to the text attachment of the port numbers ASCII document. SBT.
Justin
----- Original Message -----
From: "Justin Hinderliter" <justin@interaccess.com>
To: "Justin Hinderliter" <justin@interaccess.com>; "Elric" <elric@dse-nets.com>; "North America Network Operators Group Mailing List" <nanog@merit.edu>
Sent: Wednesday, January 31, 2001 7:44 PM
Subject: Re: Wierd portscans
As an added note, there's no match for those UDP ports on l0pht, phrack, etc. either.
Justin
----- Original Message -----
From: "Justin Hinderliter" <justin@interaccess.com>
To: "Elric" <elric@dse-nets.com>; "North America Network Operators Group Mailing List" <nanog@merit.edu>
Sent: Wednesday, January 31, 2001 7:21 PM
Subject: Re: Wierd portscans
Here's a list of services and their known port numbers.
However, it appears that they're scanning for ports in the "reserved" or "unassigned" zones. It could be that they're scanning those ports just to see if you're allowing scans or blocking them/dropping them to a null route... before running a subsequent scan. Other than that, I'm not quite sure what they're looking for, to be truthful.
One thought that comes to mind in regards to the high-numbered ports is whether they might think that that's a firewall running PAT/NAT, in which case, private IPs behind the firewall would end up showing up as high-numbered ports on the firewall. Is this on a gateway/firewall, and if so, are you running NAT/PAT?
Justin Hinderliter Network Analyst InterAccess Co. Data CLEC
----- Original Message -----
From: "Elric" <elric@dse-nets.com>
To: "North America Network Operators Group Mailing List" <nanog@merit.edu>
Sent: Wednesday, January 31, 2001 5:12 PM
Subject: Wierd portscans
I've been going through my scanlogs and in the past couple of days I have seen someone trying to come in. They're not getting in but I'm noticing them hitting a number of ports over and over. Primarily attempting udp port 0, but also 35072, 41612, and 63240. I've done searches on Google, Dejanews, Bugtraq etc but can't seem to find out what these ports are. Just wondering if anyone had come across them ever....
- Elric
--------------------------------------------------------------------------
Network Administrator Dierking Scott Enterprises
--------------------------------------------------------------------------