[Intrusions] Port 44916 Scans
Mike Rabinowitz
mrabinowitz at burntmail.com
Wed Nov 10 12:28:37 GMT 2004
Thanks Ken (I actually check your posts often, thanks for that too)
>-----Original Message-----
>From: Ken Connelly [mailto:ken.connelly at uni.edu]
>Sent: Sunday, November 7, 2004 10:02 PM
>To: 'Intrusions List (GCIA Practicals)'
>Subject: Re: [Intrusions] Port 44916 Scans
>
>That port hasn't made my top-25 list in the past week, nor my top-10
>list anytime this year. Sorry...
>
>-ken
>
>Mike Rabinowitz wrote:
>
>>Hi all,
>>
>>Anyone seen scans for tcp 44916? I haven't been able to dig anything up on this. No trace included here, but I'll give you the general idea:
>>
>>*Packets are always flagged with SYN just trying to initiate connection
>>*TCP retries are normal with 0, 3, 6 second intervals before giving up
>>*Sources seem to have nothing in common save for the fact that they are dial-ups or home DSLs.
>>
>>I can barely find anything about this port except for on Kurt Siegfield's pages stating that this should be the starting high source client port for Linux Fedora.
>>
>>ISC does show activity for this port if you search on it, but no details are included.
>>
>>FYI, I work at an MSSP with many devices across different public address spaces. I see this traffic at only one range: 12.0.0.0/8. This belongs to AT&T.
>>
>>Anyone else seen this at all? Any idea what exploit this uses or what tool might generate it?
>>
>>
>>Thanks in advance,
>>
>>
>>Mike
>>
>>
>>_______________________________________________
>>Intrusions mailing list
>>Intrusions at lists.sans.org
>>http://www.dshield.org/mailman/listinfo/intrusions
>>
>>
>
>
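One way to check logs for the pattern described in the thread (SYN-only packets to tcp/44916, destinations inside 12.0.0.0/8, retries on a fixed schedule), as an added example that is not part of the original posts. The log format, the addresses and the function name are constructed for illustration, and reading the "0, 3, 6 second" figures as 3 s and 6 s gaps between successive SYNs is an assumption.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

PORT = 44916                                # port named in the thread
NET = ipaddress.ip_network("12.0.0.0/8")    # range named in the thread
RETRY_GAPS = [3, 6]                         # assumed reading of "0, 3, 6" (seconds)
LINE = re.compile(r"(\S+) SRC=(\S+) SPT=(\d+) DST=(\S+) DPT=(\d+) FLAGS=(\S+)")

# Constructed sample lines in a made-up log format; not real traffic.
SAMPLE = """\
2004-11-07T21:14:02 SRC=203.0.113.7 SPT=1045 DST=12.10.20.30 DPT=44916 FLAGS=S
2004-11-07T21:14:05 SRC=203.0.113.7 SPT=1045 DST=12.10.20.30 DPT=44916 FLAGS=S
2004-11-07T21:14:11 SRC=203.0.113.7 SPT=1045 DST=12.10.20.30 DPT=44916 FLAGS=S
2004-11-07T21:20:00 SRC=198.51.100.9 SPT=2301 DST=12.10.20.31 DPT=44916 FLAGS=S
2004-11-07T21:20:00 SRC=198.51.100.9 SPT=2302 DST=12.10.20.32 DPT=44916 FLAGS=S
2004-11-07T21:21:00 SRC=198.51.100.9 SPT=2303 DST=192.0.2.5 DPT=44916 FLAGS=S
2004-11-07T21:22:00 SRC=203.0.113.7 SPT=1046 DST=12.10.20.30 DPT=80 FLAGS=S
2004-11-07T21:23:00 SRC=192.0.2.77 SPT=4000 DST=12.10.20.30 DPT=44916 FLAGS=SA
"""

def classify(log_text):
    """Group bare SYNs to PORT inside NET by (src, sport, dst) and label the timing."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, spt, dst, dpt, flags = m.groups()
        if int(dpt) != PORT or flags != "S":        # other port, or not a bare SYN
            continue
        if ipaddress.ip_address(dst) not in NET:    # outside the range of interest
            continue
        flows[(src, int(spt), dst)].append(datetime.fromisoformat(ts))
    labels = {}
    for key, times in flows.items():
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        if gaps == RETRY_GAPS:
            labels[key] = "stack-retry"   # same 4-tuple retried on the 3 s / 6 s schedule
        elif not gaps:
            labels[key] = "single-syn"    # one SYN, no retransmission seen
        else:
            labels[key] = "irregular"     # repeated, but not on that schedule
    return labels

if __name__ == "__main__":
    for flow, label in classify(SAMPLE).items():
        print(flow, label)
```

A flow labelled "stack-retry" is consistent with an ordinary TCP stack retrying a connect, while "single-syn" flows from one source to several destinations look more like a sweep.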