[Intrusions] Port Scanning on 1026 & 1027

Earnhart, Benjamin J benjamin-earnhart at uiowa.edu
Wed Jul 27 15:29:36 GMT 2005

Same here, lately 1026 and 1027 have become as popular as 1433 and 22.

I assumed it was people trying to get by blocks on the regular MS SMB
ports (135-139 and 445).  I *think* it should *mostly* be a non-issue,
since AFAIK, 1026 and 1027 only get opened up temporarily when
authenticating and establishing a connection, so an attacker would have
to have perfect timing and an unpatched machine to attack.  But if it
really is that much of a no-big-deal thing, I don't get why the bad guys
are bothering with it.

So I concur with you that they're becoming very popular, and look
forward to somebody giving a decent explanation as to why this is

*Ben Earnhart
*Computer Consultant and 
*ICPSR Representative
*Department of Sociology and 
*College of Liberal Arts
*University of Iowa
*(319) 335-2887
*benjamin-earnhart at uiowa.edu

> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Tony Tomasello
> Sent: Tuesday, July 26, 2005 2:15 PM
> To: intrusions at lists.sans.org
> Subject: [Intrusions] Port Scanning on 1026 & 1027
> Guys,
> I have noticed a tremendous amount of scanning on ports 1026 
> and 1027. Not 
> sure if you all have been experiencing the same. Is this 
> something that I 
> should be concerned about ?
> Thanks,
> Tony T.
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions

More information about the Intrusions mailing list