[Dshield] Roadrunner

John Sage jsage at finchhaven.com
Mon Oct 29 03:23:45 GMT 2001


You might take a look at:


for a *very* comprehensive port listing..

There doesn't seem to be anything known on their source port of 4138; 
some of the destination ports *do* have known uses but they're pretty 

ttc-etap-ds     2978/tcp        #TTCs Enterprise Test Access Protocol - DS
ttc-etap-ds     2978/udp        #TTCs Enterprise Test Access Protocol - DS

unisql-java     1979/tcp        #UniSQL Java
unisql-java     1979/udp        #UniSQL Java

ibm-mqseries2   1881/tcp        #IBM MQSeries
ibm-mqseries2   1881/udp        #IBM MQSeries

sunscalar-svc   1860/tcp        #SunSCALAR Services
sunscalar-svc   1860/udp        #SunSCALAR Services

informatik-lm   1428/tcp        #Informatik License Manager
informatik-lm   1428/udp        #Informatik License Manager

Sometimes it's helpful to remember that the clowns who are doing tcp SYN 
scans aren't always real bright...

The source ip you show didn't respond to either an http request, or to 
nmap, so it may not be up at the moment..


- John

Peter Street wrote:

> Just noticed quite a few reports in ZA-Pro's logs from
> FWIN,2001/10/28,20:38:22 +0:00
> GMT,,,TCP (flags:S)
> These appear to be targeting lots of different ports, including:
> 4597, 1979, 1173, 1428, 2978, 3547, 3765, 1044, 1860, 1881, 1136
> and quite a few others.  (If it would help, I can put a full list up).
> Basically, is there somewhere I can find out what they were trying to
> do?  AFAIK it's still happening (I'm running Windows XP Pro RC2 (Build
> 2525), and I have IIS 5.1 working with my development website on it -
> does anyone know of any exploits and patches I need to consider with
> this?)
> Any help would be much appreciated.
> Peter Street
> Web Developer / Manager
> LazerFX Productions
> www.lazerfx.co.uk (Under Construction)

More information about the list mailing list