[Dshield] port 7000?

Tim Rushing dshield at threenorth.com
Thu Oct 3 18:32:26 GMT 2002


Just saw this on a dedicated box:

Oct  3 12:48:43 mybox kernel: Packet log: input REJECT eth0 PROTO=6 
209.0.253.133:3448 a.b.c.194:7000 L=60 S=0x00 I=24069 F=0x4000 T=52 SYN (#91)
Oct  3 12:48:43 mybox kernel: Packet log: input REJECT eth0 PROTO=6 
209.0.253.133:3449 a.b.c.195:7000 L=60 S=0x00 I=24070 F=0x4000 T=52 SYN (#91)
Oct  3 12:48:43 mybox kernel: Packet log: input REJECT eth0 PROTO=6 
209.0.253.133:3450 a.b.c.196:7000 L=60 S=0x00 I=24071 F=0x4000 T=52 SYN (#91)
Oct  3 12:48:43 mybox kernel: Packet log: input REJECT eth0 PROTO=6 
209.0.253.133:3451 a.b.c.197:7000 L=60 S=0x00 I=24072 F=0x4000 T=52 SYN (#91)


These are the first port 7000 scans I have ever had directed at 
me.  Looking at the port 7000 scans at incidents.org, it seems that there 
is a very small uptick in records, but the number of targets have mostly 
been in the single digits.

My 4 ips represent almost exactly the average number of targets/day in the 
database for the last 4 days.

A google search on port 7000 shows some X-font servers, the afs file 
server, some known older trojans, but I didn't spot anything that seemed 
obviously recent.

       ---Tim Rushing




More information about the list mailing list