[Dshield] Re: Here's something you don't see every day

James C. Slora Jr. Jim.Slora at phra.com
Thu Oct 3 23:01:33 GMT 2002


Josh Beckett wrote Wednesday, October 02, 2002 10:29 PM
> Yes, know how to track them down, that's not the point.  I rarely see port
> 57 is the thing.
>
> Any thoughts?  Anyone else seeing this apparently little used port?

Had a rash of activity on tcp 57 last month, as part of several small
multi-port scans.
http://cert.uni-stuttgart.de/archive/intrusions/2002/09/msg00094.html

Several others have reported them over the past month. My multi-port scans
started with a ping with data "hello ???" then scans on any or all of TCP
21, 57, and 80. Others saw the same pattern (pings "hello ???" and any or
all of those ports).

I have not seen any logs of TCP 57 traffic from a system with that port
open. Info about post-connection activity on the other ports is at:
http://cert.uni-stuttgart.de/archive/intrusions/2002/09/msg00106.html
http://cert.uni-stuttgart.de/archive/intrusions/2002/09/msg00241.html

I have nothing but guesses about the TCP 57 traffic itself, but maybe these
combination scans will provide a clue.





More information about the list mailing list