Port 57 scans explained Re: [Dshield] Re: Here's something you don't see every day

KeithTarrant KeithTarrant at spamcop.net
Fri Oct 4 20:47:14 GMT 2002


For port (8), 57, 21, 80 scans see http://www.fx-tools.net

In the forum the writer answers why he uses port 57.  It was to check for
firewalls.  He plans to change that.

The tool is popular among Pubstro hackers.

http://www.mynetwatchman.com/kb/security/articles/winforensics/

And of course 137 is mostly Bugbear these days.  (It could be any worm
that tries to propagate by Windows file sharing.)

----- Original Message -----
From: "James C. Slora Jr." <Jim.Slora at phra.com>
To: <list at dshield.org>
Sent: Thursday, October 03, 2002 6:01 PM
Subject: [Dshield] Re: Here's something you don't see every day


> Josh Beckett wrote Wednesday, October 02, 2002 10:29 PM
> > Yes, know how to track them down, that's not the point.  I rarely see port
> > 57 is the thing.
> >
> > Any thoughts?  Anyone else seeing this apparently little used port?
>
> Had a rash of activity on tcp 57 last month, as part of several small
> multi-port scans.
> http://cert.uni-stuttgart.de/archive/intrusions/2002/09/msg00094.html
>
> Several others have reported them over the past month. My multi-port scans
> started with a ping with data "hello ???" then scans on any or all of TCP
> 21, 57, and 80. Others saw the same pattern (pings "hello ???" and any or
> all of those ports).
>
> I have not seen any logs of TCP 57 traffic from a system with that port
> open. Info about post-connection activity on the other ports is at:
> http://cert.uni-stuttgart.de/archive/intrusions/2002/09/msg00106.html
> http://cert.uni-stuttgart.de/archive/intrusions/2002/09/msg00241.html
>
> I have nothing but guesses about the TCP 57 traffic itself, but maybe these
> combination scans will provide a clue.
>
>
>
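
One way to pick the pattern reported in this thread out of firewall logs, added here as an example and not part of either poster's message. The log format, the five-minute window and matching only the readable "hello" prefix of the ping payload are assumptions.

```python
# Flags sources that send an ICMP echo request carrying "hello ..." and then
# probe any of TCP 21, 57 or 80 on the same destination shortly afterwards.
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {21, 57, 80}        # ports named in the thread
PING_PREFIX = "hello"            # assumption: match the readable prefix only
WINDOW = timedelta(minutes=5)    # assumption: correlation window

# Constructed sample log, hypothetical format: time src dst proto port|type payload
# (addresses are from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2002-10-03T17:00:01 198.51.100.7 192.0.2.10 icmp 8 hello ???
2002-10-03T17:00:02 198.51.100.7 192.0.2.10 tcp 21 -
2002-10-03T17:00:02 198.51.100.7 192.0.2.10 tcp 57 -
2002-10-03T17:00:03 198.51.100.7 192.0.2.10 tcp 80 -
2002-10-03T17:02:00 203.0.113.9 192.0.2.10 tcp 80 -
2002-10-03T17:03:00 203.0.113.20 192.0.2.10 icmp 8 abcdefgh
2002-10-03T17:03:01 203.0.113.20 192.0.2.10 tcp 57 -
2002-10-03T17:10:00 198.51.100.44 192.0.2.11 icmp 8 hello ???
2002-10-03T17:30:00 198.51.100.44 192.0.2.11 tcp 57 -
malformed line
"""

def parse(line):
    """Return (time, src, dst, proto, number, payload) or None if unparseable."""
    try:
        ts, src, dst, proto, num, payload = line.split(None, 5)
        return datetime.fromisoformat(ts), src, dst, proto.lower(), int(num), payload
    except ValueError:  # wrong field count, bad timestamp or bad number
        return None

def find_scans(log_text):
    """Map (src, dst) -> sorted scanned ports; expects time-ordered input."""
    pings = {}                 # (src, dst) -> time of the latest matching ping
    hits = defaultdict(set)    # (src, dst) -> ports probed inside the window
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, src, dst, proto, num, payload = ev
        key = (src, dst)
        if proto == "icmp" and num == 8 and payload.startswith(PING_PREFIX):
            pings[key] = ts
        elif proto == "tcp" and num in SCAN_PORTS and key in pings:
            if timedelta(0) <= ts - pings[key] <= WINDOW:
                hits[key].add(num)
    return {k: sorted(v) for k, v in hits.items()}

if __name__ == "__main__":
    print(find_scans(SAMPLE_LOG))
```

A lone probe to port 80, a ping with a different payload, and a probe arriving after the window are all left unflagged in the sample.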




