[Dshield] Here's something you don't see every day

John Sage jsage at finchhaven.com
Sat Oct 5 21:21:57 GMT 2002


Yup..

On Thu, Oct 03, 2002 at 04:28:40PM -0500, KeithTarrant wrote:
> Re port 57.
> 
> http://www.fx-tools.net
> 
> If you check in the forum, he says he uses 57 to check for the existence
> of a firewall.
> 
> Typically, together with the 57 probe, you will see a ping, and port 21
> and 80 probes.


For example:

#410-43| [2002-09-13 02:07:40] 209.167.182.3 -> 12.82.132.101  ICMP generic echo request
#410-44| [2002-09-13 02:07:40] 209.167.182.3:53087 -> 12.82.132.101:80  TCP to 80 http
#410-45| [2002-09-13 02:07:40] 209.167.182.3:53087 -> 12.82.132.101:80  TCP to 80 http
#410-46| [2002-09-13 02:07:40] 209.167.182.3:53087 -> 12.82.132.101:80  TCP to 80 http
#410-47| [2002-09-13 02:07:40] 209.167.182.3:53087 -> 12.82.132.101:80  TCP to 80 http
#410-48| [2002-09-13 02:07:40] 209.167.182.3:53087 -> 12.82.132.101:80  TCP to 80 http
#410-49| [2002-09-13 02:07:40] 209.167.182.3:53092 -> 12.82.132.101:57  TCP to 57 private terminal access
#410-50| [2002-09-13 02:07:43] 209.167.182.3:53092 -> 12.82.132.101:57  TCP to 57 private terminal access
#410-51| [2002-09-13 02:07:49] 209.167.182.3:53092 -> 12.82.132.101:57  TCP to 57 private terminal access
#410-52| [2002-09-13 02:08:01] 209.167.182.3:53370 -> 12.82.132.101:21  TCP to 21 ftp
#410-53| [2002-09-13 02:08:02] 209.167.182.3:53370 -> 12.82.132.101:21  TCP to 21 ftp
#410-54| [2002-09-13 02:21:50] 209.167.182.3:53370 -> 12.82.132.101:21  TCP to 21 ftp
#410-55| [2002-09-13 02:21:50] 209.167.182.3:53370 -> 12.82.132.101:21  TCP to 21 ftp



#423-4| [2002-09-21 22:43:59] 80.145.11.229 -> 12.82.142.72  ICMP generic echo request
#423-5| [2002-09-21 22:43:59] 80.145.11.229:2371 -> 12.82.142.72:80  TCP to 80 http
#423-6| [2002-09-21 22:44:00] 80.145.11.229:2371 -> 12.82.142.72:80  TCP to 80 http
#423-7| [2002-09-21 22:44:00] 80.145.11.229:2371 -> 12.82.142.72:80  TCP to 80 http
#423-8| [2002-09-21 22:44:00] 80.145.11.229:2371 -> 12.82.142.72:80  TCP to 80 http
#423-9| [2002-09-21 22:44:00] 80.145.11.229:2371 -> 12.82.142.72:80  TCP to 80 http
#423-10| [2002-09-21 22:44:00] 80.145.11.229:2371 -> 12.82.142.72:80  TCP to 80 http
#423-11| [2002-09-21 22:44:00] 80.145.11.229:2416 -> 12.82.142.72:57  TCP to 57 private terminal access
#423-12| [2002-09-21 22:44:03] 80.145.11.229:2416 -> 12.82.142.72:57  TCP to 57 private terminal access
#423-13| [2002-09-21 22:44:09] 80.145.11.229:2416 -> 12.82.142.72:57  TCP to 57 private terminal access



#429-15| [2002-09-26 04:14:37] 209.206.167.70 -> 12.82.129.201  ICMP generic echo request
#429-16| [2002-09-26 04:14:37] 209.206.167.70:1212 -> 12.82.129.201:80  TCP to 80 http
#429-17| [2002-09-26 04:14:37] 209.206.167.70:1212 -> 12.82.129.201:80  TCP to 80 http
#429-18| [2002-09-26 04:14:37] 209.206.167.70:1212 -> 12.82.129.201:80  TCP to 80 http
#429-19| [2002-09-26 04:14:37] 209.206.167.70:1212 -> 12.82.129.201:80  TCP to 80 http
#429-20| [2002-09-26 04:14:37] 209.206.167.70:1212 -> 12.82.129.201:80  TCP to 80 http
#429-21| [2002-09-26 04:14:37] 209.206.167.70:1218 -> 12.82.129.201:57  TCP to 57 private terminal access
#429-22| [2002-09-26 04:14:40] 209.206.167.70:1218 -> 12.82.129.201:57  TCP to 57 private terminal access
#429-23| [2002-09-26 04:14:46] 209.206.167.70:1218 -> 12.82.129.201:57  TCP to 57 private terminal access
#429-24| [2002-09-26 04:14:58] 209.206.167.70:1218 -> 12.82.129.201:57  TCP to 57 private terminal access



#440-218| [2002-10-03 04:17:28] 212.217.64.44 -> 12.82.128.249  ICMP generic echo request
#440-219| [2002-10-03 04:17:32] 212.217.64.44:1525 -> 12.82.128.249:80  TCP to 80 http
#440-220| [2002-10-03 04:17:32] 212.217.64.44:1525 -> 12.82.128.249:80  TCP to 80 http
#440-221| [2002-10-03 04:17:36] 212.217.64.44:1525 -> 12.82.128.249:80  TCP to 80 http
#440-222| [2002-10-03 04:17:36] 212.217.64.44:1525 -> 12.82.128.249:80  TCP to 80 http
#440-223| [2002-10-03 04:17:36] 212.217.64.44:1549 -> 12.82.128.249:57  TCP to 57 private terminal access
#440-224| [2002-10-03 04:17:39] 212.217.64.44:1549 -> 12.82.128.249:57  TCP to 57 private terminal access
#440-225| [2002-10-03 04:17:45] 212.217.64.44:1549 -> 12.82.128.249:57  TCP to 57 private terminal access
#440-227| [2002-10-03 04:17:57] 212.217.64.44:1549 -> 12.82.128.249:57  TCP to 57 private terminal access
#440-228| [2002-10-03 04:18:21] 212.217.64.44:1656 -> 12.82.128.249:21  TCP to 21 ftp
#440-229| [2002-10-03 04:18:21] 212.217.64.44:1656 -> 12.82.128.249:21  TCP to 21 ftp
#440-231| [2002-10-03 04:20:32] 212.217.64.44:1656 -> 12.82.128.249:21  TCP to 21 ftp
#440-230| [2002-10-03 04:20:32] 212.217.64.44:1656 -> 12.82.128.249:21  TCP to 21 ftp



- John
-- 
"Broken pipe"

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
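
Added example, not part of the original message: a small detector for the probe set described in this thread (a ping plus TCP 80 and TCP 57 from one source to one destination, with TCP 21 as an optional follow-up), run over log lines in the format shown above. The 60-second window, the function names and the sample lines (documentation addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the log format quoted in the message above.
LINE_RE = re.compile(
    r"^#\S+\|\s+\[(?P<ts>[^\]]+)\]\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+(?P<proto>ICMP|TCP)\b"
)
REQUIRED = {"icmp", 80, 57}      # ping + http + port 57, as described in the thread
WINDOW = timedelta(seconds=60)   # assumed correlation window, not from the thread

def parse(line):
    """Return (timestamp, src, dst, kind) or None; kind is 'icmp' or a TCP dport."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    kind = "icmp" if m["proto"] == "ICMP" else int(m["dport"] or 0)
    return ts, m["src"], m["dst"], kind

def find_probe_sets(lines):
    """Flag (src, dst) pairs showing ping + 80 + 57 close to the first port-57 hit."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, dst, kind = rec
            events[(src, dst)].append((ts, kind))
    hits = []
    for (src, dst), evs in sorted(events.items()):
        t57 = min((ts for ts, kind in evs if kind == 57), default=None)
        if t57 is None:
            continue                      # no port-57 probe, not this pattern
        near = {kind for ts, kind in evs if abs(ts - t57) <= WINDOW}
        if REQUIRED <= near:
            hits.append({"src": src, "dst": dst, "ftp": 21 in near})
    return hits

# Constructed sample lines (not taken from the message).
SAMPLE = """\
#1-1| [2002-10-01 10:00:00] 192.0.2.10 -> 198.51.100.5  ICMP generic echo request
#1-2| [2002-10-01 10:00:00] 192.0.2.10:4000 -> 198.51.100.5:80  TCP to 80 http
#1-3| [2002-10-01 10:00:01] 192.0.2.10:4001 -> 198.51.100.5:57  TCP to 57 private terminal access
#1-5| [2002-10-01 10:00:25] 192.0.2.10:4002 -> 198.51.100.5:21  TCP to 21 ftp
#2-1| [2002-10-01 11:00:00] 192.0.2.20:5000 -> 198.51.100.5:80  TCP to 80 http
#3-1| [2002-10-01 12:00:00] 192.0.2.30 -> 198.51.100.6  ICMP generic echo request
#3-2| [2002-10-01 12:00:00] 192.0.2.30:6000 -> 198.51.100.6:80  TCP to 80 http
#3-3| [2002-10-01 12:00:02] 192.0.2.30:6001 -> 198.51.100.6:57  TCP to 57 private terminal access
#4-1| [2002-10-01 13:00:00] 192.0.2.40:7000 -> 198.51.100.7:57  TCP to 57 private terminal access
""".splitlines()
```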



