[Dshield] New probe?

Charles Hamby fixer at gci.net
Sun Mar 16 19:12:23 GMT 2003


>From the looks of it, that matches the pattern of a tool called
FXScanner.  FXScanner uses port 57, which generally isn't used for
anything to determine it there's a firewall in place (the theory being
that if there's a firewall there, port 57 will be blocked).  More infor
on FXScanner can be found here:
http://www.mynetwatchman.com/kb/security/ports/6/57.htm


Charles Hamby

-----Original Message-----
From: Jon R. Kibler [mailto:Jon.Kibler at aset.com] 
Sent: Saturday, March 15, 2003 10:24 AM
To: list at dshield.org
Subject: [Dshield] New probe?

We have noticed what appears to be a new probe pattern. The intruder
hits first port 80 (http), then 57 (what exactly is 57?), then 21 (ftp),
in that order, and there is about 3 seconds between each probe.

Any idea what this probe is and what it is trying to accomplish?

Thanks!

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA




More information about the list mailing list