[Dshield] Captured Checkpoint FW-1 scan - TCP port 261

Blake McNeill mcneillb at linklogger.com
Tue Sep 23 23:52:18 GMT 2003


Someone had mentioned that they had seen an increase of TCP port 261 scans
and we had seen a scan or two of these ourselves lately.  Putting PortPeeker
on it we captured a scan where possibly someone was looking for unsecured
remote access to Checkpoint FW-1 systems, so heads up all you FW-1
administrators, make sure the back door is locked.

TCP Connection Request
--- 9/22/2003 09:55:13.098

194.29.98.7 : 3525 TCP Connected ID = 1
--- 9/22/2003 09:55:13.108
Status Code: 0 OK

194.29.98.7 : 3525 TCP Data In : MD5 = E83BC8B4EB453194DB50330C04017B05
--- 9/22/2003 09:55:13.299
0000   32 32 30 20 46 57 2D 31 20 53 65 73 73 69 6F 6E      220 FW-1 Session
0010   20 41 75 74 68 65 6E 74 69 63 61 74 69 6F 6E 20       Authentication
0020   52 65 71 75 65 73 74 20 66 72 6F 6D 20 45 57 46      Request from EWF
0030   57 31 0A 32 30 31 20 31 33 31 30 37 32 20 0A 32      W1.201 131072 .2
0040   31 31 20 31 31 35 30 33 33 37 32 35 31 20 36 37      11 1150337251 67
0050   34 34 20 33 32 35 36 37 30 35 36 36 38 20 31 33      44 3256705668 13
0060   37 20 31 37 0A                                       7 17.


194.29.98.7 : 3525 TCP Data In : MD5 = 9EBB3D3889C436B2A23197B6A41CB6EF
--- 9/22/2003 09:55:13.599
0000   33 33 31 20 55 73 65 72 3A 0A                        331 User:.


194.29.98.7 : 3525 TCP Disconnected ID = 1
--- 9/22/2003 09:57:13.311
Status Code: 28160 [28160] (no description available)

Blake McNeill
Product Manager
http://www.SonicLogger.com - Firewall Logging Software for SonicWall and
3Com
http://www.LinkLogger.com - Firewall Logging Software for Linksys, Netgear
and Zyxel
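For anyone who wants to work with the payload logged above, this added example (not part of the original post and not PortPeeker code) rebuilds the raw bytes from the first hex dump, checks the offsets for gaps, and splits the result into numbered reply lines. The function names are hypothetical; the dump lines are copied from the capture in the post.

```python
import re

# Hex-dump lines copied from the capture in the post (offset, bytes, ASCII).
CAPTURE = """\
0000   32 32 30 20 46 57 2D 31 20 53 65 73 73 69 6F 6E      220 FW-1 Session
0010   20 41 75 74 68 65 6E 74 69 63 61 74 69 6F 6E 20       Authentication
0020   52 65 71 75 65 73 74 20 66 72 6F 6D 20 45 57 46      Request from EWF
0030   57 31 0A 32 30 31 20 31 33 31 30 37 32 20 0A 32      W1.201 131072 .2
0040   31 31 20 31 31 35 30 33 33 37 32 35 31 20 36 37      11 1150337251 67
0050   34 34 20 33 32 35 36 37 30 35 36 36 38 20 31 33      44 3256705668 13
0060   37 20 31 37 0A                                       7 17.
"""

# Four-digit hex offset, then up to 16 two-digit hex bytes; the ASCII column is ignored.
DUMP_LINE = re.compile(r"^([0-9A-Fa-f]{4})\s+((?:[0-9A-Fa-f]{2} ?){1,16})")

def decode_dump(text):
    """Rebuild the raw payload from 'offset  hex bytes  ascii' dump lines."""
    payload = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue  # timestamps, status lines and blanks are skipped
        if int(m.group(1), 16) != len(payload):
            raise ValueError(f"gap in dump at offset {m.group(1)}")
        payload += bytes.fromhex(m.group(2))
    return bytes(payload)

def split_replies(payload):
    """Split LF-terminated lines into (3-digit code, remaining text) pairs."""
    replies = []
    for raw in payload.split(b"\n"):
        m = re.match(rb"(\d{3}) ?(.*)", raw)
        if m:
            text = m.group(2).decode("ascii", "replace").strip()
            replies.append((int(m.group(1)), text))
    return replies

def is_fw1_session_auth(replies):
    """True when the first line carries the banner text seen in this capture."""
    return (bool(replies) and replies[0][0] == 220
            and replies[0][1].startswith("FW-1 Session Authentication Request"))

if __name__ == "__main__":
    for code, text in split_replies(decode_dump(CAPTURE)):
        print(code, text)
```

The same `decode_dump` call works on the second, shorter dump in the post (`331 User:`), and it raises `ValueError` if a dump line is missing.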



