[Dshield] 4751/tcp Port Scans...

Al Reust areust at comcast.net
Thu Apr 1 04:54:26 GMT 2004


Dusty

Unplug them at the switch and have them scanned for Beagle.t or Beagle.v.

I would say leave them unplugged for a couple of weeks for good measure 
while they think about clicking on things they should not click on. Or make 
them write on the blackboard 500 times, "I will not click on things that I 
do not know about."

4751 is the backdoor port, only more trouble, and it should be blocked at 
the router/firewall! But then most ports above 1024 should be blocked and 
the ones that are necessary would then be opened; they would have a valid 
reason. Not to mention most below 1024 should also be blocked.

That is a topic that has been discussed a couple of times...

Al


At 03:39 PM 3/31/2004 -0600, you wrote:
>After an off-campus complaint I noticed several of our hosts scanning for 
>port 4751/tcp.  I assume this is some type of Bagle Variant... Thoughts?
>
>
>-Dusty
>
>
>*-----------------
>15:22:54.648856 131.204.x.x.3524 > 131.254.78.28.4751: S 
>607467045:607467045(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
>0x0000   4500 0030 9d1a 4000 7e06 9647 83cc xxxx        E..0..@.~..G..s.
>0x0010   83fe 4e1c 0dc4 128f 2435 3625 0000 0000        ..N.....$56%....
>0x0020   7002 2000 1f0c 0000 0204 05b4 0101 0402        p...............
>15:22:54.648931 131.204.x.x.3526 > 131.254.78.30.4751: S 
>607467085:607467085(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
>0x0000   4500 0030 9e1a 4000 7e06 9545 83cc xxxx        E..0..@.~..E..s.
>0x0010   83fe 4e1e 0dc6 128f 2435 364d 0000 0000        ..N.....$56M....
>0x0020   7002 2000 1ee0 0000 0204 05b4 0101 0402        p...............
>15:22:54.649025 131.204.x.x.3554 > 131.254.78.53.4751: S 
>607467582:607467582(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
>0x0000   4500 0030 9f1a 4000 7e06 942e 83cc xxxx        E..0..@.~.....s.
>0x0010   83fe 4e35 0de2 128f 2435 383e 0000 0000        ..N5....$58>....
>0x0020   7002 2000 1cbc 0000 0204 05b4 0101 0402        p...............
>15:22:54.649098 131.204.x.x.3557 > 131.254.78.55.4751: S 
>607467623:607467623(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
>0x0000   4500 0030 a01a 4000 7e06 932c 83cc xxxx        E..0..@.~..,..s.
>0x0010   83fe 4e37 0de5 128f 2435 3867 0000 0000        ..N7....$58g....
>0x0020   7002 2000 1c8e 0000 0204 05b4 0101 0402        p...............
>
>
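
Added example, not part of the original thread: a Python script that reads tcpdump text like the capture quoted above and lists the sources sending bare SYNs to 4751/tcp on several distinct addresses, which gives the set of hosts to pull from the switch and scan. It assumes old-style tcpdump output with one packet per line; the sample lines use constructed documentation addresses, and the `min_targets` threshold is an assumed value.

```python
import re
from collections import defaultdict

# Old-style tcpdump summary line: HH:MM:SS.ffffff SRC.SPORT > DST.DPORT: FLAGS ...
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>\S+)"
)

def find_scanners(lines, port=4751, min_targets=3):
    """Return {source: sorted distinct destinations} for hosts that sent bare
    SYNs to `port` on at least `min_targets` different addresses."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE.match(line.lstrip("> "))      # tolerate mail quoting
        if not m:
            continue                           # hex dump rows and other noise
        if int(m["dport"]) != port or m["flags"] != "S":
            continue
        if " ack " in line:
            continue  # SYN-ACK reply to a client whose ephemeral port is `port`
        targets[m["src"]].add(m["dst"])
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

# Constructed sample input (documentation address ranges, not the thread's hosts).
SAMPLE = """\
15:22:54.648856 192.0.2.10.3524 > 198.51.100.28.4751: S 607467045:607467045(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 0000 4000 7e06 0000 c000 020a
15:22:54.648931 192.0.2.10.3526 > 198.51.100.30.4751: S 607467085:607467085(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
15:22:54.649025 192.0.2.10.3554 > 198.51.100.53.4751: S 607467582:607467582(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
15:22:55.100000 192.0.2.20.1050 > 198.51.100.80.80: S 1:1(0) win 8192 (DF)
15:22:55.200000 192.0.2.30.1060 > 198.51.100.90.4751: S 5:5(0) win 8192 (DF)
15:22:55.300000 192.0.2.40.80 > 198.51.100.1.4751: S 9:9(0) ack 6 win 8192 (DF)
""".splitlines()

if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE).items():
        print(f"{src}: SYN to 4751/tcp on {len(dsts)} hosts: {', '.join(dsts)}")
```
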



