[Dshield] Portscan pattern

Bill McCarty bmccarty at pt-net.net
Sun Mar 14 04:50:38 GMT 2004


Hi Korhonen and all,

--On Saturday, March 13, 2004 9:01 PM +0200 Korhonen Juuso 
<juuso.korhonen at camline.fi> wrote:

> Can somebody tell me whether this is a scanning tool or a computer with a
> virus, given a scan pattern like this:
>
> Scanned ports: 2745, 1025, 135, 445, 6129

I'm seeing a variety of related probes:

Count Port List
----- ---------------------------------------------------------------------
    2 [ tcp/135, tcp/139, tcp/445, tcp/1025, tcp/2745, tcp/3127, tcp/6129 ]
    1 [ tcp/135, tcp/445, tcp/1025, tcp/2745 ]
    1 [ tcp/135, tcp/445, tcp/1025, tcp/2745, tcp/3127, tcp/6129 ]
    1 [ tcp/135, tcp/2745 ]
    2 [ tcp/139, tcp/445, tcp/1025, tcp/2745, tcp/3127, tcp/6129 ]
    7 [ tcp/139, tcp/1025, tcp/2745, tcp/3127, tcp/6129 ]
    3 [ tcp/139, tcp/1025, tcp/2745, tcp/6129 ]
    1 [ tcp/445, tcp/1025, tcp/2745, tcp/3127, tcp/6129 ]
    4 [ tcp/1025, tcp/2745 ]
    2 [ tcp/1025, tcp/2745, tcp/3127, tcp/6129 ]
    5 [ tcp/2745 ]
    7 [ tcp/139, tcp/1025, tcp/2745, tcp/3127, tcp/6129 ]
    5 [ tcp/2745 ]
    4 [ tcp/1025, tcp/2745 ]
    3 [ tcp/139, tcp/1025, tcp/2745, tcp/6129 ]
    2 [ tcp/135, tcp/139, tcp/445, tcp/1025, tcp/2745, tcp/3127, tcp/6129 ]
    2 [ tcp/139, tcp/445, tcp/1025, tcp/2745, tcp/3127, tcp/6129 ]
    2 [ tcp/1025, tcp/2745, tcp/3127, tcp/6129 ]
    1 [ tcp/135, tcp/445, tcp/1025, tcp/2745 ]
    1 [ tcp/135, tcp/445, tcp/1025, tcp/2745, tcp/3127, tcp/6129 ]
    1 [ tcp/135, tcp/2745 ]
    1 [ tcp/445, tcp/1025, tcp/2745, tcp/3127, tcp/6129 ]

Several folks have suggested that tcp/2745 is used by B[e]agle: 
<http://isc.incidents.org/port_details.html?port=2745&repax=1&tarax=2&srcax=2&percent=N&days=70>.

Cheers,

---------------------------------------------------
Bill McCarty
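
One way to build a count-per-port-list summary like the table in the message above from firewall logs, as an added example that is not part of the original post. The log format, the sample records and the reading of "Count" as the number of distinct source addresses that probed exactly that port set are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (hypothetical log format, documentation addresses).
SAMPLE_LOG = """\
2004-03-13T19:01:02 SRC=192.0.2.10 DST=198.51.100.5 PROTO=tcp DPT=2745
2004-03-13T19:01:09 SRC=192.0.2.10 DST=198.51.100.6 PROTO=tcp DPT=2745
2004-03-13T19:02:11 SRC=192.0.2.11 DST=198.51.100.5 PROTO=tcp DPT=1025
2004-03-13T19:02:12 SRC=192.0.2.11 DST=198.51.100.5 PROTO=tcp DPT=2745
2004-03-13T19:03:40 SRC=192.0.2.12 DST=198.51.100.7 PROTO=tcp DPT=2745
2004-03-13T19:03:41 SRC=192.0.2.12 DST=198.51.100.7 PROTO=tcp DPT=1025
2004-03-13T19:04:00 SRC=192.0.2.13 DST=198.51.100.5 PROTO=tcp DPT=135
2004-03-13T19:04:01 SRC=192.0.2.13 DST=198.51.100.5 PROTO=tcp DPT=445
2004-03-13T19:04:02 SRC=192.0.2.13 DST=198.51.100.5 PROTO=tcp DPT=1025
2004-03-13T19:04:03 SRC=192.0.2.13 DST=198.51.100.5 PROTO=tcp DPT=2745
2004-03-13T19:05:00 log rotated
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=\S+ PROTO=(\w+) DPT=(\d+)")

def ports_by_source(log_text):
    """Map each source address to the set of (proto, port) pairs it probed."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # ignore lines that are not packet records
            src, proto, port = m.groups()
            seen[src].add((proto.lower(), int(port)))
    return seen

def pattern_counts(log_text):
    """Count how many sources probed each distinct port set."""
    counts = Counter()
    for ports in ports_by_source(log_text).values():
        # Sort so probe order and repeats do not split one pattern into several.
        counts[tuple(sorted(ports, key=lambda p: (p[1], p[0])))] += 1
    return counts

def format_table(counts):
    """Render the counts in the Count / Port List layout, ordered by port list."""
    rows = ["Count Port List", "----- " + "-" * 40]
    by_ports = sorted(counts.items(), key=lambda kv: [p[1] for p in kv[0]])
    for pattern, n in by_ports:
        ports = ", ".join(f"{proto}/{port}" for proto, port in pattern)
        rows.append(f"{n:5d} [ {ports} ]")
    return "\n".join(rows)

if __name__ == "__main__":
    print(format_table(pattern_counts(SAMPLE_LOG)))
```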



