[unisog] Odd scan - ports 57 and 80
conormc at uchicago.edu
Wed Sep 18 17:46:26 GMT 2002
Anderson Johnston once said:
> This is from the daily nastygrams we generate. We got a scan of port 80
> and of port 57 (Mail Transfer Protocol - RFC 780). Anybody seen anything
> like this or have any idea why someone might want to scan these particular
We've been seeing port 57 in combination with scans for http and ftp for
a few weeks now. I have no idea why they're scanning for 57 as none of
the hosts on our network seem to respond.
Also, most, if not all, of the 57 scans that we are seeing are coming
from Deutsche Telekom.
> In this case, we can identify the IP's users as well as their ISP, but
> neither group may know that this is going on.
If one of our machines starts scanning outward for 57 I'll definitely try
to take a look at it to see what I can find.
> ---------- Forwarded message ----------
> On 17-sep-2002 at approximately 13:41 Eastern time (GMT-4) we
> detected a SYN scan of ports 57,80 on several hosts on our campus network from
> source ip 18.104.22.168. This ip is registered to:
> Southwestern Bell Internet Services SBIS-BLK-2 (NET-216-60-0-0-1)
> 22.214.171.124 - 126.96.36.199
> Border Network ISP-BORDERNET3 (NET-216-60-56-0-1)
> 188.8.131.52 - 184.108.40.206
> # ARIN Whois database, last updated 2002-09-17 19:05
> # Enter ? for additional hints on searching ARIN's Whois database.
> It is possible that a system in your domain has been compromised or is
> otherwise being misused. We appreciate any action that you may take to
> prevent such activity in the future. We would also appreciate any
> information that you may discover in the course of your investigations
> regarding any problems or vulnerabilities in our systems.
Conor McGrath Phone: (773)702-7611
Network Security Officer Fax: (773)834-4888
Network Security Center, The University of Chicago
More information about the unisog