[unisog] Scans on tcp/41523

Matt Johnson mwj at doc.ic.ac.uk
Mon Feb 14 16:25:18 GMT 2005


On Mon, 14 Feb 2005, Keith Schoenefeld wrote:

> I'm not sure what's going on yet, but I've started picking up a
> reasonably large number of scans on port tcp/41523 from off campus.  The
> Internet Storm Center at SANS (isc.sans.org) has a cool tool where you
> can look up a port and see if other people are picking up scans on
> specific ports.  On Feb. 12th, there were 144 total scans reported to
> isc on port 41523.  For today, a total of 46,000 scans had been
> reported (a 31,844% increase if my math is correct).  Something is up.
> Anyone know of any new worm that creates a backdoor on tcp/41523?

One of our sensors heard a sequential scan (and a bit more) from one 
source IP in the UK targeting TCP 41523 between 0400 and 0500 GMT today. 
Nothing since though, and just a single source, so not too sure what 
this suggests. This is the only time our sensors (which have logged for 
about the last three weeks) have seen any interest in that destination 
port however, so indeed someone may be looking for something new.

Matt

-- 
Matt Johnson <mwj at doc.ic.ac.uk>
Junior Systems Programmer
Computing Support Group

"If you cross a computer with Nigel Mansell, you get a system that
crashes at over 200 miles an hour."
  - D. J. Fleming