[unisog] Scans on tcp/41523
mwj at doc.ic.ac.uk
Mon Feb 14 16:25:18 GMT 2005
On Mon, 14 Feb 2005, Keith Schoenefeld wrote:
> I'm not sure what's going on yet, but I've started picking up a
> reasonably large number of scans on port tcp/41523 from off campus. The
> Internet Storm Center at SANS (isc.sans.org) has a cool tool where you
> can look up a port and see if other people are picking up scans on
> specific ports. On Feb. 12th, there were 144 total scans reported to
> isc on port 41523. For today, a total of 46,000 scans had been
> reported (a 31,844% increase if my math is correct). Something is up.
> Anyone know of any new worm that creates a backdoor on tcp/41523?
One of our sensors heard a sequential scan (and a bit more) from one
source IP in the UK targeting TCP 41523 between 0400 and 0500 GMT today.
Nothing since though, and just a single source, so not too sure what
this suggests. This is the only time our sensors (which have logged for
about the last three weeks) have seen any interest in that destination
port however, so indeed someone may be looking for something new.
Matt Johnson <mwj at doc.ic.ac.uk>
Junior Systems Programmer
Computing Support Group
"If you cross a computer with Nigel Mansell, you get a system that
crashes at over 200 miles an hour."
- D. J. Fleming