Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: TCP Port 42 port scans? What the heck over...
From: Matt Ostiguy <ostiguy () gmail com>
Date: Mon, 13 Dec 2004 14:33:42 -0500

http://isc.sans.org/port_details.php?port=42&repax=1&tarax=2&srcax=2&percent=N&days=70&Redraw=

Shows a fairly large spike over the weekend. 42 is used for WINS (MS's
netbios name server) replication, and recently the Immunitysec folks
found an exploitable bug in the WINS service. Still, given how few
people one would expect to have that port accessible through a
firewall, or just how low the percentage of windows servers running
WINS is, it is somewhat of a strange target if it is indeed an
attempted WINS exploit.

Matt

On Mon, 13 Dec 2004 06:46:38 -0700, James Lay <jlay () ameriben com> wrote:
Here they be.  ODD.  Anyone else seeing this?

Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0
PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.1 LEN=40 TOS=0x00
PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535
RES=0x00 SYN URGP=0
Dec 13 06:41:49 gateway kernel: Web1 drops:IN=br0 OUT=br0 PHYSIN=eth1
PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.18.1 LEN=40 TOS=0x00 PREC=0x00
TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN
URGP=0
Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0
PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.4 LEN=40 TOS=0x00
PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535
RES=0x00 SYN URGP=0
Dec 13 06:41:49 workbox kernel: IN=eth0 OUT=
MAC=00:60:97:a5:76:36:00:10:7b:90:bc:30:08:00 SRC=131.252.116.141
DST=10.1.200.10 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP
SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0
PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.7 LEN=40 TOS=0x00
PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535
RES=0x00 SYN URGP=0
Dec 13 06:41:49 gateway kernel: X12 drops:IN=br0 OUT=br0 PHYSIN=eth1
PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.14 LEN=40 TOS=0x00 PREC=0x00
TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN
URGP=0
Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0
PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.2 LEN=40 TOS=0x00
PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535
RES=0x00 SYN URGP=0
Dec 13 06:41:49 gateway kernel: Htpedi drops:IN=br0 OUT=br0 PHYSIN=eth1
PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.17 LEN=40 TOS=0x00 PREC=0x00
TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN
URGP=0
Dec 13 06:41:49 gateway kernel: Edirecall drops:IN=br0 OUT=br0 PHYSIN=eth1
PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.12 LEN=40 TOS=0x00 PREC=0x00
TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN
URGP=0

James Lay
Network Manager/Security Officer
AmeriBen Solutions/IEC Group
Deo Gloria!!!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault