The interesting thing to me is the change in pattern I've seen. Port
scans for port 1080 at my location are quite common. I've got logs back
90 days; through the end of December I only see one scan for port
119. I've seen three separate incidents since the 1st of January.
On Mon, 3 Jan 2000, Robert Graham wrote:
> Port 119 is used by NNTP (USENET news:).
>
> Since USENET is used for lots of illegal/fringe activities, people hunt for
> servers that they can post anonymously through, or download content from.
> Several websites maintain lists of open NNTP servers found through such
> scanning.
>
> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTS_at_securityfocus.com]On
> Behalf Of Dariusz Zmokly
> Sent: Monday, January 03, 2000 3:33 AM
> To: INCIDENTS_at_securityfocus.com
> Subject: port 119
>
>
> hi !
>
> I wonder what it means when someone wants to connect to my machine on
> port 119. Is there any software that could do it, or is it a scan?
>
> Jan 2 01:27:41 rh-master portsentry[444]: attackalert: SYN/Normal scan from
> host: jammed.com/165.227.120.19 to TCP port: 119
> Jan 3 09:22:52 rh-master portsentry[444]: attackalert: SYN/Normal scan from
> host: twhou-220-35.ev1.net/207.218.220.35 to TCP port: 119
Received on Jan 05 2000
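
The month-over-month comparison described in the top message can be reproduced from portsentry logs with a short script. This is an added example, not part of the original thread: the sample lines are constructed in the `attackalert` format quoted above, with placeholder hosts and addresses, and `start_year` is an assumption the caller supplies because syslog timestamps carry no year.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the portsentry syslog format quoted in the thread.
# Hostnames and addresses are documentation placeholders, not data from the page.
SAMPLE_LOG = """\
Dec 14 22:10:03 rh-master portsentry[444]: attackalert: SYN/Normal scan from host: b.example/192.0.2.77 to TCP port: 119
Dec 30 11:45:51 rh-master portsentry[444]: attackalert: SYN/Normal scan from host: a.example/192.0.2.10 to TCP port: 1080
Jan  2 01:27:41 rh-master portsentry[444]: attackalert: SYN/Normal scan from host: c.example/198.51.100.5 to TCP port: 119
Jan  3 09:22:52 rh-master portsentry[444]: attackalert: SYN/Normal scan from host: d.example/203.0.113.9 to TCP port: 119
Jan  3 09:22:53 rh-master sshd[812]: unrelated line that must be skipped
Jan  4 17:02:30 rh-master portsentry[444]: attackalert: SYN/Normal scan from host: c.example/198.51.100.5 to TCP port: 119
"""

ALERT_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+portsentry\[\d+\]:\s+"
    r"attackalert:\s+(?P<kind>\S+)\s+scan\s+from\s+host:\s+(?P<host>\S+)/"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+to\s+(?P<proto>TCP|UDP)\s+port:\s+(?P<port>\d+)\s*$"
)

def parse_alerts(text, start_year):
    """Parse alerts in log order. Syslog omits the year, so start_year is a caller-supplied
    assumption; a month going backwards (Dec -> Jan) counts as a year rollover."""
    alerts, year, last_month = [], start_year, None
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not a portsentry attackalert line
        stamp = " ".join(m["stamp"].split())  # collapse padding in "Jan  2"
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if last_month is not None and when.month < last_month:
            year += 1
            when = when.replace(year=year)
        last_month = when.month
        alerts.append({"when": when, "ip": m["ip"], "proto": m["proto"], "port": int(m["port"])})
    return alerts

def scans_per_month(alerts, port):
    """Count alerts for one port, keyed by (year, month)."""
    return Counter((a["when"].year, a["when"].month) for a in alerts if a["port"] == port)

def distinct_sources(alerts, port, since):
    """Source addresses that probed `port` at or after `since`."""
    return {a["ip"] for a in alerts if a["port"] == port and a["when"] >= since}

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG, start_year=1999)
    print(sorted(scans_per_month(alerts, 119).items()), distinct_sources(alerts, 119, datetime(2000, 1, 1)))
```

Counting distinct sources alongside the monthly totals separates one host retrying from several unrelated hosts probing the same port.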