Security Incidents mailing list archives

Re: Port 6635


From: "Matthew Leeds" <mleeds () theleeds net>
Date: Fri, 21 Sep 2001 09:45:32 -0700

Most likely the Lion worm. Take a look at:

http://www.sans.org/y2k/041001.htm
and
http://www.sans.org/y2k/040301-1430.htm

for similar activity.

---Matthew

*********** REPLY SEPARATOR  ***********

On 9/21/2001 at 8:27 AM Craig, Scott wrote:

We received a very fast scan (probe) for port 6635 last night. I did a
search through the messages on the incidents.org mailing list and didn't
see any conclusive findings as to the tools being used or the purpose.
Does anyone have any further information on this yet?

The probe occurred on 9/20/01 at 22:16 Eastern time. All within the same
minute, lasting only 2 seconds.

Source IP       Source Port   Destination IP's      Dest. Port   Protocol
-------------   -----------   -------------------   ----------   --------
216.89.160.33   6635          MYIP.xxx.xxx.1-254    6635         TCP


Sorry, but I don't have a copy of the raw packet for display to determine
any of the flags being used.

--

DNS lookup done this morning came back to:
flare-raq1.flarenetworks.com


SAVVIS Communications (NETBLK-SAVVIS7) SAVVIS7    216.88.0.0 - 216.91.255.255
Flare Interactive (NETBLK-SAVV-FLAREINTER2) SAVV-FLAREINTER2    216.89.160.0 - 216.89.161.255


Server used for this query: [ whois.arin.net ]

  Flare Interactive (NETBLK-SAVV-FLAREINTER2)
  233 Linden Street
  Fort Collins, CO 80524
  US

  Netname: SAVV-FLAREINTER2
  Netblock: 216.89.160.0 - 216.89.161.255
  Maintainer: FLAR

  Coordinator:
     MacDonald, Kyle  (KM372-ARIN)  kylemac () flarenetworks com
     970-470-3300

  Record last updated on 10-Apr-2000.
  Database last updated on 20-Sep-2001 23:16:45 EDT.

==========

Server used for this query: [ whois.arin.net ]

  SAVVIS Communications (NETBLK-SAVVIS7)
  717 Office Parkway
  Creve Coeur, MO 63141
  US

  Netname: SAVVIS7
  Netblock: 216.88.0.0 - 216.91.255.255
  Maintainer: SAVV

  Coordinator:
     SAVVIS A Bridge Company  (ZS36-ARIN)  ipadmin () savvis net
     314-468-7000

  Domain System inverse mapping provided by:

  NS1.SAVVIS.NET              209.16.211.42
  NS2.SAVVIS.NET              204.194.10.206

  ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

  Record last updated on 10-Mar-2000.
  Database last updated on 20-Sep-2001 23:16:45 EDT.


Scott




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
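The probe Scott describes has the shape defenders usually key on for a horizontal sweep: one source, one destination port, a whole /24 of destination hosts, and the entire run finished within about two seconds. The following is an added example (not code from either poster, and not tied to any particular worm) of a detector that finds that pattern in firewall-style logs. It assumes a simplified, constructed log format of "timestamp src sport dst dport proto", constructed sample traffic using RFC 5737 documentation addresses rather than the real source in the report, and thresholds (10-second window, 50 distinct hosts) chosen for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_line(line: str) -> Event:
    # Assumed, simplified log format (constructed for this example):
    # "<ISO-8601 timestamp> <src ip> <src port> <dst ip> <dst port> <proto>"
    ts, src, sport, dst, dport, proto = line.split()
    return Event(datetime.fromisoformat(ts), src, int(sport), dst, int(dport), proto.upper())


def detect_sweeps(events, window=timedelta(seconds=10), min_hosts=50):
    """Flag (src, dport, proto) tuples that touched >= min_hosts distinct
    destination hosts inside any sliding window of the given length.

    Returns one finding per offending tuple describing the densest window seen.
    Thresholds are illustrative assumptions, not values from the report."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev.src, ev.dport, ev.proto)].append(ev)

    findings = []
    for (src, dport, proto), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        in_window = Counter()  # distinct destination hosts currently inside the window
        best = None
        left = 0
        for right, ev in enumerate(evs):
            in_window[ev.dst] += 1
            # Slide the left edge forward until the window fits.
            while ev.ts - evs[left].ts > window:
                old = evs[left].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            distinct = len(in_window)
            if best is None or distinct > best["hosts"]:
                best = {
                    "src": src, "dport": dport, "proto": proto,
                    "hosts": distinct,
                    "first": evs[left].ts, "last": ev.ts,
                }
        if best and best["hosts"] >= min_hosts:
            # A fixed source port equal to the destination port (6635 -> 6635 in the
            # report) is a useful fingerprint of a scanner rather than normal clients,
            # whose ephemeral source ports vary.
            best["same_port"] = all(e.sport == e.dport for e in evs)
            findings.append(best)
    return findings


def build_sample_log() -> str:
    # Constructed data: a 2-second sweep of 10.0.0.1-254 on TCP/6635 from a single
    # host with source port fixed at 6635, plus ordinary client traffic to one web server.
    base = datetime(2001, 9, 20, 22, 16, 0)
    lines = []
    for i in range(1, 255):
        ts = base + timedelta(seconds=2 * (i - 1) / 253)
        lines.append(f"{ts.isoformat()} 203.0.113.7 6635 10.0.0.{i} 6635 TCP")
    for i in range(20):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 {40000 + i} 198.51.100.10 80 TCP")
    return "\n".join(lines)


def describe(finding) -> str:
    span = (finding["last"] - finding["first"]).total_seconds()
    return (f"{finding['src']} swept {finding['hosts']} hosts on "
            f"{finding['proto']}/{finding['dport']} in {span:.1f}s"
            f"{' (src port == dst port)' if finding['same_port'] else ''}")


if __name__ == "__main__":
    events = (parse_line(l) for l in build_sample_log().splitlines())
    for f in detect_sweeps(events):
        print(describe(f))
```

The two-pointer window keeps the scan linear in the number of log lines per source, so it is cheap enough to run over a day of firewall logs; the same-port flag and the elapsed time in the finding are exactly the two details that let an analyst separate a single automated sweep like the one reported here from a burst of unrelated connections.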
