Security Incidents mailing list archives

Port 6588 Probes from SA


From: BParis () sorrentolactalis com
Date: Sun, 21 Apr 2002 15:39:48 -0400

On April 10th, my home computer, connected to Adelphia cablemodem, started
getting probed for port 6588. Wondering if it was just my machine being
targeted or if the block my machine resided on was being probed, I forced
an address change (swapped the NIC). The probes still continued.

I realize that 6588 is used by AnalogX proxy software, but these probes, 17
in all so far, originated in Saudi Arabia. Here is the list of offending
IPs:


Here is the nmap output from the latest offender:

Starting nmapNT V. 2.53 SP1 by ryan () eEye com
eEye Digital Security ( http://www.eEye.com )
based on nmap by fyodor () insecure org  ( www.insecure.org/nmap/ )

Host  (212.70.48.99) appears to be up ... good.
Initiating SYN half-open stealth scan against  (212.70.48.99)
Adding TCP port 2002 (state open).
Adding TCP port 2000 (state open).
Adding TCP port 59 (state open).
The SYN scan took 116 seconds to scan 1523 ports.
For OSScan assuming that port 59 is open and port 1 is closed and neither
are firewalled
For OSScan assuming that port 59 is open and port 1 is closed and neither
are firewalled
Interesting ports on  (212.70.48.99):
(The 1517 ports scanned but not shown below are in state: closed)
Port       State       Service
59/tcp     open        priv-file
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
2000/tcp   open        callbook
2002/tcp   open        globe

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=115382 (Good luck!)

Sequence numbers: 7806EB74 780DAAE3 7818BC36 7821C867 782D94F9 783792E6
Remote operating system guess: Windows 2000 Professional, Build 2128

Nmap run completed -- 1 IP address (1 host up) scanned in 150 seconds


I'm scratching my head at this point...  any ideas?


William S. Paris
Telecommunication / Network Analyst
Sorrento Lactalis Inc.
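The question the post raises (is the host being targeted, or is the whole block being swept?) can be answered from the firewall log rather than by swapping the NIC. The following is an added example, not code from the original post: it parses a constructed, generic block-log format (timestamp, action, protocol, src:sport -> dst:dport, an assumed layout), summarises which destination addresses each source probed on TCP/6588, and reports sources that hit both the old and the new address, which is what a block-wide sweep looks like after an address change.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post). Source addresses are
# from the post; destinations 192.0.2.17 (old) and 192.0.2.93 (new) are
# placeholders from the documentation range. The line layout is an assumption.
SAMPLE_LOG = """\
2002-04-10 03:12:44 BLOCK TCP 212.70.48.99:4412 -> 192.0.2.17:6588
2002-04-10 09:40:02 BLOCK TCP 212.162.132.182:1203 -> 192.0.2.17:6588
2002-04-11 22:05:19 BLOCK TCP 213.165.39.212:3389 -> 192.0.2.17:6588
2002-04-12 01:00:00 BLOCK TCP 212.70.48.99:4420 -> 192.0.2.17:80
2002-04-13 14:17:31 BLOCK TCP 212.100.205.73:2201 -> 192.0.2.93:6588
2002-04-14 07:58:10 BLOCK TCP 212.70.48.99:4530 -> 192.0.2.93:6588
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) BLOCK (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def probe_summary(log: str, port: int = 6588):
    """Map each source address to the set of destinations it hit on TCP/<port>."""
    hits = defaultdict(set)
    for rec in parse(log):
        if rec["proto"] == "TCP" and int(rec["dport"]) == port:
            hits[rec["src"]].add(rec["dst"])
    return dict(hits)


def sources_seen_on_both(summary, old_ip: str, new_ip: str):
    """Sources that probed the port on both addresses: an address swap does
    not shake a scanner that is sweeping the whole block."""
    return sorted(src for src, dsts in summary.items() if {old_ip, new_ip} <= dsts)


if __name__ == "__main__":
    s = probe_summary(SAMPLE_LOG)
    for src, dsts in sorted(s.items()):
        print(f"{src:<16} probed {sorted(dsts)}")
    print("seen on both addresses:", sources_seen_on_both(s, "192.0.2.17", "192.0.2.93"))
```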


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

