Security Incidents mailing list archives

Re: Exploit on tcp/4128?


From: H Carvey <keydet89 () yahoo com>
Date: 15 Feb 2005 11:06:11 -0000

In-Reply-To: <FJEGKKBKOEFBAAINEADJKEJKEKAA.baldwinL () mynetwatchman com>

Lawrence,

Just out of curiosity, if this host is "scanning the world" for this port, why are you scanning it?  Usually, when a 
host scans, it issues queries to the destination port (in this case, 4128). 

I think when folks have referred to using netcat in cases such as this in the past, what they've referred to is using 
netcat in listening mode to capture packets, so that when you ask what the scan is looking for, one has actual data to 
look at.  Over on incidents.org, the analysts are always asking for packet data when someone reports an increase in 
activity on any particular port.  Doing this would probably be of greater benefit than firing netcat (I would've used 
nmap, as you would have some data regarding packets sent to the port and responses) at it.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com


Anyone know what this is:

D:\nc>nc -n -v 64.132.205.69 4128
(UNKNOWN) [64.132.205.69] 4128 (?) open

'ÖP?    ?      Version?   1.3?   Error?   ?   ?   Msg?   Invalid Packet
'ÖP?    ?      Version?   1.3?   Error?   ?   ?   Msg?   Invalid Packet
'ÖP?    ?      Version?   1.3?   Error?   ?   ?   Msg?   Invalid Packet
'ÖP?    ?      Version?   1.3?   Error?   ?   ?   Msg?   Invalid Packet

'ÖP?    ?      Version?   1.3?   Error?   ?   ?   Msg?   Invalid Packet
'ÖP?
  ?      Version?   1.3?   Error?   ?   ?   Msg?   Invalid Packet    ^C


The same host above is scanning the *world* for this port:

http://www.mynetwatchman.com/LID.asp?IID=146159119

Regards,

Lawrence Baldwin
myNetWatchman.com
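
The reply's suggestion of listening on the port to capture what the scanner sends, sketched as a small Python listener that accepts connections on tcp/4128, never replies, and prints the first bytes received as a hex dump. This is an added example, not part of the original posts; the function names, the 5-second timeout and the 4096-byte cap are assumptions.

```python
import socket
import sys
import time

def hexdump(data, width=16):
    """Render bytes as offset / hex / printable-ASCII lines."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {text}")
    return "\n".join(lines)

def read_probe(conn, max_bytes=4096, timeout=5.0):
    """Read what the peer sends first without replying.
    Stops on peer close, reset, timeout, or the byte cap."""
    conn.settimeout(timeout)
    buf = b""
    try:
        while len(buf) < max_bytes:
            chunk = conn.recv(max_bytes - len(buf))
            if not chunk:
                break
            buf += chunk
    except (socket.timeout, ConnectionResetError):
        pass
    return buf

def listen(port=4128, bind="0.0.0.0"):
    """Accept connections one at a time and log each probe payload."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(16)
        while True:
            conn, (ip, sport) = srv.accept()
            with conn:
                data = read_probe(conn)
            stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
            print(f"{stamp} {ip}:{sport} -> tcp/{port} {len(data)} bytes")
            print(hexdump(data) if data else "(no payload before close/timeout)")

if __name__ == "__main__":
    listen(int(sys.argv[1]) if len(sys.argv) > 1 else 4128)
```

The timestamped source address and hex dump are the kind of packet data the reply says analysts ask for when activity on a port increases.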



