[Snort-users] port 1?

Max Vision vision at ...4...
Tue Jan 2 13:03:00 EST 2001


It's a common way to scan for IRIX machines.  AFAIK Irix is the only OS
with tcpmux listening by default.

It may be something else, new trojan or something, but I have seen (and
used) this technique before.  However, the source port should be
irrelevant so maybe you should look into it - did the source IP come back
and try anything else?

Max

On Tue, 2 Jan 2001, robin stubbs wrote:
> I note the appearance of tcp scans from port 1 to port 1 across all machines
> in our subnet on Jan 1. Is this just a happy new year message or is it a new
> vulnerability? :-)
>
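An added example, not part of the original posts: one way to triage the pattern discussed in this thread. It finds sources that sent TCP port 1 to port 1 probes to several hosts and then lists anything else those sources tried afterwards. The log lines are constructed, and the `triage` function and its `min_hosts` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation address ranges), not real traffic.
# Only the "{TCP} src:port -> dst:port" part of each line is parsed.
SAMPLE = """\
01/01-03:12:01 {TCP} 198.51.100.7:1 -> 192.0.2.10:1
01/01-03:12:01 {TCP} 198.51.100.7:1 -> 192.0.2.11:1
01/01-03:12:02 {TCP} 198.51.100.7:1 -> 192.0.2.12:1
01/01-03:12:02 {TCP} 198.51.100.7:1 -> 192.0.2.13:1
01/01-03:15:40 {TCP} 203.0.113.9:40000 -> 192.0.2.10:80
01/01-03:20:11 {TCP} 203.0.113.50:1 -> 192.0.2.10:1
01/01-04:02:33 {TCP} 198.51.100.7:1025 -> 192.0.2.12:23
"""

FLOW = re.compile(r"\{TCP\}\s+(\d+(?:\.\d+){3}):(\d+)\s+->\s+(\d+(?:\.\d+){3}):(\d+)")

def triage(log_text, min_hosts=3):
    """Return {src: {"hosts_probed": [...], "followups": [...]}} for port 1 sweeps."""
    flows = []
    for line in log_text.splitlines():
        m = FLOW.search(line)
        if m:
            src, sport, dst, dport = m.groups()
            flows.append((src, int(sport), dst, int(dport)))

    probed = defaultdict(set)   # src -> hosts hit with port 1 -> port 1
    first_idx = {}              # src -> position of its first such probe
    for i, (src, sport, dst, dport) in enumerate(flows):
        if sport == 1 and dport == 1:
            probed[src].add(dst)
            first_idx.setdefault(src, i)

    report = {}
    for src, hosts in probed.items():
        if len(hosts) < min_hosts:   # a single stray packet is not a sweep
            continue
        # Later activity from the same source that is not another 1 -> 1 probe.
        followups = sorted({(dst, dport)
                            for i, (s, sport, dst, dport) in enumerate(flows)
                            if s == src and i > first_idx[src]
                            and not (sport == 1 and dport == 1)})
        report[src] = {"hosts_probed": sorted(hosts), "followups": followups}
    return report

if __name__ == "__main__":
    for src, info in triage(SAMPLE).items():
        print(src, len(info["hosts_probed"]), "hosts probed; follow-ups:", info["followups"])
```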




