[Snort-users] nmap to port 36688

Mike Cojocea msc39 at ...10075...
Mon Sep 15 12:16:05 EDT 2003


Hello,

Now and then I see nmap scans to port 36688 to a web server running
*NIX.
Only a web server was "targeted". Was puzzles me is that the source
ports are 80, 81 or 83.

Does somebody have an explanation for this scan?

Thanks,
Mike 


09/14-06:36:45.129936  [**] [1:628:2] SCAN nmap TCP [**]
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
61.232.48.66:80 -> my.net:36688

09/14-06:36:45.414710  [**] [1:628:2] SCAN nmap TCP [**]
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
202.102.145.229:81 -> my.net:36688

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
 [**] [1:628:2] SCAN nmap TCP [**]
[Classification: Attempted Information Leak] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS28]
Event ID: 1672     Event Reference: 1672
09/14/03-10:36:45.414710 202.102.145.229:81 -> my.net:36688
TCP TTL:41 TOS:0x0 ID:7715 IpLen:20 DgmLen:40
***A**** Seq: 0x2C6  Ack: 0x0  Win: 0x578  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 [**] [1:628:2] SCAN nmap TCP [**]
[Classification: Attempted Information Leak] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS28]
Event ID: 1672     Event Reference: 1672
09/14/03-10:36:45.414710 202.102.145.229:81 -> my.net:36688
TCP TTL:41 TOS:0x0 ID:7715 IpLen:20 DgmLen:40
***A**** Seq: 0x2C6  Ack: 0x0  Win: 0x578  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+




More information about the Snort-users mailing list