lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <41C902FBC7F1EA47933D76631B1704EE2F771E@rcertsexch.rcert-s.army.mil>
From: joel.esler at rcert-s.army.mil (Esler, Joel - Contractor)
Subject: TCP Port 42 port scans?  What the heck over...

This port is used in WINS replication.  For more information see Microsoft KB#179442.

-----Original Message-----
From: full-disclosure-bounces@...ts.netsys.com [mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf Of Maxime Ducharme
Sent: Tuesday, December 14, 2004 10:21 AM
To: Full-Disclosure (E-mail)
Subject: Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...



Hi James,
    I see the same thing here, this IP scanned 3 of our networks (see attached log file).

TCP ID is always 57370
Source port : 6000
Dest port : 42

Nothing is running on tcp port 42 here.

I'd be interested in knowing what it is too, I'll open
a netcat listener at my home and let you know if I catch anything.

I also sent a notice to 131.252.0.0/16 tech handle in
ARIN's database, and they replied me 4h later.

Seems many other networks were hit byt this IP : http://www.mynetwatchman.com/LID.asp?IID=140488860

Have a nice day

Maxime Ducharme
Programmeur / Sp?cialiste en s?curit? r?seau

----- Original Message ----- 
From: "James Lay" <jlay@...riben.com>
To: "Full-Disclosure (E-mail)" <full-disclosure@...ts.netsys.com>
Sent: Monday, December 13, 2004 8:46 AM
Subject: [Full-Disclosure] TCP Port 42 port scans? What the heck over...


> Here they be.  ODD.  Anyone else seeing this?
>
> Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 
> PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.1 LEN=40 
> TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 
> WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Web1 
> drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 
> DST=10.1.18.1 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP 
> SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0
> PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.4 LEN=40 TOS=0x00
> PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535
> RES=0x00 SYN URGP=0
> Dec 13 06:41:49 workbox kernel: IN=eth0 OUT=
> MAC=00:60:97:a5:76:36:00:10:7b:90:bc:30:08:00 SRC=131.252.116.141
> DST=10.1.200.10 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP
> SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0
> PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.7 LEN=40 TOS=0x00
> PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535
> RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: X12 drops:IN=br0 OUT=br0 PHYSIN=eth1
> PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.14 LEN=40 TOS=0x00 PREC=0x00
> TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN
> URGP=0
> Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0
> PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.2 LEN=40 TOS=0x00
> PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535
> RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: Htpedi drops:IN=br0 OUT=br0 PHYSIN=eth1
> PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.17 LEN=40 TOS=0x00 PREC=0x00
> TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN
> URGP=0
> Dec 13 06:41:49 gateway kernel: Edirecall drops:IN=br0 OUT=br0 PHYSIN=eth1
> PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.12 LEN=40 TOS=0x00 PREC=0x00
> TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN
> URGP=0
>
>
>
> James Lay
> Network Manager/Security Officer
> AmeriBen Solutions/IEC Group
> Deo Gloria!!!
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ