[NCLUG] poking port 109

M Butcher mbutcher at aleph-null.tv
Mon Dec 3 11:59:29 MST 2001


Yeah, slow scans are SOP for hackers (man nmap), but the fact that it is 
looking on port 109 indicates that it's scanning for a pretty specific 
vulnerability. 109 (in my /etc/services) is mapped to POP2. Maybe they are 
looking for servers running POP2 mail services.

On Sunday 02 December 2001 12:02, you wrote:
> > hey folks,
> >
> >  starting yesterday morning, i've received a packet about every twenty
> > minutes checking out port 109 on incrementing ip's. ie, the first packet hit
> > .1 and about twenty minutes later one came in for .2 and then twenty minutes
> > later, .3 and so on. they're all coming from the same ip address.
> >
> >  it's up around .83 right now.
> >
> >  i block these at my border router, so i really don't care, but this one has
> > intrigued me. i've never really watched one this slow and deliberate before.
> > usually, a couple packets for a couple different ip's come in all at the
> > same time and then i never hear from that scanner again. have i just not
> > been paying attention enough before, and this is common?
> >
> >  what would y'all do if you saw this on your own network?
> >
> >  there's so much scanning going on these days that i don't even complain to
> > upstreams anymore. do y'all? usually, i just deny the packets at the router
> > and not even log them.
>
> When I was doing a paper for a networking class, I found an interesting
> site in Israel that was run by a geek in Moscow.  Although it was
> ostensibly about network security, it read more like a cracking cookbook. 
> He had a reference that said those who are being 'really serious' might 
> send only one packet every two weeks to avoid detection thresholds.  Sounds
> like someone's trying harder than the usual cracker.
>
> Frank Whiteley
>
> _______________________________________________
> NCLUG mailing list
> NCLUG at nclug.org
> http://www.nclug.org/mailman/listinfo/nclug
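
Added example, not part of the original thread: a sketch of why a sweep paced like the one described above slips under a packets-per-minute threshold, and how counting distinct destinations per (source, port) over a long window catches it. The log format, addresses (documentation ranges), window lengths and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

def parse(line):
    # Constructed log format: "<ISO timestamp> <src ip> <dst ip> <dst port>"
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, ip_address(dst), int(port)

def rate_alerts(events, window=timedelta(minutes=1), threshold=5):
    # Classic threshold: one source sends >= threshold packets inside a short window.
    recent, flagged = defaultdict(list), set()
    for ts, src, _dst, _port in events:
        recent[src] = [t for t in recent[src] if ts - t < window] + [ts]
        if len(recent[src]) >= threshold:
            flagged.add(src)
    return flagged

def slow_sweep_alerts(events, window=timedelta(days=2), min_hosts=10):
    # Rate-independent: count distinct destinations per (source, port) over a long
    # window, so one probe every twenty minutes still accumulates.
    seen, flagged = defaultdict(dict), {}
    for ts, src, dst, port in events:
        hosts = seen[(src, port)]
        hosts[dst] = ts                      # last time this destination was probed
        for old in [h for h, t in hosts.items() if ts - t >= window]:
            del hosts[old]                   # forget destinations outside the window
        if len(hosts) >= min_hosts:
            flagged[(src, port)] = len(hosts)
    return flagged

def sample_events():
    # Constructed data: 83 probes of port 109, twenty minutes apart, one per
    # address, plus a noisy scanner hitting six ports on one host in six seconds.
    start = datetime(2001, 12, 1, 8, 0)
    lines = [f"{(start + timedelta(minutes=20 * i)).isoformat()} 192.0.2.77 198.51.100.{i + 1} 109"
             for i in range(83)]
    lines += [f"{(start + timedelta(seconds=i)).isoformat()} 203.0.113.5 198.51.100.9 {20 + i}"
              for i in range(6)]
    return sorted(parse(line) for line in lines)

if __name__ == "__main__":
    events = sample_events()
    print("rate threshold flags:", rate_alerts(events))
    print("slow sweep flags:   ", slow_sweep_alerts(events))
```

The long-window counter only works if the border device logs the denied packets; state grows with the number of (source, port) pairs seen inside the window.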


