Security scan 28745 - 28747

The Cox security group scanned us this morning for just 3 TCP ports: 28745, 28746, and 28747.
I've searched for various virus & trojan data on those ports but can't find anything. Is there something unique to the Cox network going around? Can anyone shed some light on what we're looking for?

They are looking to see if your system is patched. They are concerned with a Microsoft bug. The fix was posted on the 10th of Feb. Their tech sent me this link:
»www.microsoft.com/technet/securi···007.mspx

Thanks! But I don't see any relationship of the Microsoft advisory to those ports.
incidents.org doesn't show much activity happening on those ports. Nothing seems to use them on a normal basis.
I don't know how Cox's security could determine the application of any patch if there is never a process that would answer the TCP connection attempt. I was thinking (guessing) they may be trying to determine who was using routers & firewall defenses by looking for 'closed port' replies vs. unanswered (aka "stealth") to their probes.
It would be cool if we could get some benefit (3000/384 vs. 3000/256) as long as we continue to pass an occasional security audit. Oh ... maybe that was just a dream.

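The distinction the previous post is guessing at (a 'closed port' RST reply versus a probe that goes unanswered) is exactly what a connect scan can and cannot tell a scanner. Below is a small classifier, added here as an example and not Cox's scanner or code posted by anyone in the thread, that labels each probed port as open, closed, filtered ("stealth") or unreachable, and then draws only the conclusions that evidence supports: it can see a listener on a suspect port, and it can see whether the host is shielded, but it cannot see a patch level. The port list comes from the thread; the local-listener helper, the `interpret()` wording and the use of 127.0.0.1 in the self-check are my assumptions.

```python
"""Connect-scan classifier for TCP ports.

Added example for this thread (not Cox's scanner, not anyone's posted code).
Assumes IPv4 and a normal socket stack; the self-check at the bottom uses a
throwaway listener on 127.0.0.1 so it runs offline.
"""
import errno
import socket

# Ports the thread says were probed: the Cox scan (28745-28747) and the
# "phatbot" proxy ports named later in the thread (63808, 63809, 65506).
THREAD_PORTS = (28745, 28746, 28747, 63808, 63809, 65506)


def classify_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port from the scanner's point of view.

    A full connect() is used, so no raw-socket privilege is needed.
      'open'         handshake completed: something is listening
      'closed'       host answered with RST (connection refused): the host
                     is up and nothing dropped the probe, but no listener
      'filtered'     no reply before the timeout: a router/firewall dropped
                     the SYN, or the host is down ("stealth" in the thread)
      'unreachable'  the local stack had no route or got ICMP unreachable
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError as e:
            if e.errno == errno.ETIMEDOUT:
                return "filtered"
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            raise
        return "open"


def scan(host: str, ports=THREAD_PORTS, timeout: float = 2.0) -> dict:
    """Classify every port in `ports`; returns {port: state}."""
    return {p: classify_port(host, p, timeout) for p in ports}


def interpret(results: dict) -> str:
    """State the only conclusions a connect scan supports.

    The scan cannot show whether a host is patched; it can show whether a
    proxy/backdoor is listening ('open') and whether the host is exposed
    ('closed' replies) or shielded ('filtered').
    """
    states = set(results.values())
    if "open" in states:
        open_ports = sorted(p for p, st in results.items() if st == "open")
        return f"listener on suspect port(s) {open_ports}: investigate"
    if "closed" in states:
        return "host reachable, no listener on probed ports (not shielded)"
    if states and states <= {"filtered", "unreachable"}:
        return "no reply: firewalled/stealth or down"
    return "no data"


def start_local_listener():
    """Open a throwaway listener on an ephemeral loopback port (assumed
    helper for the offline self-check). Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_local_port() -> int:
    """Ask the kernel for a free loopback port and release it again, so a
    probe against it should be refused (assumed helper for the self-check)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    try:
        print(port, classify_port("127.0.0.1", port))   # open
    finally:
        srv.close()
    print(port, classify_port("127.0.0.1", port))       # closed
    print(interpret({28745: "closed", 28746: "closed", 28747: "closed"}))
```

Run it against your own WAN address from outside your network and the three outcomes map onto the thread's question: 'closed' on 28745-28747 means your host is reachable and answering but has no proxy; 'filtered' is the "stealth" case the router/firewall users would show; 'open' is the only result that says anything about a trojan.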
THZNDUP, reply to inTulsa: Usually I just ignore them unless I pick something up from the Security Forum, etc, etc. I haven't seen any warnings yet for those ports either. DShield shows an increase in records for those ports but it's probably due to Cox Security.
Mine today were ports 26050, 28014, 28161, 28388. Let's try LOCAL ports 82, 28745, 28746, and 28747 from the same IP as yours came from. NOTE TO SELF: PUT NMAP, SUPERSCAN, ETC. AWAY FOR A WHILE.
-- one should not increase, beyond what is necessary, the number of entities required to explain anything

They've either lost their minds, bugged up their own scanner code, or they're up to something interesting. I hope they're smarter than me because none of that makes sense.

THZNDUP, reply to inTulsa:
quote: They've either lost their minds, bugged up their own scanner code, or they're up to something interesting. I hope they're smarter than me because none of that makes sense.
Or all three. At least they seem to be breaking the scans up and not just hammering 1 address at a time.
How about on the 8th? I got 63808, 63809 and 65506.
Fortunately I haven't bugged up my scanners, just my posts about them. I was breaking out port lists for SuperScan and realized I was quoting source ports, not local.
-- one should not increase, beyond what is necessary, the number of entities required to explain anything

reply to inTulsa
said by inTulsa: I've searched for various virus & trojan data on those ports but can't find anything. Is there something unique to the Cox network going around? Can anyone shed some light on what we're looking for?
63808, 63809 and 65506 are open proxy ports for a trojan called "phatbot." 28745-28747 were reported to be open proxy ports used by a trojan associated with a particular spammer.
-- The Cox Abuse Team

My thanks to you & your group for looking out for us.
PS: find & kill the spammer.