Security Incidents mailing list archives

Re: port scans from local workstation


From: Bill Royds <Bill_Royds () PCH GC CA>
Date: Thu, 14 Sep 2000 15:40:27 -0400

That would be the source trying to start an ftp-data session.
FTP data sessions are initiated by the server using source port 20 (or others)
with the client listening on a high number port.

Your IDS is not smart enough to know the FTP protocol and is catching these
conversations.
To avoid this, upgrade the IDS or ask the clients to use Passive FTP (turn the
data around so client initiates and server listens).




"Infrastructure Dept." <infrastructure () narellan net> on 09/14/2000 09:17:40 AM

Please respond to infrastructure () narellan net

 To:      INCIDENTS () SECURITYFOCUS COM
 cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)
 Subject: port scans from local workstation

Follow up to my original post.
I see these scans happening right after accountable FTP sessions. The scan
appears to start about one minute after the FTP session is opened. This is
happening from all my workstations and off site workstations using a mixture
of FTP clients. What could be triggering this?

Aug 11 10:24:50 ns1 ftpd[644]: FTP LOGIN FROM 209.23.33.114 [209.23.33.114]
<SNIP>
Aug 11 10:25:40 ns1 scanlogd: From 209.23.33.114 to 206.230.66.1 ports 3387,
23115, 19948, 42708, 10511, 56523, 33709, 50899, 24634, ..., flags ??r??u,
TTL 117, started at 10:25:36

Mr. I.
Network Engineer / Ops Manager
Narellan (NorthEast) Inc.
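
Added example (not part of the original posts): a triage helper for the correlation described in this thread, marking a scanlogd alert as a probable FTP data-channel artifact when it follows an ftpd login from the same source and lists only unprivileged ports. The log lines are constructed in the format quoted above; the 5-minute window, the port threshold and the verdict labels are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, one syslog record per line, in the format quoted in the thread.
SAMPLE_LOG = """\
Aug 11 10:24:50 ns1 ftpd[644]: FTP LOGIN FROM 209.23.33.114 [209.23.33.114]
Aug 11 10:25:40 ns1 scanlogd: From 209.23.33.114 to 206.230.66.1 ports 3387, 23115, 19948, ..., flags ??r??u, TTL 117, started at 10:25:36
Aug 11 11:02:13 ns1 scanlogd: From 192.0.2.77 to 206.230.66.1 ports 21, 22, 23, 25, ..., flags ??r??u, TTL 52, started at 11:02:10
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
FTP_RE = re.compile(TS + r"ftpd\[\d+\]: FTP LOGIN FROM \S+ \[(?P<ip>[\d.]+)\]")
SCAN_RE = re.compile(TS + r"scanlogd: From (?P<ip>[\d.]+) to [\d.]+ ports (?P<ports>.*?), flags")

def _when(ts, year=2000):
    # Syslog timestamps carry no year; 2000 matches the date of the thread.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def triage(log_text, window=timedelta(minutes=5)):
    """Return (source_ip, verdict, ports) for every scanlogd alert in log_text."""
    last_login = {}  # source IP -> time of its most recent FTP login
    results = []
    for line in log_text.splitlines():
        m = FTP_RE.match(line)
        if m:
            last_login[m["ip"]] = _when(m["ts"])
            continue
        m = SCAN_RE.match(line)
        if not m:
            continue
        ports = [int(p) for p in re.findall(r"\d+", m["ports"])]
        login = last_login.get(m["ip"])
        recent = login is not None and timedelta(0) <= _when(m["ts"]) - login <= window
        # Heuristic (assumption): FTP data connections land on unprivileged ports
        # on the listening side, so an alert listing ports below 1024 does not fit
        # the pattern even when an FTP login preceded it.
        high_only = bool(ports) and all(p >= 1024 for p in ports)
        verdict = "likely-ftp-data" if recent and high_only else "investigate"
        results.append((m["ip"], verdict, ports))
    return results

if __name__ == "__main__":
    for ip, verdict, ports in triage(SAMPLE_LOG):
        print(f"{ip:15} {verdict:16} {ports}")
```

A "likely-ftp-data" verdict only lowers the priority of an alert; it does not rule out a scan from a host that also logged in over FTP.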

