Security Incidents mailing list archives
Re: Unusual port scan?
From: Ed Budd <ebudd () grokking org>
Date: Mon, 29 Dec 2003 08:02:42 -0500
This output doesn't indicate what tcp flags are set which I think is pretty much critical to understanding what's going on. I'd first determine whether these are syn packets trying to initiate a connection or whether they're acks in response to something inside your perimeter. Check your outgoing logs for http traffic from one of your hosts with dynamic ports 1800,1802. If you have any windows boxes with automatic updating turned on this might be just the return traffic from them (I believe WU service uses http and https ports for this purpose). If it is that service, you don't need any browser windows open; it happens in the background. Use snort/ethereal/tcpdump and capture some packets to be sure... Hope this helps, EB On 28 Dec 2003 22:59:12 -0000 "J Bailes" <jonas2 () knology net> wrote:
My router logs on my personal/home machine just started receiving with these scans: 12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:04:50.236 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:04:42.705 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:04:16.067 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:04:11.991 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:03:58.982 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:03:56.639 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:03:50.440 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:03:48.958 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:03:46.164 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:03:45.112 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:03:44.031 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:03:43.199 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:03:42.428 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:03:42.238 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:03:42.168 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:03:41.757 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 The scans supposedly came from: [Query: 81.52.250.105, Server: whois.ripe.net] % This is the RIPE Whois server. % The objects are in RPSL format. % % Rights restricted by copyright. % See http://www.ripe.net/ripencc/pub-services/db/copyright.html inetnum: 81.52.248.0 - 81.52.250.127 netname: AKAMAI-FT-US descr: Akamai Technologies - US machines connected to FT AS5511 country: US admin-c: NARA1-RIPE tech-c: NARA1-RIPE tech-c: NF1714-RIPE status: ASSIGNED PA mnt-by: FT-BRX changed: gestionip.ft () francetelecom com 20030321 source: RIPE route: 81.52.240.0/20 descr: France Telecom descr: Opentransit origin: AS5511 mnt-by: FT-BRX changed: gestionip.ft () francetelecom com 20030214 source: RIPE role: Network Architecture Role Account address: Akamai Technologies address: 500 Technology Square address: Cambridge, MA 02139 phone: +1-617-250-4768 e-mail: ip-admin () akamai com admin-c: NF1714-RIPE admin-c: JP1944-RIPE tech-c: NF1714-RIPE tech-c: JP1944-RIPE nic-hdl: NARA1-RIPE notify: ip-admin () akamai com changed: ip-admin () akamai com 20021025 source: RIPE person: Noam Freedman address: Akamai Technologies address: 500 Technology Sq address: Cambridge, MA 02139 phone: +1 617 250 4768 e-mail: noam () akamai com nic-hdl: NF1714-RIPE notify: noam () akamai com changed: noam () akamai com 20021025 source: RIPE [End of Data] The scan seems to be looking for: ansys-lm - ANSYS-License manager for port 1800 concomp1 - ConComp1 for port 1802 According to this: http://aaron.boim.com/unix/sshTunnel.html , it may be scan for an open proxy used for SSH? I dunno. I'm not familiar with these services (nor am I running them). I did not have any browser windows open at the time of the scan. So, out of nowhere, why would an Akamai box scan me for these services? Is anybody else getting this kind of traffic? --------------------------------------------------------------------- --------------------------------------------------------------------- -------------
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Unusual port scan? J Bailes (Dec 28)
- Re: Unusual port scan? Eric Whitehill (Dec 29)
- RE: Unusual port scan? Bojan Zdrnja (Dec 29)
- RE: Unusual port scan? Jerry Shenk (Dec 29)
- Re: Unusual port scan? Patrick Kremer (Dec 29)
- Re: Unusual port scan? Ed Budd (Dec 29)
- <Possible follow-ups>
- RE: Unusual port scan? Hamish webhosting.net.nz (Dec 29)
- RE: Unusual port scan? J Bailes (Dec 30)