RE: Outbound Port scans, ports 3800+

["some guy" <someguy_555 () hotmail com>]

Hey,
I have had a situation like this before. For me it was the case that my 
firewall wasn't tracking connections properly (stateful tracking?) , and 
hence it was resending data on various ports trying to get through, but it 
was being blocked. In my case it was DNS requests that were not getting 
through. I guess you should check on the computers that are getting scanned 
whether any internet service is not working and also have a look at the 
actual data contained in the rejected packets.
Hope that helps.
-Scott


> From: Meidinger Chris <chris.meidinger () badenit de>
> To: 'Dean Saxe' 
> <Dean.Saxe () magnetbanking com>,security-basics () securityfocus com
> Subject: RE: Outbound Port scans, ports 3800+
> Date: Wed, 20 Aug 2003 10:17:39 +0100
>
> Can you find the process that is doing the scanning, i.e. owns the local
> ports?
>
> badenIT GmbH
> System Support
>
> Chris Meidinger
> Tullastrasse 70
> 79108 Freiburg
>
>
> -----Original Message-----
> From: Dean Saxe [mailto:Dean.Saxe () magnetbanking com]
> Sent: Tuesday, August 19, 2003 9:08 PM
> To: security-basics () securityfocus com
> Subject: Outbound Port scans, ports 3800+
>
>
> I have a server which has recently started scanning two IP addresses on
> ports 3800 and higher.  I can find no information online regarding any 
> worms
> or any malware which may be causing these port scans to occur.  Is anyone
> aware of what may be causing this behavior?
>
> Thanks in advance for your help.
>
> -dhs
>
>
> Dean H. Saxe
> Senior Software Engineer
> Web Application Security Team Lead
> Magnet Communications
> Dean.Saxe () magnetbanking com
> 404.592.8515
>
> CONFIDENTIALITY NOTICE:
> This message and any attachment is solely for the use of the individual or
> entity to which this message is addressed and contains information that is
> confidential. If the reader of this message is not the intended recipient,
> you are hereby notified that any review, retransmission, disclosure,
> copying, distribution or the taking of any action in reliance on the
> contents of this communication by persons or entities other than the
> intended recipient is strictly prohibited. If you have received this email
> in error, please contact the sender and delete the material from any
> computer.
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------

_________________________________________________________________
ninemsn Extra Storage is now available. Get larger attachments - 
send/receive up to 3MB attachments (up to three times more per e-mail). 
Click here  http://join.msn.com/


---------------------------------------------------------------------------
----------------------------------------------------------------------------