Security Incidents mailing list archives

Re: port scans from local workstation


From: Fernando Cardoso <fernando () BN PT>
Date: Thu, 14 Sep 2000 14:27:23 +0100

Hello all,
      recently I have noticed scanlogd entries in my logs regarding port
scans from one of my local NT workstations. The scans seem very very random
in the sense that they happen during random times of the day and scan random
ports. Any ideas??? I have checked the NT machine for Trojans and viruses and
have come up clean. There is nothing running that should be doing this and it
just started about a month ago. I have also seen scans from other local
addresses just like this. What do the flags mean?

Sep 12 10:03:25 ns1 scanlogd: From 206.230.66.33 to 206.230.66.1 ports 6128, 11141, 58831, 27971, 52226, 5659, 14038, 43201, 1448, ..., flags ??rp?u, TOS
[...]

Hi

I'm not familiar with the scanlogd format but the flags surely mean TCP flags.
In this case RST, PSH and URG are set. This seems to be some sort of Xmas
scan like the one nmap implements, although, in that case, FIN, URG and PSH
should be the flags in use.

Did you check running processes with a tool like inzider (the lsof of the NT
world...)? Grab it at http://ntsecurity.nu/toolbox/inzider/

Fernando

_________________________________________________________
Fernando Cardoso                        Phone:  +351 21 7982186
Network Administrator           Fax:            +351 21 7982185
National Library                        E-mail: fernando () bn pt
Portugal                                PGP ID: 28551CB8
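
Added example, not part of either message in the thread: a small Python parser for the scanlogd entry quoted above. It assumes the flag encoding documented in the scanlogd man page (uppercase letter = bit set in every packet, lowercase = clear in every packet, `?` = varied between packets); the function names are illustrative.

```python
import re

# Assumption (scanlogd man page, not this thread): one character per TCP
# control bit in this order; newer releases append two reserved bits (x, y).
LETTERS = "fsrpauxy"
NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "RES1", "RES2"]

LINE_RE = re.compile(
    r"scanlogd: (?:From )?(?P<src>\S+) to (?P<dst>\S+) ports "
    r"(?P<ports>.*?), flags (?P<flags>[A-Za-z?]+)"
)

def decode_flags(field):
    """Sort each bit into always set (uppercase), always clear (lowercase)
    or varied from packet to packet ('?')."""
    if len(field) > len(LETTERS):
        raise ValueError("flags field too long: %r" % field)
    out = {"always_set": [], "always_clear": [], "varied": []}
    for letter, name, ch in zip(LETTERS, NAMES, field):
        if ch == "?":
            out["varied"].append(name)
        elif ch.lower() != letter:
            raise ValueError("unexpected flag character %r" % ch)
        else:
            out["always_set" if ch.isupper() else "always_clear"].append(name)
    return out

def parse_line(line):
    """Return source, destination, listed ports and decoded flags, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ports = [int(p) for p in re.findall(r"\d+", m.group("ports"))]
    return {"src": m.group("src"), "dst": m.group("dst"),
            "ports": ports, "flags": decode_flags(m.group("flags"))}

def is_xmas(flags):
    """FIN, PSH and URG present in every packet (the nmap Xmas pattern
    named in the reply)."""
    return {"FIN", "PSH", "URG"} <= set(flags["always_set"])

# The entry quoted in the thread, joined onto one line.
THREAD_LINE = ("Sep 12 10:03:25 ns1 scanlogd: From 206.230.66.33 to "
               "206.230.66.1 ports 6128, 11141, 58831, 27971, 52226, 5659, "
               "14038, 43201, 1448, ..., flags ??rp?u, TOS")

if __name__ == "__main__":
    entry = parse_line(THREAD_LINE)
    print(entry["flags"], "xmas:", is_xmas(entry["flags"]))
```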

