Security Incidents mailing list archives

Re: Unusual port scan?


From: Ed Budd <ebudd () grokking org>
Date: Mon, 29 Dec 2003 08:02:42 -0500

This output doesn't indicate what tcp flags are set which I think is
pretty much critical to understanding what's going on. I'd first
determine whether these are syn packets trying to initiate a connection
or whether they're acks in response to something inside your perimeter.

Check your outgoing logs for http traffic from one of your hosts with 
dynamic ports 1800,1802. If you have any windows boxes with automatic
updating turned on this might be just the return traffic from them (I
believe WU service uses http and https ports for this purpose). If it is
that service, you don't need any browser windows open; it happens in the
background. Use snort/ethereal/tcpdump and capture some packets to be
sure...

Hope this helps,

EB
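The three checks in the reply above (look at the TCP flags, correlate with the outgoing log, and only then judge by port shape) can be run over the router lines J Bailes pasted. The script below is an added example for this archive, not code from either poster: it parses that exact log format, and the optional trailing flags token plus the `outbound` session tuples are assumptions of the example, because the router output in the thread records neither.

```python
import re
from datetime import datetime

# Router log format as pasted in the thread; an optional trailing flags token
# (e.g. "S", "SA", "A") is an assumption of this example, since the original
# router output carries no flags at all.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"(?P<src>[\w.]+) : (?P<sport>\d+) >>> (?P<dst>[\w.]+) : (?P<dport>\d+)"
    r"(?: (?P<flags>[A-Z]+))?$"
)

EPHEMERAL_MIN = 1024  # floor of the client-side dynamic port range

# Lines copied from the thread (remote 81.52.250.105:80 -> local ephemeral ports).
THREAD_LINES = [
    "12/28/2003 13:03:41.757 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800",
    "12/28/2003 13:03:42.168 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802",
    "12/28/2003 13:03:42.238 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800",
    "12/28/2003 13:04:50.236 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802",
]

def parse_line(line):
    """Return a dict for one log line, or None if the line is not in this format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%m/%d/%Y %H:%M:%S.%f"),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],  # None for the unmodified router output
    }

def classify(entries, outbound=()):
    """Decide whether inbound records from one remote host look like a scan
    or like return traffic, following the reply's order of checks.

    entries:  parsed inbound records that share one remote source address.
    outbound: (local_port, remote_ip, remote_port) tuples from the outgoing
              log (assumed format), used to confirm we opened the session.
    """
    if not entries:
        return "no data"
    remote = entries[0]["src"]
    sports = {e["sport"] for e in entries}   # remote-side ports
    dports = {e["dport"] for e in entries}   # our side ports
    flags = {e["flags"] for e in entries}

    # 1. TCP flags, when logged, settle it: a bare SYN means the remote host
    #    is opening connections; a SYN/ACK only ever answers a SYN we sent.
    if None not in flags:
        if flags == {"S"}:
            return "probe: remote is sending SYNs to us"
        if "SA" in flags:
            return "reply: SYN/ACK answering a connection we opened"

    # 2. The outgoing log is the next best evidence: our port 1800 talking to
    #    remote:80 shortly before makes the inbound packets plain return traffic.
    for local_port, remote_ip, remote_port in outbound:
        if remote_ip == remote and local_port in dports and remote_port in sports:
            return "reply: matches an outbound session in our own logs"

    # 3. Otherwise use shape alone: a service port as source and a couple of
    #    ephemeral ports on our side is what HTTP responses look like, but it
    #    is also what a decoy scan sent from source port 80 would look like.
    if sports <= {80, 443} and all(p >= EPHEMERAL_MIN for p in dports) and len(dports) <= 4:
        return "likely reply: capture packets to confirm the flags"
    return "unknown: capture packets"

if __name__ == "__main__":
    parsed = [parse_line(l) for l in THREAD_LINES]
    print(classify(parsed))
    print(classify(parsed, outbound=[(1800, "81.52.250.105", 80)]))
```

On the thread's lines alone the verdict stays at "likely reply" because nothing in them rules out a scan that spoofs source port 80; a matching entry in the outgoing log, or a capture showing SYN/ACK rather than bare SYN, is what moves it to a firm answer.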



On 28 Dec 2003 22:59:12 -0000
"J Bailes" <jonas2 () knology net> wrote:



My router logs on my personal/home machine just started receiving
these scans:
 
12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:04:50.236 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:04:42.705 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:04:16.067 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:04:11.991 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:58.982 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:56.639 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:50.440 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:48.958 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:46.164 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:45.112 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:44.031 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:43.199 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:42.428 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:42.238 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:42.168 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:41.757 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800


The scans supposedly came from:

[Query: 81.52.250.105, Server: whois.ripe.net]
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 81.52.248.0 - 81.52.250.127
netname: AKAMAI-FT-US
descr: Akamai Technologies - US machines connected to FT AS5511
country: US
admin-c: NARA1-RIPE
tech-c: NARA1-RIPE
tech-c: NF1714-RIPE
status: ASSIGNED PA
mnt-by: FT-BRX
changed: gestionip.ft () francetelecom com 20030321
source: RIPE
route: 81.52.240.0/20
descr: France Telecom
descr: Opentransit
origin: AS5511
mnt-by: FT-BRX
changed: gestionip.ft () francetelecom com 20030214
source: RIPE
role: Network Architecture Role Account
address: Akamai Technologies
address: 500 Technology Square
address: Cambridge, MA 02139
phone: +1-617-250-4768
e-mail: ip-admin () akamai com
admin-c: NF1714-RIPE
admin-c: JP1944-RIPE
tech-c: NF1714-RIPE
tech-c: JP1944-RIPE
nic-hdl: NARA1-RIPE
notify: ip-admin () akamai com
changed: ip-admin () akamai com 20021025
source: RIPE
person: Noam Freedman
address: Akamai Technologies
address: 500 Technology Sq
address: Cambridge, MA 02139
phone: +1 617 250 4768
e-mail: noam () akamai com
nic-hdl: NF1714-RIPE
notify: noam () akamai com
changed: noam () akamai com 20021025
source: RIPE
[End of Data]


The scan seems to be looking for:
ansys-lm - ANSYS-License manager for port 1800
concomp1 - ConComp1 for port 1802

According to this: http://aaron.boim.com/unix/sshTunnel.html , it may
be a scan for an open proxy used for SSH? I dunno.

I'm not familiar with these services (nor am I running them).  I did
not have any browser windows open at the time of the scan.  So, out of
nowhere, why would an Akamai box scan me for these services?  Is
anybody else getting this kind of traffic?


