Snort mailing list archives

Lots of outgoing portscans


From: Richard Gaywood <rich () fscked co uk>
Date: Wed, 22 Oct 2003 08:28:49 +0100

Hello list! Please forgive me posting without lurking first but I'm
slightly panicked about this.

I have lots and lots of outgoing portscans in my snort logs. Googling
around has suggested they are probably a false positive, related to
opening webpages or DNS or the like; however, I'm worried about these
because they are addressed to lots of closely-related IPs on port 7,
none of which seem to have a reverse DNS entry.

Here's all the portscans out of my current log:

arawn:/var/log/snort# grep -A 1 Portscan alert | grep -E ">"
10/22-06:26:10.351367 10.0.1.1:41700 -> 66.151.150.23:7
10/22-06:27:11.250670 10.0.1.1:41717 -> 66.151.150.23:7
10/22-06:33:05.680585 10.0.1.1:41748 -> 195.8.69.184:110
10/22-06:39:04.657120 10.0.1.1:41775 -> 195.8.69.217:110
10/22-06:56:45.040775 10.0.1.1:60127 -> 62.24.228.9:53
10/22-07:00:03.385067 10.0.1.1:800 -> 10.0.2.1:2049
10/22-07:06:10.873928 10.0.1.1:41893 -> 66.151.150.23:7
10/22-07:08:41.380060 10.0.1.1:41912 -> 66.151.150.25:7
10/22-07:14:36.747681 10.0.1.1:41963 -> 66.151.150.17:7
10/22-07:20:39.484445 10.0.1.1:42013 -> 212.159.10.1:110
10/22-07:21:50.369177 10.0.1.1:42028 -> 66.151.150.16:7
10/22-07:26:24.121002 10.0.1.1:42043 -> 66.151.150.25:7
10/22-07:38:13.784414 10.0.1.1:42106 -> 66.151.150.25:7
10/22-07:44:09.269896 10.0.1.1:42138 -> 66.151.150.31:7
10/22-07:50:02.058749 10.0.1.1:42181 -> 66.151.150.23:7
10/22-07:55:57.510212 10.0.1.1:42211 -> 66.151.150.31:7
10/22-08:00:08.139381 10.0.1.1:42242 -> 65.54.228.253:443
10/22-08:01:55.349904 10.0.1.1:42262 -> 66.151.150.31:7
10/22-08:02:27.344184 10.0.1.1:42299 -> 66.151.150.31:7
10/22-08:07:49.892392 10.0.1.1:42323 -> 66.151.150.25:7
10/22-08:09:08.090418 10.0.1.1:42379 -> 194.109.137.218:80
10/22-08:10:42.448357 10.0.1.1:42379 -> 194.109.137.218:80
10/22-08:13:49.046051 10.0.1.1:42402 -> 66.151.150.31:7
10/22-08:15:58.498816 10.0.1.1:42445 -> 208.185.25.38:21

The machine is a web and email server, and no web browsing happens off
it, nor does it have a web cache. It does act as a DNS proxy for my
network so perhaps that is the explanation, but all that port 7 activity
looks rather dodgy to me. Anyone offer me a benign explanation before I
have to take the server offline?

-- 
Richard Gaywood <rich () fscked co uk>
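A small triage helper, added here as an example and not part of the original post or of Snort itself: it parses the alert lines quoted above (copied verbatim into the script as sample input), groups them by destination port, and reports how many distinct hosts and /24 networks each port touches, the shortest interval between two hits on that port, and whether any single destination host was contacted on several ports (the signature of an actual port sweep). Snort's verbose timestamps carry no year, so the script assumes 2003, the year of the post; the thresholds and helper names are the example's own.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the 24 "->" lines from the post above, copied verbatim.
SAMPLE_ALERTS = """\
10/22-06:26:10.351367 10.0.1.1:41700 -> 66.151.150.23:7
10/22-06:27:11.250670 10.0.1.1:41717 -> 66.151.150.23:7
10/22-06:33:05.680585 10.0.1.1:41748 -> 195.8.69.184:110
10/22-06:39:04.657120 10.0.1.1:41775 -> 195.8.69.217:110
10/22-06:56:45.040775 10.0.1.1:60127 -> 62.24.228.9:53
10/22-07:00:03.385067 10.0.1.1:800 -> 10.0.2.1:2049
10/22-07:06:10.873928 10.0.1.1:41893 -> 66.151.150.23:7
10/22-07:08:41.380060 10.0.1.1:41912 -> 66.151.150.25:7
10/22-07:14:36.747681 10.0.1.1:41963 -> 66.151.150.17:7
10/22-07:20:39.484445 10.0.1.1:42013 -> 212.159.10.1:110
10/22-07:21:50.369177 10.0.1.1:42028 -> 66.151.150.16:7
10/22-07:26:24.121002 10.0.1.1:42043 -> 66.151.150.25:7
10/22-07:38:13.784414 10.0.1.1:42106 -> 66.151.150.25:7
10/22-07:44:09.269896 10.0.1.1:42138 -> 66.151.150.31:7
10/22-07:50:02.058749 10.0.1.1:42181 -> 66.151.150.23:7
10/22-07:55:57.510212 10.0.1.1:42211 -> 66.151.150.31:7
10/22-08:00:08.139381 10.0.1.1:42242 -> 65.54.228.253:443
10/22-08:01:55.349904 10.0.1.1:42262 -> 66.151.150.31:7
10/22-08:02:27.344184 10.0.1.1:42299 -> 66.151.150.31:7
10/22-08:07:49.892392 10.0.1.1:42323 -> 66.151.150.25:7
10/22-08:09:08.090418 10.0.1.1:42379 -> 194.109.137.218:80
10/22-08:10:42.448357 10.0.1.1:42379 -> 194.109.137.218:80
10/22-08:13:49.046051 10.0.1.1:42402 -> 66.151.150.31:7
10/22-08:15:58.498816 10.0.1.1:42445 -> 208.185.25.38:21
"""

# One Snort verbose-log packet line: "MM/DD-HH:MM:SS.usec src:sport -> dst:dport"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert_line(line, year=2003):
    """Parse one packet line; returns None for lines that do not match.
    Snort omits the year, so the caller supplies one (assumed 2003 here)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def parse_alerts(text, year=2003):
    return [r for r in (parse_alert_line(l, year) for l in text.splitlines()) if r]


def summarize_by_dport(records):
    """Per destination port: hit count, distinct hosts, their /24 networks,
    and the shortest gap in seconds between two consecutive hits."""
    by_port = defaultdict(list)
    for r in records:
        by_port[r["dport"]].append(r)
    out = {}
    for dport, rs in by_port.items():
        hosts = sorted({r["dst"] for r in rs})
        nets = sorted({str(ipaddress.ip_network(f"{h}/24", strict=False)) for h in hosts})
        ts = sorted(r["ts"] for r in rs)
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        out[dport] = {"count": len(rs), "hosts": hosts, "nets": nets,
                      "min_gap_s": min(gaps) if gaps else None}
    return out


def ports_per_host(records):
    """Distinct destination ports seen per destination host."""
    ports = defaultdict(set)
    for r in records:
        ports[r["dst"]].add(r["dport"])
    return {h: sorted(p) for h, p in ports.items()}


def likely_port_sweeps(records, min_ports=3):
    """Hosts contacted on min_ports or more distinct ports: what a real
    vertical port scan of a single target looks like (threshold is arbitrary)."""
    return [h for h, p in ports_per_host(records).items() if len(p) >= min_ports]


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for dport, s in sorted(summarize_by_dport(recs).items()):
        print(f"dport {dport:5d}: {s['count']:2d} hits, {len(s['hosts'])} hosts "
              f"in {s['nets']}, min gap {s['min_gap_s']}s")
    print("hosts hit on several ports:", likely_port_sweeps(recs))
```

Run against the quoted log, every destination host is contacted on exactly one port, the fifteen port-7 hits go to five hosts in one /24 and are never closer together than about 32 seconds, and the two port-80 lines reuse source port 42379 (the same connection logged twice). Those are the numbers to put next to the question of whether something on the box is scanning or merely talking to a service repeatedly; the script does not decide that for you.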



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users