Anybody familiar with this portscan pattern?


Jooske
March 31st, 2004, 02:10 AM
Hello all,
I see this portscan pattern coming in more and more often, and I am wondering if anybody has an idea which tool could be used:
At exactly the same time a user sends out, for instance,
from their TCP port to my TCP port:
4807 1025
4810 3127
4812 6129
or
4029 1025
4034 3127
4047 6129
or
1617 2745
1619 1025
1621 3127
1622 6129
1624 80
or
4313 2745
4315 1025
4317 3127
4318 6129
4320 80

These are several senders and each packet is at one time, but the different senders are sending at different times.
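
As an added example (not code from the thread or from any of its posters), here is a small Python script that spots the pattern described above in a firewall log: one source hitting several of the listed destination ports (2745, 1025, 3127, 6129, 80) within the same second, from closely spaced source ports. The log format, the IP addresses and the sample lines are constructed for the example and are hypothetical; adapt parse_line() to your own firewall's log layout. The source-port span is reported because a burst from sequential ephemeral ports in one second is what distinguishes a scripted probe from a user's ordinary browsing.

```python
"""Detect the "same-second sweep" pattern from the thread.

Added example, not code from the original thread. The log format is a
constructed, hypothetical firewall-log layout. Destination ports are
the ones the thread lists: 2745, 1025, 3127, 6129 and 80.
"""
import re
from collections import defaultdict

# Destination ports the thread reports being hit together.
SIGNATURE_PORTS = {2745, 1025, 3127, 6129, 80}

# Minimum number of signature ports hit by one source in one second
# before the burst is reported (the thread shows 3 to 5 per burst).
MIN_HITS = 3

# Hypothetical log format (assumption), e.g.
# "2004-03-31 02:10:00 TCP 198.51.100.7:4807 -> 203.0.113.9:1025 SYN"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<flags>\S+))?$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_sweeps(lines, min_hits=MIN_HITS):
    """Group TCP packets by (source IP, timestamp second) and report bursts
    whose destination ports all fall inside SIGNATURE_PORTS.

    Each finding is a dict with src, ts, dports (sorted) and sport_span
    (highest minus lowest source port in the burst; a small span means the
    probes were fired back to back from sequential ephemeral ports).
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        buckets[(rec["src"], rec["ts"])].append(rec)

    findings = []
    for (src, ts), recs in sorted(buckets.items()):
        dports = {r["dport"] for r in recs}
        # Require the burst to consist only of signature ports: a browser
        # hitting 80 alongside unrelated ports is not this sweep.
        if len(dports & SIGNATURE_PORTS) >= min_hits and dports <= SIGNATURE_PORTS:
            sports = [r["sport"] for r in recs]
            findings.append({
                "src": src,
                "ts": ts,
                "dports": sorted(dports),
                "sport_span": max(sports) - min(sports),
            })
    return findings


# Constructed sample log: two bursts at different times from different
# senders (mirroring the thread), plus unrelated traffic and a junk line.
SAMPLE_LOG = """\
2004-03-31 02:10:00 TCP 198.51.100.7:4807 -> 203.0.113.9:1025 SYN
2004-03-31 02:10:00 TCP 198.51.100.7:4810 -> 203.0.113.9:3127 SYN
2004-03-31 02:10:00 TCP 198.51.100.7:4812 -> 203.0.113.9:6129 SYN
2004-03-31 02:10:03 UDP 198.51.100.7:1033 -> 203.0.113.9:1026
2004-03-31 14:22:41 TCP 192.0.2.44:1617 -> 203.0.113.9:2745 SYN
2004-03-31 14:22:41 TCP 192.0.2.44:1619 -> 203.0.113.9:1025 SYN
2004-03-31 14:22:41 TCP 192.0.2.44:1621 -> 203.0.113.9:3127 SYN
2004-03-31 14:22:41 TCP 192.0.2.44:1622 -> 203.0.113.9:6129 SYN
2004-03-31 14:22:41 TCP 192.0.2.44:1624 -> 203.0.113.9:80 SYN
2004-03-31 14:30:00 TCP 192.0.2.99:3301 -> 203.0.113.9:80 SYN
2004-03-31 14:30:00 TCP 192.0.2.99:3302 -> 203.0.113.9:443 SYN
this line is garbage and is skipped
""".splitlines()

if __name__ == "__main__":
    for f in find_sweeps(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} hit ports {f['dports']} "
              f"(source-port span {f['sport_span']})")
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines; the 192.0.2.99 entries show why the "only signature ports" condition matters, since a plain web client touching 80 and 443 in one second would otherwise be flagged.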

LowWaterMark
March 31st, 2004, 02:28 AM
Well, the 3127 and 6129 look very much like this (and there are many other threads about variations on this, so the particulars could well point to a newer variant):

http://www.dslreports.com/forum/remark,9529642~mode=flat

Jooske
March 31st, 2004, 03:35 AM
Started yesterday, or at least it was the first time I was paying attention to that kind of pattern.
I was looking more at all those knocks on UDP ports 1026-1029 until I changed the view to IP addresses and saw this pattern on TCP.

RedLobster
March 31st, 2004, 11:24 AM
A sniffer placed between server and client may cause such a pattern. Usually two/three packets... noticed any FIN packets?

RedLobster
March 31st, 2004, 12:09 PM
The client has a browser and it communicates via a network to a server (connected to a router). The queuing theory model should model the client, server and network. The data to be used for the model comes from a sniffer between the client and the server.

Just an example. Most likely not related

RedLobster
March 31st, 2004, 01:09 PM
Miss Jooske

Read the link posted by LWM. This does appear to be just infected computers. Cannot see anyone with half a brain using such a routine of sending packets. Even a computer with a bot would be ID'ed and cleaned.
Off to work... good day

meneer
March 31st, 2004, 02:34 PM
6129 is used by DameWare. Probably a client trying to connect to a DameWare server (there was a vulnerability recently: http://www.kb.cert.org/vuls/id/909678).
1025 could be the Remote Storm trojan.

I'd say there's someone using a script to scan a few systems for vulnerabilities. Perhaps the script kiddie is spoofing the source IP address (the 'from' address). It doesn't look like one exploit doing its job.
You might consider checking the ISP and notifying the ISP about this behaviour.

Jooske
March 31st, 2004, 05:17 PM
There were different IP ranges, not all close to each other, say a few in the morning, a few in the afternoon, evening, night, etc.
If it had been at different times per IP I would have thought of such tries and routers etc., but it is even the exact same second, so a range is sent out at one time.
Guess LWM's thread is closest to the answer.
Glad it's all blocked incoming portscans and not outgoing :)