Anybody familiar with this portscan pattern?

Discussion in 'other security issues & news' started by Jooske, Mar 31, 2004.

Thread Status:
Not open for further replies.
  1. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello all,
    I see this portscan pattern more and more often, and I wonder if anybody has an idea which tool could be used:
    At exactly the same time a user sends out for instance
    from TCP to my TCP
    4807 1025
    4810 3127
    4812 6129
    or
    4029 1025
    4034 3127
    4047 6129
    or
    1617 2745
    1619 1025
    1621 3127
    1622 6129
    1624 80
    or
    4313 2745
    4315 1025
    4317 3127
    4318 6129
    4320 80

    These are several senders and each packet is at one time, but the different senders are sending at different times.
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
  3. Jooske

    Jooske Registered Member

    Started yesterday, or at least it was the first time I was paying attention to that kind of pattern.
    I was more looking at all those knocks on ports UDP 1026-1029 until I changed the view to IP addresses and saw this pattern on TCP.
     
  4. RedLobster

    RedLobster Guest

    A sniffer placed between server and client may cause such a pattern. Usually two/three packets... noticed any FIN packets?
     
  5. RedLobster

    RedLobster Guest

    The client has a browser and it communicates via a network to a server (connected to a router). The queuing theory model should model the client, server and network. The data to be used for the model comes from a sniffer between the client and the server.

    Just an example. Most likely not related.
     
  6. RedLobster

    RedLobster Guest

    Miss Jooske

    Read the link posted by LWM. This does appear to be just infected computers. Cannot see anyone with half a brain using such a routine of sending packets. Even a computer with a bot would be ID'ed and cleaned.
    Off to work... good day
     
  7. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    6129 is used by DameWare. Probably a client trying to connect to a DameWare server (there was a vulnerability recently: http://www.kb.cert.org/vuls/id/909678 ).
    1025 could be the Remote Storm trojan.

    I'd say there's someone using a script to scan a few systems for vulnerabilities. Perhaps the scriptkiddy is spoofing the source IP address (the 'from' address). It doesn't look like one exploit doing its job.
    You might consider checking the ISP and notifying the ISP about this behaviour.
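    One way to pick this pattern out of a firewall log, as an added example that is not code from anyone in this thread: group inbound TCP hits by source IP and by the second they arrived, and flag any source that touches several of the destination ports listed above (2745, 1025, 3127, 6129, 80) within one second. Sorting the burst by its source ports also recovers the order in which the scanner probed, which is what makes the ports look "from TCP / to my TCP" in the first post. The log format and the log lines are constructed for this example (addresses are from documentation ranges); a real firewall log would need its own parser.

```python
"""Flag same-second bursts against a watched set of TCP ports.

The log format below ("<timestamp> <src_ip> <src_port> <dst_port>") is an
assumption made for this example, and the log lines are constructed;
they mirror the port sets quoted in the thread.
"""
from collections import defaultdict
from dataclasses import dataclass

# Destination ports that appear together in the thread's bursts.
WATCHED_PORTS = {2745, 1025, 3127, 6129, 80}
# How many distinct watched ports in one second count as a burst.
MIN_HITS = 3

# Constructed sample log: two scanning sources that fire within one second,
# plus one benign source that touches the same ports spread over hours.
SAMPLE_LOG = """\
2004-03-31T08:12:05 198.51.100.23 1617 2745
2004-03-31T08:12:05 198.51.100.23 1619 1025
2004-03-31T08:12:05 198.51.100.23 1621 3127
2004-03-31T08:12:05 198.51.100.23 1622 6129
2004-03-31T08:12:05 198.51.100.23 1624 80
2004-03-31T14:40:51 203.0.113.7 4807 1025
2004-03-31T14:40:51 203.0.113.7 4810 3127
2004-03-31T14:40:51 203.0.113.7 4812 6129
2004-03-31T09:00:00 192.0.2.99 50000 80
2004-03-31T09:30:00 192.0.2.99 50001 1025
2004-03-31T10:00:00 192.0.2.99 50002 3127
"""


@dataclass(frozen=True)
class Hit:
    ts: str        # timestamp to one-second resolution
    src_ip: str
    src_port: int
    dst_port: int


def parse_log(text):
    """Parse the assumed four-column format into Hit records."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, sp, dp = line.split()
        hits.append(Hit(ts, ip, int(sp), int(dp)))
    return hits


def find_bursts(hits, watched=WATCHED_PORTS, min_hits=MIN_HITS):
    """Return {(src_ip, ts): sorted distinct dst ports} for every source
    that hit at least min_hits watched ports within the same second."""
    by_key = defaultdict(list)
    for h in hits:
        if h.dst_port in watched:
            by_key[(h.src_ip, h.ts)].append(h)
    bursts = {}
    for key, group in by_key.items():
        ports = {h.dst_port for h in group}
        if len(ports) >= min_hits:
            bursts[key] = sorted(ports)
    return bursts


def probe_order(hits, src_ip, ts):
    """Recover the order in which one burst probed its targets: a single
    scanner opening sockets in sequence gets ascending ephemeral source
    ports, so sorting by src_port gives the dst ports in probe order."""
    group = [h for h in hits if h.src_ip == src_ip and h.ts == ts]
    return [h.dst_port for h in sorted(group, key=lambda h: h.src_port)]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for (ip, ts), ports in sorted(find_bursts(parsed).items()):
        print(f"{ts} {ip} hit {ports} in one second; "
              f"probe order {probe_order(parsed, ip, ts)}")
```

    The benign source in the sample (192.0.2.99) touches three watched ports too, but hours apart, so it never forms a burst; the same-second grouping is what separates "one host sweeping a port list" from ordinary, unrelated connection attempts.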
     
  8. Jooske

    Jooske Registered Member

    There were different IP ranges, not all close to each other, say a few in the morning, a few in the afternoon, evening, night, etc.
    If it was at different times per IP I would have thought of such tries and routers etc., but it is even the exact second, so a range is sent out at a time.
    Guess LWM's thread is closest to the answer.
    Glad it's all blocked incoming portscans and not outgoing :)
     