persistent 5-port port scans

Discussion in 'other firewalls' started by overboard, May 14, 2004.

Thread Status:
Not open for further replies.
  1. overboard

    overboard Registered Member

    Joined:
    Jul 11, 2003
    Posts:
    12
    Does anyone know offhand what it is that's been active for about a month doing port scans, several scans in a minute or so, exactly five ports? A different set of five ports in each episode. This isn't a hazard -- I'm just curious.
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Do the scans come from websites you recently visited? If so, then it may be that your network connection was not cleanly closed (causing the sites to continue trying to send data to you).

    Otherwise, this could either be requests from a P2P network node (especially if you ever ran P2P software) or an active portscan attempt trying small blocks to avoid raising your suspicions (especially if the same source IP address - or a small group of them - was always involved).
     
  3. overboard

    overboard Registered Member

    Joined:
    Jul 11, 2003
    Posts:
    12
    Thanks for the ideas. I don't think it's web sites. About half the scan episodes originate from IP addresses near my own dynamically assigned IP address, e.g., remote host 216.55.xx.xx and local host 216.55.yy.yy. Other remote hosts have been scattered across the Western Hemisphere.
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Well, there are certainly some popular ( ;) ) worms out there these last weeks. The ports you are seeing activity on would really help though, as different subnets are seeing different activity levels and some ISPs are blocking some ports to prevent even wider spreading of these worms.

    Activity on TCP ports 2745, 3127 and 6129 is pretty big right now. There's also a lot of activity on TCP ports 135, 139, 445 and 1025, which caused my ISP to block all incoming packets to these destination ports at their border routers.
     
  5. overboard

    overboard Registered Member

    Joined:
    Jul 11, 2003
    Posts:
    12
    Hi. Earlier today these five scans were logged between 10:21:46 and 10:21:55 originating from one IP address. All are TCP ports:

    80, 135, 445, 1025, 2745
    80, 139, 445, 3127, 6129
    135, 445, 1025, 2745, 3127
    80, 139, 2745, 3127, 6129
    135, 445, 1025, 2745, 3127
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Yes, that all looks absolutely normal to me. There's quite a group of worms now echoing across the Internet thanks to those people who keep editing and launching new variants and each one has slightly different scanning patterns.

    This site may make interesting reading in terms of the current hot ports and what malware is causing it:

    http://www.mynetwatchman.com/tp.asp
     
  7. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Yep, I am getting constant scans within my IP range also on TCP ports: 1025, 2745, 3127, 6129.

    These 3 are on the 'Top Attacked Ports' at http://isc.sans.org/
    2745 - Bagle.C
    3127 - mydoom
    6129 - dameware

    Many are still infected with those beasties. :doubt:

    (Hi LWM) :D
     
  8. overboard

    overboard Registered Member

    Joined:
    Jul 11, 2003
    Posts:
    12
    Thanks for those two links.
    Sasser attacks 445, Beagle attacks 2745, MyDoom attacks 3127, etc. At this point I'm guessing that Sygate PF is mistaken in detecting a single entity at a single IP address scanning all of these at once.
     
  9. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Once upon a time, getting a multi-port scan from a single remote IP was something of a rarity. (Indeed, it was one of the things I used to flag.)

    However, since the MyDoom worm opened its backdoor, there has been a sharp increase in multi-port scans. Indeed, I believe LinkLogger has detected some remote systems that seem to now be infested with multiple little beasties doing multi-port scans!

    In other words, SPF may be quite correct.
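The five port sets overboard posted (post 5) and jvmorris's point that a single remote IP can now legitimately show up as a multi-port scanner (post 9) can both be checked against a firewall log with a small correlator. The following is an added example written for this thread; it is not Sygate's, LinkLogger's or any poster's code. It assumes a hypothetical one-line-per-probe log format (constructed here, not Sygate Personal Firewall's real format), uses documentation IP ranges as constructed sample data, and labels only the ports the thread itself attributes to a worm (445 Sasser, 2745 Bagle.C, 3127 MyDoom, 6129 DameWare). The 5-port threshold and the 10-second grouping window are taken from the numbers in overboard's posts.

```python
"""Group firewall probe lines into per-source episodes and flag multi-port scans."""
import re
from datetime import datetime, timedelta

# Port-to-worm labels exactly as stated in the thread; other ports stay unlabelled.
PORT_LABELS = {
    445: "Sasser",
    2745: "Bagle.C",
    3127: "MyDoom",
    6129: "DameWare",
}

# Hypothetical log format (constructed for this example):
# "<YYYY-MM-DD> <HH:MM:SS> TCP <src ip>:<src port> -> <dst ip>:<dst port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$"
)


def parse_line(line):
    """Return (timestamp, source ip, destination port) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("src"), int(m.group("port"))


def build_episodes(lines, gap=timedelta(seconds=10)):
    """Group probes by source IP. A new episode starts when the time since the
    previous probe from that source exceeds `gap` (10 s: the span of the posted scans)."""
    events = sorted(e for e in map(parse_line, lines) if e)
    episodes = []
    current = {}  # source ip -> episode currently being extended
    for ts, src, port in events:
        ep = current.get(src)
        if ep is None or ts - ep["end"] > gap:
            ep = {"src": src, "start": ts, "end": ts, "ports": set(), "probes": 0}
            episodes.append(ep)
            current[src] = ep
        ep["end"] = ts
        ep["ports"].add(port)
        ep["probes"] += 1
    return episodes


def classify(episode, min_ports=5):
    """Flag an episode as a multi-port scan and list the worm families whose
    ports it touched; several families from one IP matches jvmorris's
    'multiply infested host' observation."""
    families = sorted(PORT_LABELS[p] for p in episode["ports"] if p in PORT_LABELS)
    return {
        "src": episode["src"],
        "distinct_ports": len(episode["ports"]),
        "probes": episode["probes"],
        "multi_port_scan": len(episode["ports"]) >= min_ports,
        "families": families,
    }


# The five port sets from post 5, in the order posted.
SCAN_SETS = [
    (80, 135, 445, 1025, 2745),
    (80, 139, 445, 3127, 6129),
    (135, 445, 1025, 2745, 3127),
    (80, 139, 2745, 3127, 6129),
    (135, 445, 1025, 2745, 3127),
]


def constructed_log():
    """Constructed sample log: one nearby source sends the five posted sets
    between 10:21:46 and 10:21:54; an unrelated host later hits one port twice."""
    lines = []
    base = datetime(2004, 5, 14, 10, 21, 46)
    for i, ports in enumerate(SCAN_SETS):
        ts = base + timedelta(seconds=2 * i)
        for p in ports:
            lines.append(f"{ts:%Y-%m-%d %H:%M:%S} TCP 203.0.113.10:3345 -> 203.0.113.200:{p}")
    lines.append("2004-05-14 10:30:01 TCP 198.51.100.7:80 -> 203.0.113.200:3344")
    lines.append("2004-05-14 10:30:02 TCP 198.51.100.7:80 -> 203.0.113.200:3344")
    return lines


def analyse(lines):
    """Parse, group and classify; returns one summary dict per episode."""
    return [classify(ep) for ep in build_episodes(lines)]


if __name__ == "__main__":
    for summary in analyse(constructed_log()):
        print(summary)
```

Run as-is, the scanning source comes out as one episode of 25 probes across 8 distinct ports touching all four named families, while the second host stays unflagged; that is the distinction between "one entity scanning several ports at once" and ordinary single-port traffic that the thread is debating. Against a real log, the two knobs to adjust are `gap` and `min_ports`, and the port table should only be extended with attributions you can actually source.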
     