Unusual port scan?

From: J Bailes (jonas2_at_knology.net)
Date: 12/28/03

    Date: 28 Dec 2003 22:59:12 -0000
    To: incidents@securityfocus.com
    
    

    My router logs on my personal/home machine just started receiving these scans:
     
    12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:04:50.236 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:04:42.705 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:04:16.067 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:04:11.991 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:58.982 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:56.639 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:50.440 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:48.958 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:46.164 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:45.112 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:44.031 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:43.199 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:42.428 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:42.238 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:42.168 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:41.757 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800

    The scans supposedly came from:

    [Query: 81.52.250.105, Server: whois.ripe.net]
    % This is the RIPE Whois server.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/ripencc/pub-services/db/copyright.html
    inetnum: 81.52.248.0 - 81.52.250.127
    netname: AKAMAI-FT-US
    descr: Akamai Technologies - US machines connected to FT AS5511
    country: US
    admin-c: NARA1-RIPE
    tech-c: NARA1-RIPE
    tech-c: NF1714-RIPE
    status: ASSIGNED PA
    mnt-by: FT-BRX
    changed: gestionip.ft@francetelecom.com 20030321
    source: RIPE
    route: 81.52.240.0/20
    descr: France Telecom
    descr: Opentransit
    origin: AS5511
    mnt-by: FT-BRX
    changed: gestionip.ft@francetelecom.com 20030214
    source: RIPE
    role: Network Architecture Role Account
    address: Akamai Technologies
    address: 500 Technology Square
    address: Cambridge, MA 02139
    phone: +1-617-250-4768
    e-mail: ip-admin@akamai.com
    admin-c: NF1714-RIPE
    admin-c: JP1944-RIPE
    tech-c: NF1714-RIPE
    tech-c: JP1944-RIPE
    nic-hdl: NARA1-RIPE
    notify: ip-admin@akamai.com
    changed: ip-admin@akamai.com 20021025
    source: RIPE
    person: Noam Freedman
    address: Akamai Technologies
    address: 500 Technology Sq
    address: Cambridge, MA 02139
    phone: +1 617 250 4768
    e-mail: noam@akamai.com
    nic-hdl: NF1714-RIPE
    notify: noam@akamai.com
    changed: noam@akamai.com 20021025
    source: RIPE
    [End of Data]

    The scan seems to be looking for:
    ansys-lm - ANSYS-License manager for port 1800
    concomp1 - ConComp1 for port 1802

    According to this: http://aaron.boim.com/unix/sshTunnel.html , it may be a scan for an open proxy used for SSH? I dunno.

    I'm not familiar with these services (nor am I running them). I did not have any browser windows open at the time of the scan. So, out of nowhere, why would an Akamai box scan me for these services? Is anybody else getting this kind of traffic?
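
An added triage example, not part of the original post: it groups the logged packets by flow and measures how the gaps between repeats grow. Gaps that keep doubling are what a TCP retransmission timer backing off produces, which separates repeated packets on one connection from a sweep across ports. The function names and the 1.8 to 2.2 tolerance are assumptions chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Router log lines copied from the post above (destination already masked there).
LOG = """\
12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:04:50.236 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:04:42.705 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:04:16.067 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:04:11.991 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:58.982 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:56.639 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:50.440 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:48.958 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:46.164 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:45.112 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:44.031 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:43.199 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:42.428 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:42.238 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:42.168 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:41.757 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
"""
LINE = re.compile(r"(\S+ \S+) - (\S+) : (\d+) >>> (\S+) : (\d+)")

def flows(log):
    """Group packet timestamps by (src, sport, dst, dport), oldest first."""
    out = defaultdict(list)
    for m in filter(None, map(LINE.match, log.splitlines())):
        ts = datetime.strptime(m[1], "%m/%d/%Y %H:%M:%S.%f")
        out[(m[2], int(m[3]), m[4], int(m[5]))].append(ts)
    return {k: sorted(v) for k, v in out.items()}

def gap_ratios(times):
    """Ratio of each inter-arrival gap to the gap before it."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return [round(g2 / g1, 2) for g1, g2 in zip(gaps, gaps[1:]) if g1 > 0]

def looks_like_backoff(times, lo=1.8, hi=2.2, min_run=4):
    """True when the last min_run gap ratios all sit near 2 (timer doubling)."""
    r = gap_ratios(times)
    return len(r) >= min_run and all(lo <= x <= hi for x in r[-min_run:])

if __name__ == "__main__":
    for flow, times in flows(LOG).items():
        print(flow, len(times), gap_ratios(times), looks_like_backoff(times))
```

Run against the excerpt, both destination ports show the doubling pattern, and only two destination ports appear from a single source port.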
