RE: Unusual port scan?

From: Jerry Shenk (jshenk_at_decommunications.com)
Date: 12/29/03

  • Next message: Patrick Kremer: "Re: Unusual port scan?"
    To: "'J Bailes'" <jonas2@knology.net>, <incidents@securityfocus.com>
    Date: Sun, 28 Dec 2003 23:01:12 -0500

    There is a web server responding to port 80 on the 'attacking machine'.
    Are you sure this isn't a response to something from your machine? You
    said you didn't have a browser open but how about an e-mail client that
    processes HTML pages? Or perhaps some application that pulls in updates
    over port 80.

    Does your router give you any additional information like flags? If it
    does, you might find that the flags indicate that it's a response to a
    SYN from your machine. You might also put a sniffer on the network just
    to see if this is part of a legitimate connection attempt.

    -----Original Message-----
    From: J Bailes [mailto:jonas2@knology.net]
    Sent: Sunday, December 28, 2003 5:59 PM
    To: incidents@securityfocus.com
    Subject: Unusual port scan?

    My router logs on my personal/home machine just started receiving these
    scans:

    12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:04:50.236 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:04:42.705 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:04:16.067 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:04:11.991 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:58.982 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:56.639 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:50.440 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:48.958 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:46.164 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:45.112 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:44.031 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:43.199 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:42.428 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:42.238 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:42.168 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:41.757 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800

    The scans supposedly came from:

    [Query: 81.52.250.105, Server: whois.ripe.net]

    % This is the RIPE Whois server.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/ripencc/pub-services/db/copyright.html

    inetnum:      81.52.248.0 - 81.52.250.127
    netname:      AKAMAI-FT-US
    descr:        Akamai Technologies - US machines connected to FT AS5511
    country:      US
    admin-c:      NARA1-RIPE
    tech-c:       NARA1-RIPE
    tech-c:       NF1714-RIPE
    status:       ASSIGNED PA
    mnt-by:       FT-BRX
    changed:      gestionip.ft@francetelecom.com 20030321
    source:       RIPE

    route:        81.52.240.0/20
    descr:        France Telecom
    descr:        Opentransit
    origin:       AS5511
    mnt-by:       FT-BRX
    changed:      gestionip.ft@francetelecom.com 20030214
    source:       RIPE

    role:         Network Architecture Role Account
    address:      Akamai Technologies
    address:      500 Technology Square
    address:      Cambridge, MA 02139
    phone:        +1-617-250-4768
    e-mail:       ip-admin@akamai.com
    admin-c:      NF1714-RIPE
    admin-c:      JP1944-RIPE
    tech-c:       NF1714-RIPE
    tech-c:       JP1944-RIPE
    nic-hdl:      NARA1-RIPE
    notify:       ip-admin@akamai.com
    changed:      ip-admin@akamai.com 20021025
    source:       RIPE

    person:       Noam Freedman
    address:      Akamai Technologies
    address:      500 Technology Sq
    address:      Cambridge, MA 02139
    phone:        +1 617 250 4768
    e-mail:       noam@akamai.com
    nic-hdl:      NF1714-RIPE
    notify:       noam@akamai.com
    changed:      noam@akamai.com 20021025
    source:       RIPE

    [End of Data]

    The scan seems to be looking for:

    ansys-lm - ANSYS-License manager for port 1800
    concomp1 - ConComp1 for port 1802

    According to this: http://aaron.boim.com/unix/sshTunnel.html , it may be
    a scan for an open proxy used for SSH? I dunno.

    I'm not familiar with these services (nor am I running them). I did not
    have any browser windows open at the time of the scan. So, out of
    nowhere, why would an Akamai box scan me for these services? Is anybody
    else getting this kind of traffic?

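The triage Jerry describes (check the flags if the router logs them; otherwise ask whether a web server on port 80 talking to two ephemeral client ports looks like a scan or like the return half of a connection your own host opened) can be run over the log format quoted above. The script below is an added example, not code from either poster. It assumes a hypothetical trailing "[FLAGS]" column that the quoted router log does not have, a Windows 2000/XP-style client ephemeral range of 1025-5000, and constructed sample lines; the 203.0.113.7 scan sample is made up for the test.

```python
# Added example (not part of the thread): a small triage script that parses
# router log lines in the format quoted above and applies the two checks
# Jerry suggests: read the TCP flags when the router logs them, otherwise
# reason about the port pair. The trailing "[FLAGS]" field is an assumed,
# hypothetical extension; the quoted log has no flags column.
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) - (?P<src>\S+) : (?P<sport>\d+) >>> "
    r"(?P<dst>\S+) : (?P<dport>\d+)(?: \[(?P<flags>[A-Z,]+)\])?\s*$"
)

# Assumption: client ephemeral range of Windows 2000/XP-era hosts (1025-5000),
# which is where ports like 1800/1802 fall.
EPHEMERAL = range(1025, 5001)
WELL_KNOWN_MAX = 1023
FEW_PORTS = 8  # replies reuse a handful of ports; scans spread across many


def parse_line(line):
    """Parse one log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = set(rec["flags"].split(",")) if rec["flags"] else None
    return rec


def classify_flags(flags):
    """Jerry's first check: what the TCP flags say about who initiated."""
    if "SYN" in flags and "ACK" in flags:
        return "reply to a SYN our side sent (SYN/ACK)"
    if "SYN" in flags:
        return "inbound connection attempt (SYN) - possible probe"
    if "RST" in flags or "ACK" in flags:
        return "stray segment of an existing or closed connection"
    return "unclassified flags"


def triage(log_text):
    """Group lines by source address and give each source a verdict.

    With flags, the flags decide. Without them, a well-known source port
    talking to a few client ephemeral ports is what the return half of an
    outbound web connection looks like, while a scan spreads over many
    destination ports that are usually service ports, not ephemeral ones.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    report = {}
    for src, recs in by_src.items():
        dports = Counter(r["dport"] for r in recs)
        sports = {r["sport"] for r in recs}
        flagged = [r for r in recs if r["flags"] is not None]
        if flagged:
            votes = Counter(classify_flags(r["flags"]) for r in flagged)
            verdict = votes.most_common(1)[0][0]
        elif (all(p <= WELL_KNOWN_MAX for p in sports)
              and all(p in EPHEMERAL for p in dports)
              and len(dports) <= FEW_PORTS):
            verdict = "likely return traffic for an outbound connection"
        else:
            verdict = "possible scan - capture with a sniffer to confirm"
        report[src] = {"hits": len(recs), "source_ports": sorted(sports),
                       "distinct_dst_ports": len(dports), "verdict": verdict}
    return report


# Constructed samples. The first reproduces the poster's format (no flags);
# the other two are made up to exercise the flag path and the scan path.
SAMPLE_NO_FLAGS = """\
12/28/2003 13:03:41.757 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:42.168 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:42.238 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:42.428 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
"""
SAMPLE_WITH_FLAGS = """\
12/28/2003 13:03:41.757 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 [SYN,ACK]
12/28/2003 13:03:42.168 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 [SYN,ACK]
"""
SAMPLE_SCAN = "\n".join(
    f"12/28/2003 13:10:00.{i:03d} - 203.0.113.7 : 44123 >>> xx.xxx.xxx.xxx : {p}"
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 445])
)

if __name__ == "__main__":
    for sample in (SAMPLE_NO_FLAGS, SAMPLE_WITH_FLAGS, SAMPLE_SCAN):
        for src, info in triage(sample).items():
            print(src, info)
```

On the quoted lines the port heuristic reports 81.52.250.105 as "likely return traffic": one well-known source port, two destination ports in the client ephemeral range, alternating the way two open connections' replies would. The heuristic is only a hint, since a sender picks its own source port; the flags column and a packet capture on the LAN are the checks that settle it, which is why Jerry asks for them.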