RE: Unusual port scan?

From: Jerry Shenk (jshenk_at_decommunications.com)
Date: 12/29/03

  • Next message: Patrick Kremer: "Re: Unusual port scan?"
    To: "'J Bailes'" <jonas2@knology.net>, <incidents@securityfocus.com>
    Date: Sun, 28 Dec 2003 23:01:12 -0500
    
    

    There is a web server responding to port 80 on the 'attacking machine'.
    Are you sure this isn't a response to something from your machine? You
    said you didn't have a browser open but how about an e-mail client that
    processes HTML pages? Or perhaps some application that pulls in updates
    over port 80.

    Does your router give you any additional information like flags? If it
    does, you might find that the flags indicate that it's a response to a
    SYN from your machine. You might also put a sniffer on the network just
    to see if this is part of a legitimate connection attempt.

    -----Original Message-----
    From: J Bailes [mailto:jonas2@knology.net]
    Sent: Sunday, December 28, 2003 5:59 PM
    To: incidents@securityfocus.com
    Subject: Unusual port scan?

    My router logs on my personal/home machine just started receiving these
    scans:

    12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:04:50.236 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:04:42.705 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:04:16.067 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:04:11.991 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:58.982 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:56.639 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:50.440 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:48.958 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:46.164 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:45.112 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:44.031 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:43.199 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:42.428 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:42.238 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    12/28/2003 13:03:42.168 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    12/28/2003 13:03:41.757 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800

    The scans supposedly came from:

    [Query: 81.52.250.105, Server: whois.ripe.net]

    % This is the RIPE Whois server.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/ripencc/pub-services/db/copyright.html

    inetnum: 81.52.248.0 - 81.52.250.127
    netname: AKAMAI-FT-US
    descr: Akamai Technologies - US machines connected to FT AS5511
    country: US
    admin-c: NARA1-RIPE
    tech-c: NARA1-RIPE
    tech-c: NF1714-RIPE
    status: ASSIGNED PA
    mnt-by: FT-BRX
    changed: gestionip.ft@francetelecom.com 20030321
    source: RIPE

    route: 81.52.240.0/20
    descr: France Telecom
    descr: Opentransit
    origin: AS5511
    mnt-by: FT-BRX
    changed: gestionip.ft@francetelecom.com 20030214
    source: RIPE

    role: Network Architecture Role Account
    address: Akamai Technologies
    address: 500 Technology Square
    address: Cambridge, MA 02139
    phone: +1-617-250-4768
    e-mail: ip-admin@akamai.com
    admin-c: NF1714-RIPE
    admin-c: JP1944-RIPE
    tech-c: NF1714-RIPE
    tech-c: JP1944-RIPE
    nic-hdl: NARA1-RIPE
    notify: ip-admin@akamai.com
    changed: ip-admin@akamai.com 20021025
    source: RIPE

    person: Noam Freedman
    address: Akamai Technologies
    address: 500 Technology Sq
    address: Cambridge, MA 02139
    phone: +1 617 250 4768
    e-mail: noam@akamai.com
    nic-hdl: NF1714-RIPE
    notify: noam@akamai.com
    changed: noam@akamai.com 20021025
    source: RIPE

    [End of Data]

    The scan seems to be looking for:

    ansys-lm - ANSYS-License manager for port 1800

    concomp1 - ConComp1 for port 1802

    According to this: http://aaron.boim.com/unix/sshTunnel.html , it may be
    a scan for an open proxy used for SSH? I dunno.

    I'm not familiar with these services (nor am I running them). I did not
    have any browser windows open at the time of the scan. So, out of
    nowhere, why would an Akamai box scan me for these services? Is anybody
    else getting this kind of traffic?


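The check Jerry Shenk describes (is source port 80 to a pair of high local ports really a scan, or the far end of a connection your own machine opened?) can be made mechanical for a router log of the layout quoted above. The script below is an added example and is not code from either poster. It assumes the 'date time - src : sport >>> dst : dport' line layout seen in the thread, uses constructed sample lines (the 81.52.250.105 entries mirror the quoted log with a documentation address for the masked local host; the second source, 198.51.100.7, is invented for contrast), and only sees port numbers: a "probable-reply" verdict is a hint to confirm with the router's flag output or a sniffer, exactly as the reply suggests, not a conclusion.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the router log quoted in the thread.
# Local host is an RFC 5737 documentation address; 198.51.100.7 is an invented
# second source added to show what a port sweep looks like next to reply traffic.
SAMPLE_LOG = """\
12/28/2003 13:03:41.757 - 81.52.250.105 : 80 >>> 192.0.2.10 : 1800
12/28/2003 13:03:42.168 - 81.52.250.105 : 80 >>> 192.0.2.10 : 1802
12/28/2003 13:03:42.238 - 81.52.250.105 : 80 >>> 192.0.2.10 : 1800
12/28/2003 13:03:42.428 - 81.52.250.105 : 80 >>> 192.0.2.10 : 1802
12/28/2003 13:04:11.991 - 81.52.250.105 : 80 >>> 192.0.2.10 : 1800
12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> 192.0.2.10 : 1800
12/28/2003 13:07:01.000 - 198.51.100.7 : 54321 >>> 192.0.2.10 : 135
12/28/2003 13:07:01.020 - 198.51.100.7 : 54322 >>> 192.0.2.10 : 139
12/28/2003 13:07:01.040 - 198.51.100.7 : 54323 >>> 192.0.2.10 : 445
12/28/2003 13:07:01.060 - 198.51.100.7 : 54324 >>> 192.0.2.10 : 1433
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) - (?P<src>\S+) : (?P<sport>\d+) >>> "
    r"(?P<dst>\S+) : (?P<dport>\d+)$"
)

WELL_KNOWN_MAX = 1023   # 0-1023: ports a service listens on
EPHEMERAL_MIN = 1024    # the local end of an outbound connection lands here


def parse_router_log(text):
    """Parse 'date time - src : sport >>> dst : dport' lines into dicts.
    Lines that do not match are skipped: router logs are usually interleaved
    with unrelated messages and one bad line should not abort triage."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": f"{m['date']} {m['time']}",
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return events


def triage_by_source(events):
    """Group hits by remote address and decide, per address, whether they look
    like replies to connections the local host opened (remote side on a
    service port, local side on a few ephemeral ports) or like a probe of the
    local host's own service ports (many distinct local ports, some of them
    well-known). Flags are not in this log format, so the verdict is a hint."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    verdicts = {}
    for src, evs in by_src.items():
        sports = {e["sport"] for e in evs}
        dports = {e["dport"] for e in evs}
        remote_is_service = all(p <= WELL_KNOWN_MAX for p in sports)
        local_is_ephemeral = all(p >= EPHEMERAL_MIN for p in dports)
        if remote_is_service and local_is_ephemeral and len(dports) <= 4:
            verdict = "probable-reply"   # confirm: look for our SYN / sniff
        elif len(dports) >= 3 and any(p <= WELL_KNOWN_MAX for p in dports):
            verdict = "scan-like"        # several of our service ports touched
        else:
            verdict = "unclear"
        verdicts[src] = {
            "verdict": verdict,
            "hits": len(evs),
            "remote_ports": sorted(sports),
            "local_ports": sorted(dports),
        }
    return verdicts


if __name__ == "__main__":
    for src, info in triage_by_source(parse_router_log(SAMPLE_LOG)).items():
        print(f"{src:16} {info['verdict']:15} hits={info['hits']:<3} "
              f"remote={info['remote_ports']} local={info['local_ports']}")
```

Run against the sample, the Akamai address comes out "probable-reply": one remote service port, two local ephemeral ports hit over and over, which is what a web server's retransmissions or a second HTTP connection from the same client look like from the router's side. The invented second source hits four different well-known local ports in a fraction of a second and is tagged "scan-like". The thresholds (up to four local ports for a reply, three or more well-known local ports for a sweep) are assumptions chosen for this example and should be tuned to the log volume of the network in question.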