Re: Unusual port scan?

From: Ed Budd (ebudd_at_grokking.org)
Date: 12/29/03

    Date: Mon, 29 Dec 2003 08:02:42 -0500
    To: incidents@securityfocus.com

    This output doesn't indicate what TCP flags are set, which I think is
    pretty much critical to understanding what's going on. I'd first
    determine whether these are SYN packets trying to initiate a connection
    or whether they're ACKs in response to something inside your perimeter.

    Check your outgoing logs for HTTP traffic from one of your hosts with
    dynamic ports 1800, 1802. If you have any Windows boxes with automatic
    updating turned on, this might be just the return traffic from them (I
    believe the WU service uses the HTTP and HTTPS ports for this purpose). If it is
    that service, you don't need any browser windows open; it happens in the
    background. Use snort/ethereal/tcpdump and capture some packets to be
    sure...

    Hope this helps,

    EB

    On 28 Dec 2003 22:59:12 -0000
    "J Bailes" <jonas2@knology.net> wrote:

    >
    >
    > My router logs on my personal/home machine just started showing
    > these scans:
    >
    > 12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    > 12/28/2003 13:04:50.236 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    > 12/28/2003 13:04:42.705 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    > 12/28/2003 13:04:16.067 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    > 12/28/2003 13:04:11.991 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    > 12/28/2003 13:03:58.982 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    > 12/28/2003 13:03:56.639 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    > 12/28/2003 13:03:50.440 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    > 12/28/2003 13:03:48.958 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    > 12/28/2003 13:03:46.164 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    > 12/28/2003 13:03:45.112 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    > 12/28/2003 13:03:44.031 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    > 12/28/2003 13:03:43.199 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    > 12/28/2003 13:03:42.428 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    > 12/28/2003 13:03:42.238 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    > 12/28/2003 13:03:42.168 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
    > 12/28/2003 13:03:41.757 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
    >
    >
    > The scans supposedly came from:
    >
    > [Query: 81.52.250.105, Server: whois.ripe.net]
    > % This is the RIPE Whois server.
    > % The objects are in RPSL format.
    > %
    > % Rights restricted by copyright.
    > % See http://www.ripe.net/ripencc/pub-services/db/copyright.html
    > inetnum: 81.52.248.0 - 81.52.250.127
    > netname: AKAMAI-FT-US
    > descr: Akamai Technologies - US machines connected to FT AS5511
    > country: US
    > admin-c: NARA1-RIPE
    > tech-c: NARA1-RIPE
    > tech-c: NF1714-RIPE
    > status: ASSIGNED PA
    > mnt-by: FT-BRX
    > changed: gestionip.ft@francetelecom.com 20030321
    > source: RIPE
    > route: 81.52.240.0/20
    > descr: France Telecom
    > descr: Opentransit
    > origin: AS5511
    > mnt-by: FT-BRX
    > changed: gestionip.ft@francetelecom.com 20030214
    > source: RIPE
    > role: Network Architecture Role Account
    > address: Akamai Technologies
    > address: 500 Technology Square
    > address: Cambridge, MA 02139
    > phone: +1-617-250-4768
    > e-mail: ip-admin@akamai.com
    > admin-c: NF1714-RIPE
    > admin-c: JP1944-RIPE
    > tech-c: NF1714-RIPE
    > tech-c: JP1944-RIPE
    > nic-hdl: NARA1-RIPE
    > notify: ip-admin@akamai.com
    > changed: ip-admin@akamai.com 20021025
    > source: RIPE
    > person: Noam Freedman
    > address: Akamai Technologies
    > address: 500 Technology Sq
    > address: Cambridge, MA 02139
    > phone: +1 617 250 4768
    > e-mail: noam@akamai.com
    > nic-hdl: NF1714-RIPE
    > notify: noam@akamai.com
    > changed: noam@akamai.com 20021025
    > source: RIPE
    > [End of Data]
    >
    >
    > The scan seems to be looking for:
    > ansys-lm - ANSYS-License manager for port 1800
    > concomp1 - ConComp1 for port 1802
    >
    > According to this: http://aaron.boim.com/unix/sshTunnel.html , it may
    > be a scan for an open proxy used for SSH? I dunno.
    >
    > I'm not familiar with these services (nor am I running them). I did
    > not have any browser windows open at the time of the scan. So, out of
    > nowhere, why would an Akamai box scan me for these services? Is
    > anybody else getting this kind of traffic?
    >
    >
    >


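As an added illustration (not part of either poster's message), here is a small triage script that parses the router log format quoted above and applies the distinction Ed draws: a fixed source port 80 toward a couple of ephemeral ports looks like a web server's return traffic, whereas a sweep across many low ports from varying source ports looks like a scan. The sample lines are constructed (the second source, 192.0.2.10, is made up to exercise the scan branch), and either verdict still needs the TCP flags confirmed with a capture, since this log format omits them.

```python
import re

# Constructed sample in the router log format quoted in the thread (destination
# octets masked as in the original post), plus one made-up source (192.0.2.10)
# that sweeps several low ports so the other branch of the triage is exercised.
SAMPLE_LOG = """\
12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:04:50.236 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:04:42.705 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:41.757 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:10:01.000 - 192.0.2.10 : 41337 >>> xx.xxx.xxx.xxx : 21
12/28/2003 13:10:01.050 - 192.0.2.10 : 41338 >>> xx.xxx.xxx.xxx : 22
12/28/2003 13:10:01.100 - 192.0.2.10 : 41339 >>> xx.xxx.xxx.xxx : 23
12/28/2003 13:10:01.150 - 192.0.2.10 : 41340 >>> xx.xxx.xxx.xxx : 80
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) - (?P<src>\S+) : (?P<sport>\d+) >>> "
    r"(?P<dst>\S+) : (?P<dport>\d+)$"
)
WELL_KNOWN_WEB = {80, 443}   # source ports a web server's replies come from

def parse_log(text):
    """Parse 'src : sport >>> dst : dport' lines; skip anything that doesn't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return events

def triage(events):
    """Group events by source and label the pattern. A fixed web-server source
    port hitting a few ephemeral (>=1024) destination ports is what return
    traffic to a client looks like; many distinct destination ports from varying
    source ports is what a sweep looks like. Neither verdict is final without
    the TCP flags (SYN vs ACK), which this log format does not record."""
    by_src = {}
    for src, sport, _dst, dport in events:
        s = by_src.setdefault(src, {"sports": set(), "dports": set(), "count": 0})
        s["sports"].add(sport); s["dports"].add(dport); s["count"] += 1
    for s in by_src.values():
        ephemeral_only = all(p >= 1024 for p in s["dports"])
        if s["sports"] <= WELL_KNOWN_WEB and ephemeral_only and len(s["dports"]) <= 4:
            s["verdict"] = "likely-return-traffic"
        else:
            s["verdict"] = "possible-scan"
        s["needs_flags"] = True  # confirm with tcpdump/snort before concluding
    return by_src

if __name__ == "__main__":
    for src, s in triage(parse_log(SAMPLE_LOG)).items():
        print(src, s["verdict"], sorted(s["dports"]), s["count"])
```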
