Repeated Port Scan

compguruman_at_mail.comcast.net
Date: 06/25/03

    Date: Wed, 25 Jun 2003 17:30:47 -0400
    To: security-basics@securityfocus.com
    I've been getting port scans from the same IP address for 3 days. It is
    not scanning continuously but will usually scan me every 2 hours for a few
    hours. When I do a whois on the address it doesn't give much information
    on who to contact about abuse. I'm thinking that the computer scanning me
    has been compromised and is looking for other computers to infect. The
    source port is random but the local port is not. It scans to see if ports
    1075, 3128, 4588, 6588, and 8080 are open. I ran Retina against the
    machine and it's running a default install of Apache without much of
    anything configured. The sequence # of the packets is always 666666 and
    all have the SYN flag set. Does anybody know of any worms or Trojans that
    scan for these ports and have these features? Also, if whois doesn't give
    much information, how can I find out who to contact about this? I've
    attached some of the packets that I've captured, along with the whois
    information. Any help is appreciated.

    TIA
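As an added example (not part of the original post or its attachments), the following Python script applies the signature the poster describes (SYN-only packets with sequence number 666666 aimed at ports 1075, 3128, 4588, 6588 and 8080) to a few constructed log lines and reports sources that return in separate bursts, which is the "every 2 hours" pattern above. The log line format, the IP addresses and the one-hour burst gap are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Signature taken from the post: fixed target ports, constant sequence number, SYN only
SCANNED_PORTS = {1075, 3128, 4588, 6588, 8080}
FIXED_SEQ = 666666

def parse_line(line):
    """Parse one constructed log line: 'TIME SRC_IP:SRC_PORT -> DST_PORT flags=F seq=N'."""
    ts, src, _, dst_port, flags, seq = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "src_ip": src_ip,
        "src_port": int(src_port),
        "dst_port": int(dst_port),
        "flags": flags.split("=", 1)[1],
        "seq": int(seq.split("=", 1)[1]),
    }

def matches_signature(pkt):
    """True when a packet has exactly the traits the poster observed."""
    return pkt["flags"] == "S" and pkt["seq"] == FIXED_SEQ and pkt["dst_port"] in SCANNED_PORTS

def find_repeat_scanners(lines, min_bursts=2, gap=timedelta(hours=1)):
    """Group matching packets by source; a new burst starts after a quiet period longer than gap.
    Returns {src_ip: {"ports": set, "bursts": int}} for sources with >= min_bursts bursts."""
    hits = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if matches_signature(pkt):
            hits[pkt["src_ip"]].append(pkt)
    result = {}
    for ip, pkts in hits.items():
        pkts.sort(key=lambda p: p["ts"])
        bursts = 1 + sum(1 for a, b in zip(pkts, pkts[1:]) if b["ts"] - a["ts"] > gap)
        if bursts >= min_bursts:
            result[ip] = {"ports": {p["dst_port"] for p in pkts}, "bursts": bursts}
    return result

# Constructed sample log (documentation-range addresses, not real scanners)
SAMPLE_LOG = [
    "2003-06-23T10:00:01 192.0.2.10:41231 -> 1075 flags=S seq=666666",
    "2003-06-23T10:00:01 192.0.2.10:41232 -> 3128 flags=S seq=666666",
    "2003-06-23T10:00:02 192.0.2.10:41233 -> 8080 flags=S seq=666666",
    "2003-06-23T12:00:05 192.0.2.10:52110 -> 4588 flags=S seq=666666",
    "2003-06-23T12:00:05 192.0.2.10:52111 -> 6588 flags=S seq=666666",
    "2003-06-23T12:01:00 198.51.100.7:40001 -> 80 flags=S seq=1234567",   # ordinary SYN, no match
    "2003-06-23T12:02:00 198.51.100.7:40002 -> 8080 flags=S seq=666666",  # single hit, one burst only
]

if __name__ == "__main__":
    for ip, info in find_repeat_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {info['bursts']} bursts, ports {sorted(info['ports'])}")
```

The per-source output (source address, burst count, port set) is the material worth sending with an abuse report alongside the raw packets.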
