RE: Outbound Port scans, ports 3800+
From: some guy (someguy_555_at_hotmail.com)
Date: 08/21/03
- Previous message: Hui, Roy: "RE: Windows Security Templates"
- Maybe in reply to: Dean Saxe: "Outbound Port scans, ports 3800+"
- Next in thread: -SIMON-: "ANVIL FCS (A new IDS + Forensic Collection System)"
- Reply: -SIMON-: "ANVIL FCS (A new IDS + Forensic Collection System)"
To: chris.meidinger@badenit.de, Dean.Saxe@magnetbanking.com, security-basics@securityfocus.com
Date: Wed, 20 Aug 2003 23:26:40 +0000
Hey,
I have had a situation like this before. For me it was the case that my
firewall wasn't tracking connections properly (stateful tracking?), and
hence it was resending data on various ports trying to get through, but it
was being blocked. In my case it was DNS requests that were not getting
through. I guess you should check on the computers that are getting scanned
whether any internet service is not working and also have a look at the
actual data contained in the rejected packets.
Hope that helps.
-Scott
>From: Meidinger Chris <chris.meidinger@badenit.de>
>To: 'Dean Saxe' <Dean.Saxe@magnetbanking.com>, security-basics@securityfocus.com
>Subject: RE: Outbound Port scans, ports 3800+
>Date: Wed, 20 Aug 2003 10:17:39 +0100
>
>Can you find the process that is doing the scanning, i.e. owns the local
>ports?
>
>badenIT GmbH
>System Support
>
>Chris Meidinger
>Tullastrasse 70
>79108 Freiburg
>
>
>-----Original Message-----
>From: Dean Saxe [mailto:Dean.Saxe@magnetbanking.com]
>Sent: Tuesday, August 19, 2003 9:08 PM
>To: security-basics@securityfocus.com
>Subject: Outbound Port scans, ports 3800+
>
>
>I have a server which has recently started scanning two IP addresses on
>ports 3800 and higher. I can find no information online regarding any
>worms or any malware which may be causing these port scans to occur. Is
>anyone aware of what may be causing this behavior?
>
>Thanks in advance for your help.
>
>-dhs
>
>
>Dean H. Saxe
>Senior Software Engineer
>Web Application Security Team Lead
>Magnet Communications
>Dean.Saxe@magnetbanking.com
>404.592.8515
>
---------------------------------------------------------------------------
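Added example (not part of the original thread, and not code from any of its posters): one way to act on the advice above to look at the rejected packets, by grouping firewall reject-log lines per source/destination pair and checking which side's port is changing. The log lines are constructed in an iptables-LOG-style key=value format, and the function name triage, the three-packet threshold and the verdict labels are assumptions made for this illustration; reading a single fixed source port as "service replies" is a heuristic, not a finding from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of rejected-packet log lines (iptables-LOG-style key=value
# fields; addresses are documentation ranges, not taken from the thread).
SAMPLE_LOG = """\
REJECT SRC=10.0.0.5 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=3801
REJECT SRC=10.0.0.5 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=3802
REJECT SRC=10.0.0.5 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=3805
REJECT SRC=10.0.0.7 DST=198.51.100.2 PROTO=UDP SPT=1040 DPT=53
REJECT SRC=10.0.0.7 DST=198.51.100.2 PROTO=UDP SPT=1041 DPT=53
REJECT SRC=10.0.0.7 DST=198.51.100.2 PROTO=UDP SPT=1042 DPT=53
REJECT SRC=10.0.0.9 DST=203.0.113.4 PROTO=TCP SPT=4100 DPT=3800
REJECT SRC=10.0.0.9 DST=203.0.113.4 PROTO=TCP SPT=4101 DPT=3801
REJECT SRC=10.0.0.9 DST=203.0.113.4 PROTO=TCP SPT=4102 DPT=3802
"""

FIELD = re.compile(r"(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def triage(log_text, min_packets=3):
    """Group rejected packets by (src, dst, proto) and label each group."""
    flows = defaultdict(lambda: {"spt": set(), "dpt": set(), "count": 0})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if len(f) < 5:
            continue  # skip lines missing any of the five fields
        flow = flows[(f["SRC"], f["DST"], f["PROTO"])]
        flow["spt"].add(int(f["SPT"]))
        flow["dpt"].add(int(f["DPT"]))
        flow["count"] += 1

    verdicts = {}
    for key, flow in flows.items():
        if flow["count"] < min_packets:
            verdicts[key] = "too-few-packets"
        elif len(flow["spt"]) == 1 and len(flow["dpt"]) > 1:
            # One fixed local port sending to many remote ports: looks like
            # service replies the firewall no longer matches to a connection.
            verdicts[key] = "replies-from-one-local-port"
        elif len(flow["dpt"]) == 1:
            # Fresh source port each time, same service port: retried requests.
            verdicts[key] = "retries-to-one-service"
        else:
            verdicts[key] = "many-ports-both-sides: find the owning process"
    return verdicts

if __name__ == "__main__":
    for flow, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(flow, "->", verdict)
```

Only the last verdict leaves the scan question open; that is where identifying the process that owns the local ports, as asked in the quoted reply, becomes the next step.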