RE: Outbound Port scans, ports 3800+

From: some guy (someguy_555_at_hotmail.com)
Date: 08/21/03

  • Next message: Schneider Sebastian: "Re: Network scanning: Continued (newbie)"
    To: chris.meidinger@badenit.de, Dean.Saxe@magnetbanking.com, security-basics@securityfocus.com
    Date: Wed, 20 Aug 2003 23:26:40 +0000
    
    

    Hey,
    I have had a situation like this before. For me it was the case that my
    firewall wasn't tracking connections properly (stateful tracking?), and
    hence it was resending data on various ports trying to get through, but it
    was being blocked. In my case it was DNS requests that were not getting
    through. I guess you should check on the computers that are getting scanned
    whether any internet service is not working and also have a look at the
    actual data contained in the rejected packets.
    Hope that helps.
    -Scott

    >From: Meidinger Chris <chris.meidinger@badenit.de>
    >To: 'Dean Saxe' <Dean.Saxe@magnetbanking.com>, security-basics@securityfocus.com
    >Subject: RE: Outbound Port scans, ports 3800+
    >Date: Wed, 20 Aug 2003 10:17:39 +0100
    >
    >Can you find the process that is doing the scanning, i.e. owns the local
    >ports?
    >
    >badenIT GmbH
    >System Support
    >
    >Chris Meidinger
    >Tullastrasse 70
    >79108 Freiburg
    >
    >
    >-----Original Message-----
    >From: Dean Saxe [mailto:Dean.Saxe@magnetbanking.com]
    >Sent: Tuesday, August 19, 2003 9:08 PM
    >To: security-basics@securityfocus.com
    >Subject: Outbound Port scans, ports 3800+
    >
    >
    >I have a server which has recently started scanning two IP addresses on
    >ports 3800 and higher. I can find no information online regarding any
    >worms or any malware which may be causing these port scans to occur. Is
    >anyone aware of what may be causing this behavior?
    >
    >Thanks in advance for your help.
    >
    >-dhs
    >
    >
    >Dean H. Saxe
    >Senior Software Engineer
    >Web Application Security Team Lead
    >Magnet Communications
    >Dean.Saxe@magnetbanking.com
    >404.592.8515
    >

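One way to act on the suggestion above to look at the rejected packets themselves is to check, per destination, which port stays constant in the firewall's deny log. This is an added example, not part of the original thread; the log format, the addresses and the `classify` function are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of firewall deny-log lines (simplified key=value format,
# not the output of any particular product). 10.0.0.5 is the "scanning" server.
SAMPLE_LOG = """\
DENY OUT SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=3801 FLAGS=ACK,PSH
DENY OUT SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=3802 FLAGS=ACK
DENY OUT SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=3805 FLAGS=ACK,FIN
DENY OUT SRC=10.0.0.5 DST=198.51.100.7 PROTO=UDP SPT=3810 DPT=53 FLAGS=-
DENY OUT SRC=10.0.0.5 DST=198.51.100.7 PROTO=UDP SPT=3811 DPT=53 FLAGS=-
DENY OUT SRC=10.0.0.5 DST=198.51.100.7 PROTO=UDP SPT=3812 DPT=53 FLAGS=-
DENY OUT SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=41000 DPT=3800 FLAGS=SYN
DENY OUT SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=41001 DPT=3801 FLAGS=SYN
DENY OUT SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=41002 DPT=3802 FLAGS=SYN
"""
FIELD = re.compile(r"(\w+)=(\S+)")

def classify(log_text, min_packets=3):
    """Label each (source, destination) pair by which port stays constant."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if {"SRC", "DST", "SPT", "DPT"} <= f.keys():
            flows[(f["SRC"], f["DST"])].append(f)
    verdicts = {}
    for pair, pkts in flows.items():
        if len(pkts) < min_packets:
            verdicts[pair] = "too few packets"
            continue
        sports = {p["SPT"] for p in pkts}
        dports = {p["DPT"] for p in pkts}
        bare_syn = all(p.get("FLAGS") == "SYN" for p in pkts)
        if len(sports) == 1 and len(dports) > 1 and not bare_syn:
            # One local port answering many remote ports: replies from a
            # local service that the firewall no longer matches to a session.
            verdicts[pair] = "dropped replies from local port " + sports.pop()
        elif len(dports) == 1 and len(sports) > 1:
            # Many local ports toward one remote service: a client retrying.
            verdicts[pair] = "retried requests to remote port " + dports.pop()
        elif len(dports) > 1 and bare_syn:
            verdicts[pair] = "new connection attempts to many ports (scan-like)"
        else:
            verdicts[pair] = "unclassified"
    return verdicts

if __name__ == "__main__":
    for pair, verdict in classify(SAMPLE_LOG).items():
        print(pair, "->", verdict)
```

Only the last pattern resembles a scan; the first two are the kind of blocked-but-legitimate traffic described in the reply, where high port numbers show up because they are ephemeral ports.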

