Re: TCP Scan by Google machine?

From: Michael Fuhr (mfuhr_at_fuhr.org)
Date: 01/07/05

• Next message: dak: "Re: trojan horse attack"
• Previous message: Jason Edwards: "Re: trojan horse attack"
• In reply to: Documatrix: "TCP Scan by Google machine?"
• Next in thread: Documatrix: "Re: TCP Scan by Google machine?"
• Reply: Documatrix: "Re: TCP Scan by Google machine?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: 7 Jan 2005 13:26:39 -0700

"Documatrix" <florrie@casualsailor.com> writes:

> I've been playing around with OnlineEye Pro today and its Network
> Traffic Monitor has been logging attempts by a Google machine (verified
> by WhoIs) to access TCP ports on my home Windows XP laptop. (It's up to
> the 4100's now.)

What are the source ports on Google's side? If the connections
have a source port of 80 then the "attempts" might simply be packets
that belong to old HTTP connections you made to Google. Does the
monitor log TCP flags like SYN, ACK, FIN, RST, etc.? If so, what
are they?

Another possibility is that somebody's running a port scan by
exploiting a Google service that proxies connections. Hopefully
Google has taken steps to prevent such abuse, but somebody might
have found a way. Their translation service, for example, appears
to allow only certain ports in the URLs it accepts.

> Why would a Google machine do this? I'm running Google Desktop Search
> and the Google Toolbar, but this hardly seems provocative.

I don't know how these work so I don't know if they could be
responsible. If the "attempts" your monitor logs are just packets
that are part of an old connection, then I suppose these services
could have initiated those connections.

-- 
Michael Fuhr
http://www.fuhr.org/~mfuhr/

---

• Next message: dak: "Re: trojan horse attack"
• Previous message: Jason Edwards: "Re: trojan horse attack"
• In reply to: Documatrix: "TCP Scan by Google machine?"
• Next in thread: Documatrix: "Re: TCP Scan by Google machine?"
• Reply: Documatrix: "Re: TCP Scan by Google machine?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Vista Hacked ... attempting to connect multiple times a day to numerous ... google.com ip addresses across a wide viriety of ports in the 45000's. ... If you have Google toolbar or update manager installed then random connections to google will happen, otherwise I am not sure what the connection would be between google and some alleged hacker. ... (microsoft.public.windows.vista.performance_maintenance) Re: XP security issue... ... using X-nestat to monitor all realtime TCP connections... ... from ports 4150, 4151,4152 etc to another destination IP address ... (Security-Basics) re: In my personal opinion zonealarm is not so good ... >I can't monitor the processes using zonelalarm, ... >and which ports they are in the state. ... >the connections that is active.It also displays the ... (microsoft.public.security) Re: USB 2.0 Mouse ???? ... For one thing, I don't actually HAVE an 8-channel 96 kHz USB interface at the moment. ... different ports. ... port_ and recognized it on subsequent connections. ... I'm not sure I'm correctly interpreting what I've been reading since my first post, but it seems that modern USB controllers, identified in the Device Manager as "Enhanced USB Controller," actually have two devices to interface with the connector. ... (rec.audio.pro) troubles defining firewall policies ... restricting high ports. ... I use RH 7.3 and my eth0 interfase is part of the class C network ... use the linux machine as their gateways so all the network traffic is ... Grant incoming connections for every IP of my network ... (RedHat)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.security.firewalls  > 2005-01