Re: TCP Scan by Google machine?

From: Michael Fuhr (mfuhr_at_fuhr.org)
Date: 01/07/05


Date: 7 Jan 2005 13:26:39 -0700


"Documatrix" <florrie@casualsailor.com> writes:

> I've been playing around with OnlineEye Pro today and its Network
> Traffic Monitor has been logging attempts by a Google machine (verified
> by WhoIs) to access TCP ports on my home Windows XP laptop. (It's up to
> the 4100's now.)

What are the source ports on Google's side? If the connections
have a source port of 80 then the "attempts" might simply be packets
that belong to old HTTP connections you made to Google. Does the
monitor log TCP flags like SYN, ACK, FIN, RST, etc.? If so, what
are they?

Another possibility is that somebody's running a port scan by
exploiting a Google service that proxies connections. Hopefully
Google has taken steps to prevent such abuse, but somebody might
have found a way. Their translation service, for example, appears
to allow only certain ports in the URLs it accepts.

> Why would a Google machine do this? I'm running Google Desktop Search
> and the Google Toolbar, but this hardly seems provocative.

I don't know how these work so I don't know if they could be
responsible. If the "attempts" your monitor logs are just packets
that are part of an old connection, then I suppose these services
could have initiated those connections.

-- 
Michael Fuhr
http://www.fuhr.org/~mfuhr/


Relevant Pages

  • Re: Vista Hacked
    ... attempting to connect multiple times a day to numerous ... google.com ip addresses across a wide viriety of ports in the 45000's. ... If you have Google toolbar or update manager installed then random connections to google will happen, otherwise I am not sure what the connection would be between google and some alleged hacker. ...
    (microsoft.public.windows.vista.performance_maintenance)
  • Re: XP security issue...
    ... using X-nestat to monitor all realtime TCP connections... ... from ports 4150, 4151,4152 etc to another destination IP address ...
    (Security-Basics)
  • Re: Allow new incoming connection?
    ... establishing NEW connections from google on high ... To or from google? ... I mean distinguishing high ports from low ports for this purpose seems ... I just don't know if it matters when the incoming ...
    (comp.os.linux.security)
  • Re: Allow new incoming connection?
    ... "high" ports. ... connections where both source and destination ports are high, ... To or from google? ... I think allowing incoming connections requires justification, ...
    (comp.os.linux.security)
  • re: In my personal opinion zonealarm is not so good
    ... >I can't monitor the processes using zonelalarm, ... >and which ports they are in the state. ... >the connections that is active.It also displays the ...
    (microsoft.public.security)