Re: false portscan alarm



Bit wrote on Tue, 17 Oct 2006 09:58:38 -0500:

On Tue, 17 Oct 2006 13:23:40 +0200, mikahan wrote:
I receive regularly notification from my personal firewall about port
scanning made by www.microsoft.com. This is the information from my log

no, microsoft.com is 207.46.130.108/207.46.250.119

2006-09-12 09:20 port scan from 207.46.18.30 TCP (1700, 1730, 1734,
1733, 1168, 1165)
2006-09-12 09:20 port scan from 207.46.18.30 TCP (2054, 2060, 2056,
2052, 2058, 2050)

207.46.18.30 is wwwbaytest5.microsoft.com

Which is just one of a large cluster of servers running www.microsoft.com.

Does it mean that Microsoft tries to hack me? :-)
What is the reason for that traffic?

Looking up those ports at
http://isc.sans.org/port_details.php?port=1730 (example)

would seem to indicate wwwbaytest5.microsoft.com has some malware
hunting for more exploitable systems.

Or those packets are simply responses to connections initiated from the user
end and closed prematurely. For instance, the user opened a browser to
www.microsoft.com, and it took a while for the MS server to respond, and the
browser and/or the "personal firewall" had decided to close those ports
prematurely. Each of those "port scans" could be a response to a request for
various files used by a web page - images, scripts, etc - which each have a
local source port above 1024 opened outgoing to port 80 on the web server,
so the response data will come back to those source ports.

This is just the usual sort of completely harmless and normal activity that
these so called "personal firewalls" like to warn people about when there is
absolutely no reason to. It breeds fear in the computer illiterate,
encouraging them to spend money on more "personal security" products, which
is probably one of the reasons that these "personal firewalls" spew this
rubbish.

Dan
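
The correlation described in the reply above, as an added example that is not part of the original thread: it parses the alert lines quoted in the post and checks whether every flagged port was a local source port recently used for an outbound connection to the same host. The outbound-connection records, their field names, the five-minute window and the third alert (from documentation address 192.0.2.77) are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Alert format as quoted in the post.
ALERT_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) port scan from (\S+) TCP \(([\d,\s]+)\)")

def parse_alerts(text):
    """Return (time, remote_ip, [local ports]) for each alert in the log."""
    text = " ".join(text.split())  # undo line wrapping inside the port lists
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), ip,
             [int(p) for p in ports.split(",")])
            for ts, ip, ports in ALERT_RE.findall(text)]

def classify(alert, outbound, window=timedelta(minutes=5)):
    """Compare flagged ports with source ports we recently used toward that host."""
    ts, ip, ports = alert
    ours = {c["lport"] for c in outbound
            if c["raddr"] == ip and timedelta(0) <= ts - c["time"] <= window}
    matched = sum(p in ours for p in ports)
    if matched == len(ports):
        return "late replies"   # every port was our own ephemeral source port
    return "mixed" if matched else "unsolicited"

# First two alerts are the ones from the post; the third is constructed.
ALERTS = """\
2006-09-12 09:20 port scan from 207.46.18.30 TCP (1700, 1730, 1734,
1733, 1168, 1165)
2006-09-12 09:20 port scan from 207.46.18.30 TCP (2054, 2060, 2056,
2052, 2058, 2050)
2006-09-12 09:25 port scan from 192.0.2.77 TCP (21, 23, 135, 445)
"""

# Constructed outbound-connection records (hypothetical schema): the browser
# fetching page objects from port 80 one minute before the alerts.
OUTBOUND = [{"time": datetime(2006, 9, 12, 9, 19), "lport": p,
             "raddr": "207.46.18.30", "rport": 80}
            for p in (1700, 1730, 1734, 1733, 1168, 1165,
                      2054, 2060, 2056, 2052, 2058, 2050)]

def triage(log=ALERTS, outbound=OUTBOUND):
    """Return (remote_ip, verdict) for every alert in the log."""
    return [(ip, classify((ts, ip, ports), outbound))
            for ts, ip, ports in parse_alerts(log)]

if __name__ == "__main__":
    for ip, verdict in triage():
        print(ip, verdict)
```

An alert labelled "unsolicited" has no matching outbound connection in the window and is the kind that deserves a closer look; "late replies" matches the explanation given in the post.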

