Re: false portscan alarm



On Wed, 18 Oct 2006 08:41:04 +0100, "Spack" <news@xxxxxxxxxxxxxxxx>
wrote:

On Tue, 17 Oct 2006 13:23:40 +0200, mikahan wrote:
I regularly receive notifications from my personal firewall about port
scanning made by www.microsoft.com. This is the information from my log:

2006-09-12 09:20 port scan from 207.46.18.30 TCP (1700, 1730, 1734,
1733, 1168, 1165)

207.46.18.30 is wwwbaytest5.microsoft.com

Which is just one of a large cluster of servers running www.microsoft.com.

Does it mean that Microsoft is trying to hack me? :-)
What is the reason for that traffic?

Looking up those ports at
http://isc.sans.org/port_details.php?port=1730 (example)
would seem to indicate wwwbaytest5.microsoft.com has some malware
hunting for more exploitable systems.

Or those packets are simply responses to connections initiated from the user
end and closed prematurely. For instance, the user opened a browser to
www.microsoft.com, and it took a while for the MS server to respond, and the
browser and/or the "personal firewall" had decided to close those ports
prematurely. Each of those "port scans" could be a response to a request for
various files used by a web page - images, scripts, etc - which each have a
local source port above 1024 opened outgoing to port 80 on the web server,
so the response data will come back to those source ports.

This is just the usual sort of completely harmless and normal activity that
these so-called "personal firewalls" like to warn people about when there is
absolutely no reason to. It breeds fear in the computer illiterate,
encouraging them to spend money on more "personal security" products, which
is probably one of the reasons that these "personal firewalls" spew this
rubbish.

I would disagree with your explanation since I have no firewall, and
don't connect to MS, and yesterday I was receiving UDP packets from
the same range of addresses (207.46.18.xx). Today I have received UDP
packets from 204.16.208.74.

Either the explanation that 'wwwbaytest5.microsoft.com has some
malware hunting for more exploitable systems' is correct, or they have
managed to spoof the IP address.

Geo
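
The reply-versus-scan distinction argued over in this thread, as an added example that is not part of any poster's message: a stateless "many ports from one source" rule is compared with a rule that first checks whether each inbound TCP packet mirrors a recent outbound connection. The local and second remote address, the event tuples, the grace window and the threshold are constructed assumptions; only 207.46.18.30 and the six port numbers come from the quoted log.

```python
from collections import defaultdict

GRACE = 120      # assumed: seconds an outbound flow is remembered
SCAN_PORTS = 5   # assumed: distinct ports from one source that count as a scan

LOCAL, OTHER = "192.0.2.10", "198.51.100.7"   # constructed addresses
WEB = "207.46.18.30"                          # address from the quoted log
PORTS = (1700, 1730, 1734, 1733, 1168, 1165)  # ports from the quoted log

# Constructed events: (time_s, direction, src_ip, src_port, dst_ip, dst_port)
EVENTS = (
    [(i, "out", LOCAL, p, WEB, 80) for i, p in enumerate(PORTS)]
    + [(30 + i, "in", WEB, 80, LOCAL, p) for i, p in enumerate(PORTS)]
    + [(40 + i, "in", OTHER, 4000 + i, LOCAL, p)
       for i, p in enumerate((21, 22, 23, 25, 80, 443))]
)


def naive_scanners(events, threshold=SCAN_PORTS):
    """Stateless rule: many distinct local ports hit by one source."""
    hit = defaultdict(set)
    for _, direction, sip, _, _, dport in events:
        if direction == "in":
            hit[sip].add(dport)
    return {ip for ip, ports in hit.items() if len(ports) >= threshold}


def classify(events, grace=GRACE, threshold=SCAN_PORTS):
    """Stateful rule: ignore inbound packets that mirror a recent outbound flow."""
    last_out = {}                 # (local_ip, lport, remote_ip, rport) -> time
    late, unsolicited = defaultdict(set), defaultdict(set)
    for t, direction, sip, sport, dip, dport in sorted(events):
        if direction == "out":
            last_out[(sip, sport, dip, dport)] = t
            continue
        seen = last_out.get((dip, dport, sip, sport))
        if seen is not None and t - seen <= grace:
            late[sip].add(dport)          # reply to a connection we opened
        else:
            unsolicited[sip].add(dport)   # nothing outbound explains it
    scanners = {ip for ip, p in unsolicited.items() if len(p) >= threshold}
    return dict(late), dict(unsolicited), scanners


if __name__ == "__main__":
    print("stateless:", sorted(naive_scanners(EVENTS)))
    print("stateful :", sorted(classify(EVENTS)[2]))
    print("10s state:", sorted(classify(EVENTS, grace=10)[2]))
```

Shrinking the grace window to 10 seconds makes the stateful rule flag the web server again, which is the "closed prematurely" case described in the quoted reply. It does not cover the UDP traffic reported in the last message, where no outbound flow exists to match against.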

