Re: false portscan alarm



GEO wrote on Wed, 18 Oct 2006 13:47:10 GMT:

On Wed, 18 Oct 2006 08:41:04 +0100, "Spack" <news@xxxxxxxxxxxxxxxx>
wrote:

On Tue, 17 Oct 2006 13:23:40 +0200, mikahan wrote:
I regularly receive notifications from my personal firewall about port
scanning made by www.microsoft.com. This is the information from my log:

2006-09-12 09:20 port scan from 207.46.18.30 TCP (1700, 1730, 1734,
1733, 1168, 1165)

207.46.18.30 is wwwbaytest5.microsoft.com

Which is just one of a large cluster of servers running
www.microsoft.com.

Does it mean that Microsoft is trying to hack me? :-)
What is the reason for that traffic?

Looking up those ports at
http://isc.sans.org/port_details.php?port=1730 (example)
would seem to indicate wwwbaytest5.microsoft.com has some malware
hunting for more exploitable systems.

Or those packets are simply responses to connections initiated from the
user end and closed prematurely. For instance, the user opened a browser
to www.microsoft.com, and it took a while for the MS server to respond,
and the browser and/or the "personal firewall" had decided to close those
ports prematurely. Each of those "port scans" could be a response to a
request for various files used by a web page - images, scripts, etc -
which each have a local source port above 1024 opened outgoing to port 80
on the web server, so the response data will come back to those source
ports.

This is just the usual sort of completely harmless and normal activity
that these so-called "personal firewalls" like to warn people about when
there is absolutely no reason to. It breeds fear in the computer
illiterate, encouraging them to spend money on more "personal security"
products, which is probably one of the reasons that these "personal
firewalls" spew this rubbish.

I would disagree with your explanation since I have no firewall, and
don't connect to MS, and yesterday I was receiving UDP packets from
the same range of addresses (207.46.18.xx). Today I have received UDP
packets from 204.16.208.74.

You have nothing connecting to MS at all? No Windows machine with automatic
updates enabled? No MSN Messenger? Windows Messenger? Looks like some recent
UDP packets from that IP have been MSN/Windows messenger spam (which is
possible as normal chat messages are sent via the MS Messenger proxy
servers, which this IP could also be a member of), but without more
information (like packet traces for instance) everything is just
speculation.

Dan
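
Added example, not part of the thread: one way to test the "late reply to a closed connection" explanation against a packet trace, by matching each alerted inbound packet to an outbound flow the host itself opened. The firewall log above gives only the remote IP and the local ports, so the remote source port 80, all timestamps, the 120-second grace window and the 192.0.2.10 probe are constructed assumptions.

```python
from dataclasses import dataclass

GRACE_SECONDS = 120  # assumed: how long after a local close a late reply is still plausible

@dataclass(frozen=True)
class Flow:            # an outbound connection this host opened (from a trace or netstat log)
    local_port: int
    remote_ip: str
    remote_port: int
    opened: float      # seconds, relative to start of capture
    closed: float

@dataclass(frozen=True)
class Packet:          # an inbound packet the firewall counted towards the "port scan"
    ts: float
    src_ip: str
    src_port: int
    dst_port: int

def classify(pkt, flows, grace=GRACE_SECONDS):
    """'late-reply' if pkt answers a flow this host opened, otherwise 'unsolicited'."""
    for f in flows:
        same_peer = (pkt.src_ip, pkt.src_port) == (f.remote_ip, f.remote_port)
        same_port = pkt.dst_port == f.local_port
        in_window = f.opened <= pkt.ts <= f.closed + grace
        if same_peer and same_port and in_window:
            return "late-reply"
    return "unsolicited"

def triage(packets, flows):
    """Count verdicts for every packet in one alert."""
    counts = {"late-reply": 0, "unsolicited": 0}
    for p in packets:
        counts[classify(p, flows)] += 1
    return counts

# Constructed sample data. Local ports and the server IP are taken from the log
# quoted in the thread; everything else is assumed for illustration.
PORTS = [1700, 1730, 1734, 1733, 1168, 1165]
FLOWS = [Flow(p, "207.46.18.30", 80, opened=0.0, closed=5.0) for p in PORTS]
ALERT = [Packet(20.0, "207.46.18.30", 80, p) for p in PORTS]
PROBE = Packet(20.0, "192.0.2.10", 40000, 445)  # no matching outbound flow

if __name__ == "__main__":
    print(triage(ALERT + [PROBE], FLOWS))
```

A packet that matches no flow, or arrives long after the grace window, stays "unsolicited" and is the part of an alert worth a closer look.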

