You are not logged in.

#1 2005-08-19 03:24:30

sullivanva
Member
From: Herndon, VA USA
Registered: 2005-07-21
Posts: 126

slow portscan?

I seem to be getting hit with a very slow portscanner.

Time:Aug 10 22:20:37 Direction: Unknown In:eth0 Out: Port:32894 Source:168.95.192.1 Destination:192.168.0.101 Length:79
TOS:0x00 Protocol:UDP Service:Sun-RPC portmap
Time:Aug 11 00:14:41 Direction: Unknown In:eth0 Out: Port:32939 Source:168.95.192.1 Destination:192.168.0.101 Length:178 TOS:0x00 Protocol:UDP Service:Unknown
Time:Aug 11 18:45:50 Direction: Unknown In:eth0 Out: Port:32989 Source:168.95.192.1 Destination:192.168.0.101 Length:148 TOS:0x00 Protocol:UDP Service:Unknown
Time:Aug 12 10:08:56 Direction: Unknown In:eth0 Out: Port:33160 Source:168.95.192.1 Destination:192.168.0.101 Length:183 TOS:0x00 Protocol:UDP Service:Unknown

And a little while later.

Time:Aug 17 22:34:14 Direction: Unknown In:eth0 Out: Port:33855 Source:168.95.192.1 Destination:192.168.0.101 Length:56
TOS:0x00 Protocol:UDP Service:Unknown
Time:Aug 18 19:57:20 Direction: Unknown In:eth0 Out: Port:33909 Source:168.95.192.1 Destination:192.168.0.101 Length:312 TOS:0x00 Protocol:UDP Service:Unknown
Time:Aug 18 20:43:19 Direction: Unknown In:eth0 Out: Port:33921 Source:168.95.192.1 Destination:192.168.0.101 Length:197 TOS:0x00 Protocol:UDP Service:Unknown
Time:Aug 18 20:52:32 Direction: Unknown In:eth0 Out: Port:33923 Source:168.95.192.1 Destination:192.168.0.101 Length:248 TOS:0x00 Protocol:UDP Service:Unknown
Time:Aug 18 22:01:54 Direction: Unknown In:eth0 Out: Port:34047 Source:168.95.192.1 Destination:192.168.0.101 Length:133 TOS:0x00 Protocol:UDP Service:Unknown
Time:Aug 18 22:32:32 Direction: Unknown In:eth0 Out: Port:34056 Source:168.95.192.1 Destination:192.168.0.101 Length:120 TOS:0x00 Protocol:UDP Service:Unknown

Suggestions?


--HAPS

Offline

#2 2005-08-19 03:58:22

grail
Member
Registered: 2005-02-22
Posts: 70

Re: slow portscan?

Not a lot you can do about slow port scans apart from block the source IP, if it bugs you, but if they really want to scan you they will no doubt do it from another IP. Id suggest logging it to see what they are trying do do if anything as these things often turn out to be misconfigured applications.

Offline

#3 2005-08-19 12:13:43

Kern
Member
From: UK
Registered: 2005-02-09
Posts: 464

Re: slow portscan?

suggestions ?

go to grc.com and find shieldsup page.

scan yourself, and if you aren't fully "stealthed" have a tinker with your firewall/router rules.

any incoming packets that aren't associated with a program you are running, should be dropped.

It's likely that the above scan is set up to scan a large range of IP address blocks looking for ports that can be used to forward traffic like a proxy for masking a spammers  address. Hence it appears to be slow from your point of view..
It's also likely that the scanning address too has also been hijacked.

As Grail suggested, maybe its a misconfigured app, altho i cant think of one that would do such a slow scan across such a range.

regardless of what or why, take it as a wake up call to overhaul how your firewall/router handles things. Can't be too careful.

hth

Offline

#4 2005-08-27 04:35:52

iBertus
Member
From: Greenville, NC
Registered: 2004-11-04
Posts: 2,228

Re: slow portscan?

It's almost impossible to avoid this sort of thing when hooked up to the wire nowaday. If you're confident that your firewall is not allowing connections to any ports then you probably don't have anything to worry about. If this is a production box that makes you money maybe worry more. big_smile

Offline

#5 2005-08-27 14:41:09

sullivanva
Member
From: Herndon, VA USA
Registered: 2005-07-21
Posts: 126

Re: slow portscan?

On and on it goes ...

Time:Aug 24 19:53:56 Direction: Unknown In:eth0 Out: Port:34609 Source:168.95.192.1 Destination:192.168.0.101 Length:220 TOS:0x00 Protocol:UDP Service:Unknown
Time:Aug 24 22:23:31 Direction: Unknown In:eth0 Out: Port:34662 Source:168.95.192.1 Destination:192.168.0.101 Length:485 TOS:0x00 Protocol:UDP Service:Unknown
Time:Aug 24 22:55:28 Direction: Unknown In:eth0 Out: Port:34683 Source:168.95.192.1 Destination:192.168.0.101 Length:150 TOS:0x00 Protocol:UDP Service:Unknown
Time:Aug 25 21:13:54 Direction: Unknown In:eth0 Out: Port:34736 Source:168.95.192.1 Destination:192.168.0.101 Length:296 TOS:0x00 Protocol:UDP Service:Unknown
Time:Aug 25 21:44:33 Direction: Unknown In:eth0 Out: Port:34774 Source:168.95.192.1 Destination:192.168.0.101 Length:277 TOS:0x00 Protocol:UDP Service:Unknown
Time:Aug 25 22:16:01 Direction: Unknown In:eth0 Out: Port:34791 Source:168.95.192.1 Destination:192.168.0.101 Length:298 TOS:0x00 Protocol:UDP Service:Unknown
Time:Aug 26 22:34:39 Direction: Unknown In:eth0 Out: Port:34891 Source:168.95.192.1 Destination:192.168.0.101 Length:172 TOS:0x00 Protocol:UDP Service:Unknown
Time:Aug 26 23:37:36 Direction: Unknown In:eth0 Out: Port:34903 Source:168.95.192.1 Destination:192.168.0.101 Length:144 TOS:0x00 Protocol:UDP Service:Unknown


--HAPS

Offline

#6 2005-08-28 23:38:23

Snowman
Developer/Forum Fellow
From: Montreal, Canada
Registered: 2004-08-20
Posts: 5,212

Re: slow portscan?

Out of curiosity, in what log file the above  portscanning info would be. I tried grepping my /var/log but couldn't find anything.

Offline

#7 2005-08-29 04:09:20

sullivanva
Member
From: Herndon, VA USA
Registered: 2005-07-21
Posts: 126

Re: slow portscan?

jackmetal posted a question about Firestarter a while ago, and there is some issue with it finding the proper log files.

murkus and idaho45 gave me the following command:

gconftool-2 --set --type string /apps/firestarter/client/system_log /var/log/iptables.log

which is a long answer to a short question


--HAPS

Offline

#8 2005-08-29 04:23:21

Snowman
Developer/Forum Fellow
From: Montreal, Canada
Registered: 2004-08-20
Posts: 5,212

Re: slow portscan?

Thanks for the answer.  I don't use iptables as I don't run any server.  That's why grepping didn't work. wink

Offline

Board footer

Powered by FluxBB