Security Incidents mailing list archives
Re: port scans from local workstation
From: Fernando Cardoso <fernando () BN PT>
Date: Thu, 14 Sep 2000 14:27:23 +0100
Hello all, recently I have noticed scanlogd entries in my logs regarding port scans from one of my local NT workstations. The scans seem very very random in the sense that it happens during random times of the day and scans random ports. Any ideas??? I have checked the NT machine for Trojans and viruses and have come up clean. There is nothing running that should be doing this and it just started about a month ago. I have also seen scans from other local addresses just like this. What do the flags mean?

Sep 12 10:03:25 ns1 scanlogd: From 206.230.66.33 to 206.230.66.1 ports 6128, 11141, 58831, 27971, 52226, 5659, 14038, 43201, 1448, ..., flags ??rp?u, TOS
[...]

Hi

I'm not familiar with scanlogd format but the flags surely mean TCP flags. In this case RST, PSH and URG are set. This seems to be some sort of Xmas scan like the one nmap implements, although, in that case, FIN, URG and PSH should be the flags in use.

Did you check running processes with a tool like inzider (the lsof of NT world...)? Grab it at http://ntsecurity.nu/toolbox/inzider/

Fernando
_________________________________________________________
Fernando Cardoso            Phone: +351 21 7982186
Network Administrator       Fax: +351 21 7982185
National Library            E-mail: fernando () bn pt
Portugal                    PGP ID: 28551CB8
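The flags field from the log line in the question, decoded in an added example that is not part of either poster's message. It assumes scanlogd's documented notation: positions are FIN, SYN, RST, PSH, ACK, URG in that order, a lowercase letter means the bit was clear in every packet, an uppercase letter means it was set in every packet, and `?` means it changed between packets. The second sample line is constructed, and the function names are this example's own.

```python
import re

# Bit order of scanlogd's "flags" field. Older releases print the six classic
# TCP bits; later ones append two more positions (x, y).
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "X", "Y"]
FLAG_LETTERS = "fsrpauxy"

LINE_RE = re.compile(
    r"scanlogd: From (?P<src>\S+) to (?P<dst>\S+) ports (?P<ports>.*?), "
    r"flags (?P<flags>[A-Za-z?]{6,8})"
)

def decode_flags(field):
    """Sort each bit into always set, always clear, or varied across packets."""
    result = {"set": [], "clear": [], "varied": []}
    for pos, ch in enumerate(field):
        name = FLAG_NAMES[pos]
        if ch == "?":
            result["varied"].append(name)
        elif ch.lower() != FLAG_LETTERS[pos]:
            raise ValueError(f"unexpected {ch!r} at position {pos}")
        elif ch.isupper():
            result["set"].append(name)
        else:
            result["clear"].append(name)
    return result

def parse_line(line):
    """Return source, destination, listed ports and decoded flags, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ports = [int(p) for p in re.findall(r"\d+", m.group("ports"))]
    return {"src": m.group("src"), "dst": m.group("dst"),
            "ports": ports, "flags": decode_flags(m.group("flags"))}

# Log line exactly as quoted in the thread (it is cut off after "TOS").
PAGE_LINE = ("Sep 12 10:03:25 ns1 scanlogd: From 206.230.66.33 to 206.230.66.1 "
             "ports 6128, 11141, 58831, 27971, 52226, 5659, 14038, 43201, 1448, "
             "..., flags ??rp?u, TOS")
# Constructed line: what a plain SYN scan looks like in the same notation.
CONSTRUCTED_LINE = ("Sep 12 10:05:00 ns1 scanlogd: From 192.0.2.10 to 192.0.2.1 "
                    "ports 21, 22, 23, 25, 80, ..., flags fSrpau, TOS 00, TTL 64")

if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        print(parse_line(line))
```

Under that notation the thread's `??rp?u` reads as RST, PSH and URG clear in every logged packet, with FIN, SYN and ACK varying from packet to packet.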
Current thread:
- port scans from local workstation Infrastructure Dept. (Sep 13)
- <Possible follow-ups>
- port scans from local workstation Infrastructure Dept. (Sep 14)
- Re: port scans from local workstation Fernando Cardoso (Sep 14)
- Re: port scans from local workstation Bill Royds (Sep 14)