Security Incidents mailing list archives
Re: port scans from local workstation
From: Bill Royds <Bill_Royds () PCH GC CA>
Date: Thu, 14 Sep 2000 15:40:27 -0400
That would be the source trying to start an ftp-data session.

FTP data sessions are initiated by the server using source port 20 (or others) with the client listening on a high number port. Your IDS is not smart enough to know the FTP protocol and is catching these conversations. To avoid this, upgrade the IDS or ask the clients to use Passive FTP (turn the data around so client initiates and server listens).

"Infrastructure Dept." <infrastructure () narellan net> on 09/14/2000 09:17:40 AM

Please respond to infrastructure () narellan net

To: INCIDENTS () SECURITYFOCUS COM
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: port scans from local workstation

Follow up to my original post. I see these scans happening right after accountable FTP sessions. The scan appears to start about one minute after the FTP session is opened. This is happening from all my workstations and off site workstations using a mixture of FTP clients. What could be triggering this?

Aug 11 10:24:50 ns1 ftpd[644]: FTP LOGIN FROM 209.23.33.114 [209.23.33.114]
<SNIP>
Aug 11 10:25:40 ns1 scanlogd: From 209.23.33.114 to 206.230.66.1 ports 3387, 23115, 19948, 42708, 10511, 56523, 33709, 50899, 24634, ..., flags ??r??u, TTL 117, started at 10:25:36

Mr. I. Network Engineer / Ops Manager Narellan (NorthEast) Inc.
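Added example, not part of the original thread or of scanlogd: one way to triage alerts like the one above is to tag a scanlogd hit as probable FTP data traffic when the same source logged in to ftpd shortly before. The function name triage, the five-minute window, the year and the third log line are assumptions made for this sketch.

```python
import re
from datetime import datetime, timedelta

# First two lines are from the post; the third is constructed for contrast.
SAMPLE_LOG = """\
Aug 11 10:24:50 ns1 ftpd[644]: FTP LOGIN FROM 209.23.33.114 [209.23.33.114]
Aug 11 10:25:40 ns1 scanlogd: From 209.23.33.114 to 206.230.66.1 ports 3387, 23115, 19948, 42708, 10511, 56523, 33709, 50899, 24634, ..., flags ??r??u, TTL 117, started at 10:25:36
Aug 11 11:02:13 ns1 scanlogd: From 192.0.2.77 to 206.230.66.1 ports 21, 22, 23, 25, 80, ..., flags ??r??u, TTL 52, started at 11:02:10
"""

YEAR = "2000"  # syslog omits the year; assumed from the date of the post
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\w+)(?:\[\d+\])?: (.*)$")
LOGIN = re.compile(r"FTP LOGIN FROM \S+ \[([\d.]+)\]")
SCAN = re.compile(r"From ([\d.]+)(?::\d+)? to ([\d.]+)(?::\d+)? ports (.+?), flags")


def triage(log_text, window=timedelta(minutes=5)):
    """Return (time, source, verdict) for each scanlogd alert.

    Verdict is 'ftp-data?' when the same source logged in to ftpd no more
    than `window` earlier, otherwise 'scan'. The window is a heuristic: it
    lowers the priority of an alert, it does not prove the traffic is benign.
    """
    last_login = {}  # source IP -> time of its most recent FTP login
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        prog, msg = m.group(2), m.group(3)
        if prog == "ftpd" and (lg := LOGIN.search(msg)):
            last_login[lg.group(1)] = when
        elif prog == "scanlogd" and (sc := SCAN.search(msg)):
            src = sc.group(1)
            seen = last_login.get(src)
            recent = seen is not None and timedelta(0) <= when - seen <= window
            results.append((when.strftime("%H:%M:%S"), src,
                            "ftp-data?" if recent else "scan"))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row)
```
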