Security Incidents mailing list archives
RE: Unusual port scan?
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Sun, 28 Dec 2003 23:01:12 -0500
There is a web server responding to port 80 on the 'attacking machine'. Are you sure this isn't a response to something from your machine? You said you didn't have a browser open but how about an e-mail client that processes HTML pages? Or perhaps some application that pulls in updates over port 80. Does your router give you any additional information like flags? If it does, you might find that the flags indicate that it's a response to a SYN from your machine. You might also put a sniffer on the network just to see if this is part of a legitimate connection attempt. -----Original Message----- From: J Bailes [mailto:jonas2 () knology net] Sent: Sunday, December 28, 2003 5:59 PM To: incidents () securityfocus com Subject: Unusual port scan? My router logs on my personal/home machine just started receiving with these scans: 12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:04:50.236 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:04:42.705 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:04:16.067 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:04:11.991 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:03:58.982 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:03:56.639 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:03:50.440 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:03:48.958 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:03:46.164 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:03:45.112 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:03:44.031 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:03:43.199 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:03:42.428 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:03:42.238 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 12/28/2003 13:03:42.168 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802 12/28/2003 13:03:41.757 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800 The scans supposedly came from: [Query: 81.52.250.105, Server: whois.ripe.net] % This is the RIPE Whois server. % The objects are in RPSL format. % % Rights restricted by copyright. % See http://www.ripe.net/ripencc/pub-services/db/copyright.html inetnum: 81.52.248.0 - 81.52.250.127 netname: AKAMAI-FT-US descr: Akamai Technologies - US machines connected to FT AS5511 country: US admin-c: NARA1-RIPE tech-c: NARA1-RIPE tech-c: NF1714-RIPE status: ASSIGNED PA mnt-by: FT-BRX changed: gestionip.ft () francetelecom com 20030321 source: RIPE route: 81.52.240.0/20 descr: France Telecom descr: Opentransit origin: AS5511 mnt-by: FT-BRX changed: gestionip.ft () francetelecom com 20030214 source: RIPE role: Network Architecture Role Account address: Akamai Technologies address: 500 Technology Square address: Cambridge, MA 02139 phone: +1-617-250-4768 e-mail: ip-admin () akamai com admin-c: NF1714-RIPE admin-c: JP1944-RIPE tech-c: NF1714-RIPE tech-c: JP1944-RIPE nic-hdl: NARA1-RIPE notify: ip-admin () akamai com changed: ip-admin () akamai com 20021025 source: RIPE person: Noam Freedman address: Akamai Technologies address: 500 Technology Sq address: Cambridge, MA 02139 phone: +1 617 250 4768 e-mail: noam () akamai com nic-hdl: NF1714-RIPE notify: noam () akamai com changed: noam () akamai com 20021025 source: RIPE [End of Data] The scan seems to be looking for: ansys-lm - ANSYS-License manager for port 1800 concomp1 - ConComp1 for port 1802 According to this: http://aaron.boim.com/unix/sshTunnel.html , it may be scan for an open proxy used for SSH? I dunno. I'm not familiar with these services (nor am I running them). I did not have any browser windows open at the time of the scan. So, out of nowhere, why would an Akamai box scan me for these services? Is anybody else getting this kind of traffic? ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Unusual port scan? J Bailes (Dec 28)
- Re: Unusual port scan? Eric Whitehill (Dec 29)
- RE: Unusual port scan? Bojan Zdrnja (Dec 29)
- RE: Unusual port scan? Jerry Shenk (Dec 29)
- Re: Unusual port scan? Patrick Kremer (Dec 29)
- Re: Unusual port scan? Ed Budd (Dec 29)
- <Possible follow-ups>
- RE: Unusual port scan? Hamish webhosting.net.nz (Dec 29)
- RE: Unusual port scan? J Bailes (Dec 30)