Security Incidents mailing list archives

RE: Unusual port scan?


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Sun, 28 Dec 2003 23:01:12 -0500

There is a web server responding to port 80 on the 'attacking machine'.
Are you sure this isn't a response to something from your machine?  You
said you didn't have a browser open but how about an e-mail client that
processes HTML pages?  Or perhaps some application that pulls in updates
over port 80.

Does your router give you any additional information like flags?  If it
does, you might find that the flags indicate that it's a response to a
SYN from your machine.  You might also put a sniffer on the network just
to see if this is part of a legitimate connection attempt.

-----Original Message-----
From: J Bailes [mailto:jonas2 () knology net] 
Sent: Sunday, December 28, 2003 5:59 PM
To: incidents () securityfocus com
Subject: Unusual port scan?

My router logs on my personal/home machine just started showing these scans:

12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:04:50.236 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:04:42.705 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:04:16.067 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:04:11.991 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:58.982 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:56.639 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:50.440 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:48.958 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:46.164 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:45.112 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:44.031 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:43.199 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:42.428 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:42.238 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:42.168 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:41.757 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800

The scans supposedly came from:

[Query: 81.52.250.105, Server: whois.ripe.net]

% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 81.52.248.0 - 81.52.250.127
netname: AKAMAI-FT-US
descr: Akamai Technologies - US machines connected to FT AS5511
country: US
admin-c: NARA1-RIPE
tech-c: NARA1-RIPE
tech-c: NF1714-RIPE
status: ASSIGNED PA
mnt-by: FT-BRX
changed: gestionip.ft () francetelecom com 20030321
source: RIPE

route: 81.52.240.0/20
descr: France Telecom
descr: Opentransit
origin: AS5511
mnt-by: FT-BRX
changed: gestionip.ft () francetelecom com 20030214
source: RIPE

role: Network Architecture Role Account
address: Akamai Technologies
address: 500 Technology Square
address: Cambridge, MA 02139
phone: +1-617-250-4768
e-mail: ip-admin () akamai com
admin-c: NF1714-RIPE
admin-c: JP1944-RIPE
tech-c: NF1714-RIPE
tech-c: JP1944-RIPE
nic-hdl: NARA1-RIPE
notify: ip-admin () akamai com
changed: ip-admin () akamai com 20021025
source: RIPE

person: Noam Freedman
address: Akamai Technologies
address: 500 Technology Sq
address: Cambridge, MA 02139
phone: +1 617 250 4768
e-mail: noam () akamai com
nic-hdl: NF1714-RIPE
notify: noam () akamai com
changed: noam () akamai com 20021025
source: RIPE

[End of Data]

The scan seems to be looking for:

ansys-lm - ANSYS-License manager for port 1800
concomp1 - ConComp1 for port 1802

According to this: http://aaron.boim.com/unix/sshTunnel.html , it may be a
scan for an open proxy used for SSH? I dunno.

I'm not familiar with these services (nor am I running them).  I did not
have any browser windows open at the time of the scan.  So, out of
nowhere, why would an Akamai box scan me for these services?  Is anybody
else getting this kind of traffic?
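The check Jerry describes, turned into a small triage script (added here as an example; it is not code from either poster). It parses the router log format quoted above and applies his heuristic: a packet whose source port is a well-known service and whose destination port sits in the client's dynamic range looks like the far end answering a connection this host opened, while a real sweep from one source would hit many distinct destination ports. The service-port list and the 1024-5000 dynamic range are assumptions about a home Windows box of that era, not facts from the thread; the sample lines are the ones from the post.

```python
"""Triage router/firewall log lines of the form quoted in the thread.

Heuristic from the reply above: source port = well-known service (80) and
destination port in the client's dynamic range usually means the remote
server is answering a connection this host opened, not scanning it.
A genuine port scan from one source touches many distinct destination ports.
"""

import re
from collections import Counter
from datetime import datetime

# Format of the quoted router log:  date time - src : sport >>> dst : dport
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"(?P<src>[\w.]+) : (?P<sport>\d+) >>> (?P<dst>[\w.]+) : (?P<dport>\d+)$"
)

# Assumptions, not facts from the thread: services a home box commonly talks
# to as a client, and the classic 1024-5000 dynamic port range used by the
# Windows TCP stacks of that era.
SERVICE_PORTS = {21, 22, 25, 53, 80, 110, 143, 443}
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 5000

# Sample input copied from the post (the destination address is masked there).
SAMPLE_LOG = """\
12/28/2003 13:05:44.133 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:04:50.236 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:04:42.705 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:04:16.067 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:04:11.991 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:58.982 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:56.639 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:50.440 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:48.958 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:46.164 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:45.112 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:44.031 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:43.199 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:42.428 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:42.238 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
12/28/2003 13:03:42.168 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1802
12/28/2003 13:03:41.757 - 81.52.250.105 : 80 >>> xx.xxx.xxx.xxx : 1800
""".splitlines()


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def classify(entry):
    """'likely-reply' when a service port talks to a client-range port on this
    host (the shape of a server answering us); 'possible-scan' otherwise."""
    from_service = entry["sport"] in SERVICE_PORTS
    to_client_port = EPHEMERAL_LOW <= entry["dport"] <= EPHEMERAL_HIGH
    return "likely-reply" if from_service and to_client_port else "possible-scan"


def summarize(lines, scan_port_threshold=5):
    """Parse a batch of lines and describe what they look like as a whole."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    if not entries:
        return {"total": 0}
    times = sorted(e["ts"] for e in entries)  # the log is newest-first
    dports = Counter(e["dport"] for e in entries)
    verdicts = Counter(classify(e) for e in entries)
    return {
        "total": len(entries),
        "sources": sorted({e["src"] for e in entries}),
        "verdicts": verdicts,
        "distinct_dports": len(dports),
        "dport_hits": dict(dports),
        "span_seconds": (times[-1] - times[0]).total_seconds(),
        # A sweep touches many ports; two ports hit over and over within a
        # couple of minutes looks like retransmissions to two client sockets.
        "looks_like_sweep": len(dports) >= scan_port_threshold,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the quoted lines the script finds one source, only two destination ports (1800 and 1802, hit 9 and 8 times) over about two minutes, and every packet has the reply shape, which is what two HTTP connections from client ports 1800 and 1802 plus their retransmissions would leave behind. The heuristic cannot distinguish a SYN/ACK from a spoofed packet with source port 80, so it is a triage aid, not proof. To see the flags, as Jerry suggests, a sniffer on the LAN with something like `tcpdump -n 'host 81.52.250.105 and tcp port 80'` (assuming tcpdump is available) will show `[S.]` for a SYN/ACK, which the Akamai host would only send in answer to a SYN from this machine, whereas a bare `[S]` towards 1800/1802 would be a genuine inbound probe.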