-
May 24th, 2003, 05:18 PM
#1
1026 gone wild!
This one has me kinda stumped. Port 1026 scans are nothing new, but this dude/dudette really has a passion for it. Here's a trimmed (to fit) portion of Tiny's log from around 9 last night (GMT -5) until 10:30 this morning. The rules are either named for IP ranges or ports I want to watch... I have no life.
20:57:19] Rule '210_213Block': Blocked: In UDP, 210.5.22.11:31334->localhost:1026
21:00:27] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
21:02:49] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
21:05:04] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
21:06:51] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
22:22:31] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
22:24:47] Rule '218_222Block': Blocked: In TCP, 218.98.72.126:4233->localhost:80
22:24:50] Rule '218_222Block': Blocked: In TCP, 218.98.72.126:4233->localhost:80
22:24:56] Rule '218_222Block': Blocked: In TCP, 218.98.72.126:4233->localhost:80
22:25:23] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
22:27:59] Rule '210_213Block': Blocked: In UDP, 210.5.22.10:29336->localhost:1026
22:30:21] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
22:32:09] Rule '210_213Block': Blocked: In UDP, 210.5.22.11:31334->localhost:1026
22:34:14] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
22:54:14] Rule '17300': Permitted: In TCP, 172.150.165.186:4951->localhost:17300
23:23:28] Rule '17300': Permitted: In TCP, 68.116.204.164:1167->localhost:17300
23:31:51] Rule 'UUnet1 Not US': Blocked: In TCP, 61.85.191.46:4880->localhost:17300
23:45:53] Rule '17300': Permitted: In TCP, 172.174.57.247:3222->localhost:17300
23:45:55] Rule '17300': Permitted: In TCP, 172.174.57.247:3222->localhost:17300
00:26:40] Rule '17300': Permitted: In TCP, 172.175.26.23:3140->localhost:17300
01:22:18] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
01:25:08] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
01:27:44] Rule '210_213Block': Blocked: In UDP, 210.5.22.19:31115->localhost:1026
01:30:07] Rule '210_213Block': Blocked: In UDP, 210.5.22.20:28986->localhost:1026
01:31:56] Rule '210_213Block': Blocked: In UDP, 210.5.22.10:29336->localhost:1026
01:34:01] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
01:38:07] Rule '17300': Permitted: In TCP, 172.200.219.4:4596->localhost:17300
01:38:08] Rule '17300': Permitted: In TCP, 172.200.219.4:4596->localhost:17300
01:41:36] Rule '218_222Block': Blocked: In TCP, 219.9.2.31:3806->localhost:17300
01:59:40] Rule '17300': Blocked: In TCP, 68.59.116.167:1547->localhost:17300
03:19:18] Rule '200_203Block': Blocked: In TCP, 200.176.78.106:3839->localhost:80
03:19:21] Rule '200_203Block': Blocked: In TCP, 200.176.78.106:3839->localhost:80
03:19:28] Rule '200_203Block': Blocked: In TCP, 200.176.78.106:3839->localhost:80
03:30:38] Rule '17300': Blocked: In TCP, 66.138.229.189:1221->localhost:17300
04:11:04] Rule '210_213Block': Blocked: In TCP, 211.49.112.12:3182->localhost:17300
04:22:04] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
04:24:56] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
04:27:33] Rule '210_213Block': Blocked: In UDP, 210.5.22.19:31115->localhost:1026
04:29:55] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
04:31:45] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
04:33:49] Rule '210_213Block': Blocked: In UDP, 210.5.22.20:28986->localhost:1026
04:47:38] Rule 'UUnet2 Not US': Blocked: In UDP, 62.147.243.224:28432->localhost:28431
05:02:24] Rule 'UUnet1 Not US': Blocked: In TCP, 61.174.144.173:40492->localhost:80
05:02:28] Rule 'UUnet1 Not US': Blocked: In TCP, 61.174.144.173:40492->localhost:80
05:58:14] Rule '17300': Blocked: In TCP, 66.136.147.176:1225->localhost:17300
06:44:11] Rule '17300': Blocked: In TCP, 68.37.86.102:3939->localhost:17300
06:44:14] Rule '17300': Blocked: In TCP, 68.37.86.102:3939->localhost:17300
07:10:07] Rule 'UUnet1 Not US': Blocked: In TCP, 61.153.227.211:8569->localhost:80
07:10:10] Rule 'UUnet1 Not US': Blocked: In TCP, 61.153.227.211:8569->localhost:80
07:10:16] Rule 'UUnet1 Not US': Blocked: In TCP, 61.153.227.211:8569->localhost:80
07:21:57] Rule '210_213Block': Blocked: In UDP, 210.5.22.20:28986->localhost:1026
07:24:49] Rule '210_213Block': Blocked: In UDP, 210.5.22.22:31354->localhost:1026
07:27:25] Rule '210_213Block': Blocked: In UDP, 210.5.22.11:31334->localhost:1026
07:29:47] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
07:31:38] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
07:33:42] Rule '210_213Block': Blocked: In UDP, 210.5.22.22:31354->localhost:1026
09:56:38] Rule '17300': Blocked: In TCP, 69.14.109.97:2265->localhost:17300
10:21:41] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
10:24:34] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
10:27:10] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
10:29:32] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
10:31:22] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
10:33:26] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
Notice 210.5.22.(plus one of these: 10, 11, 17, 18, 19, 20, 21, 22, 23)
probes in groups of 5 or 6:
Start Used
20:57 (11, 23, 21, 18, 21, 17)
22:25 (21, 10, 23, 11, 17) <--only 5
01:22 (17, 18, 19, 20, 10, 18)
04:22 (22, 23, 19, 23, 21, 20)
07:21 (20, 22, 11, 18, 23, 22)
10:21 (18, 21, 21, 17, 21, 18)
Not one appears in all scans.
As I'm typing this, a blocked 'time exceeded' (IGMP [11]) came in from 210.5.22.234.
What's going on? Any guesses?
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
May 24th, 2003, 05:44 PM
#2
I am guessing you're running an application which is sending UDP packets out to those machines from local port 1026.
The 6 or so IP addresses are load-balanced and being used in a round-robin fashion?
Are you running any games, P2P or other such like? If so, quit for a few hours and see if the packets continue.
What are the contents of the datagrams? Have you looked?
Are any local applications bound to UDP port 1026 at the time of the incoming packets?
My guess is, this is not a scan. If it were a scan, it would try different ports.
-
May 24th, 2003, 06:11 PM
#3
Although I haven't checked the packets for content, I'm running no P2P and occasionally play freecell. There is nothing shown listening on 1026. I check when the warning pops up (Tiny): 1025 mstask, which is blocked, and 1038 Iexplore are the only devices even close.
Just got one:
Active Connections
Proto Local Address Foreign Address State
TCP mymach:2119 mymach:44334 TIME_WAIT
TCP mymach:2120 mymach:44334 ESTABLISHED
TCP mymach:44334 mymach:2120 ESTABLISHED
TCP mymach:1963 cache02.ns.uu.net:domain CLOSE_WAIT
TCP mymach:2118 pop.wlv.untd.com:pop3 TIME_WAIT
C:\>fport
FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid Process Port Proto Path
392 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 139 TCP
8 System -> 445 TCP
612 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe
8 System -> 1028 TCP
1084 IEXPLORE -> 1828 TCP C:\Program Files\Internet Explorer\IEXPLORE
.EXE
448 spade -> 1963 TCP C:\Program Files\Blighty Design\spade.exe
524 PFWADMIN -> 2120 TCP C:\Program Files\Tiny Personal Firewall\PFW
ADMIN.EXE
764 WinVNC -> 5800 TCP C:\Program Files\RealVNC\WinVNC\WinVNC.exe
764 WinVNC -> 5900 TCP C:\Program Files\RealVNC\WinVNC\WinVNC.exe
576 persfw -> 44334 TCP C:\Program Files\Tiny Personal Firewall\per
sfw.exe
8 System -> 137 UDP
8 System -> 138 UDP
8 System -> 445 UDP
216 lsass -> 500 UDP C:\WINNT\system32\lsass.exe
1084 IEXPLORE -> 1038 UDP C:\Program Files\Internet Explorer\IEXPLORE
.EXE
1076 MsgSys -> 38037 UDP C:\WINNT\System32\MsgSys.EXE
576 persfw -> 44334 UDP C:\Program Files\Tiny Personal Firewall\per
sfw.exe
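As an added example (not code from any of the posters), the following Python script does over the quoted log lines what the thread does by hand. It parses the Tiny Personal Firewall entries, keeps the 210.5.22.x UDP probes to port 1026, splits them into bursts wherever the probes pause for more than 30 minutes (an assumed threshold), and for each source host reports the source and destination ports it used, which is the check post #2 proposes: a port scan would spread across many destination ports, while traffic returning to something the host itself sent would keep arriving on one. It also parses an fport listing to answer post #2's other question, whether anything local is bound to UDP 1026. LOG and FPORT are constructed from the first three bursts and a few fport lines quoted above; the log carries no date, so the script treats the clock going backwards as the midnight rollover.

```python
"""Burst and port profile of the UDP/1026 probes, plus a local-binding check.

Added example, not the posters' code.  LOG and FPORT are constructed from
lines quoted in the thread; the 30-minute burst gap is an assumption.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\] Rule '([^']+)': (Blocked|Permitted): "
    r"(In|Out) (TCP|UDP), ([\d.]+):(\d+)->(\S+?):(\d+)$"
)
FPORT_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")

# Constructed sample: a subset of the firewall lines quoted in the thread, in log order.
LOG = """\
20:57:19] Rule '210_213Block': Blocked: In UDP, 210.5.22.11:31334->localhost:1026
21:00:27] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
21:02:49] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
21:05:04] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
21:06:51] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
22:22:31] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
22:25:23] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
22:27:59] Rule '210_213Block': Blocked: In UDP, 210.5.22.10:29336->localhost:1026
22:30:21] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
22:32:09] Rule '210_213Block': Blocked: In UDP, 210.5.22.11:31334->localhost:1026
22:34:14] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
22:54:14] Rule '17300': Permitted: In TCP, 172.150.165.186:4951->localhost:17300
00:26:40] Rule '17300': Permitted: In TCP, 172.175.26.23:3140->localhost:17300
01:22:18] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
01:25:08] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
01:27:44] Rule '210_213Block': Blocked: In UDP, 210.5.22.19:31115->localhost:1026
01:30:07] Rule '210_213Block': Blocked: In UDP, 210.5.22.20:28986->localhost:1026
01:31:56] Rule '210_213Block': Blocked: In UDP, 210.5.22.10:29336->localhost:1026
01:34:01] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
"""

# Constructed sample: fport lines quoted in the thread, wrapped paths rejoined.
FPORT = r"""Pid Process Port Proto Path
612 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe
8 System -> 1028 TCP
1084 IEXPLORE -> 1038 UDP C:\Program Files\Internet Explorer\IEXPLORE.EXE
8 System -> 137 UDP
216 lsass -> 500 UDP C:\WINNT\system32\lsass.exe
"""


def parse_log(text):
    """Parse firewall lines into dicts. 't' is seconds of day plus 86400 for
    every midnight crossed, so entries stay ordered although the log has no date."""
    entries, day, prev = [], 0, -1
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hh, mm, ss, rule, action, direction, proto, sip, sport, dst, dport = m.groups()
        secs = int(hh) * 3600 + int(mm) * 60 + int(ss)
        if secs < prev:  # clock went backwards: we crossed midnight
            day += 86400
        prev = secs
        entries.append({"t": day + secs, "clock": f"{hh}:{mm}", "rule": rule,
                        "action": action, "dir": direction, "proto": proto,
                        "src": sip, "sport": int(sport), "dst": dst, "dport": int(dport)})
    return entries


def select(entries, proto="UDP", dport=1026, src_prefix="210.5.22."):
    """Keep only the probes the thread is about."""
    return [e for e in entries if e["proto"] == proto and e["dport"] == dport
            and e["src"].startswith(src_prefix)]


def cluster_bursts(entries, gap=1800):
    """Split a time-ordered list into bursts wherever the pause exceeds `gap` seconds."""
    bursts = []
    for e in entries:
        if bursts and e["t"] - bursts[-1][-1]["t"] <= gap:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    return bursts


def source_profile(entries):
    """Per source host: probe count and the source/destination ports it touched."""
    prof = defaultdict(lambda: {"count": 0, "sports": set(), "dports": set()})
    for e in entries:
        p = prof[e["src"]]
        p["count"] += 1
        p["sports"].add(e["sport"])
        p["dports"].add(e["dport"])
    return dict(prof)


def analyse(text, gap=1800):
    """Bursts (as last octets), burst start clocks, minutes between bursts,
    per-host port profile, and whether any host behaved like a port scanner."""
    probes = select(parse_log(text))
    bursts = cluster_bursts(probes, gap)
    starts = [b[0]["t"] for b in bursts]
    prof = source_profile(probes)
    return {"bursts": [[int(e["src"].rsplit(".", 1)[1]) for e in b] for b in bursts],
            "starts": [b[0]["clock"] for b in bursts],
            "spacing_min": [round((b - a) / 60) for a, b in zip(starts, starts[1:])],
            "profile": prof,
            "port_scan_like": any(len(p["dports"]) > 1 for p in prof.values())}


def local_binding(fport_text, port, proto):
    """(pid, process) pairs that fport shows bound to the given port and protocol."""
    out = []
    for line in fport_text.splitlines():
        m = FPORT_RE.match(line.strip())
        if m and int(m.group(3)) == port and m.group(4) == proto:
            out.append((int(m.group(1)), m.group(2)))
    return out


if __name__ == "__main__":
    r = analyse(LOG)
    for start, burst in zip(r["starts"], r["bursts"]):
        print(f"{start}  {len(burst)} probes from hosts {burst}")
    print("minutes between burst starts:", r["spacing_min"])
    for src, p in sorted(r["profile"].items()):
        print(f"{src}: {p['count']} probes, sports {sorted(p['sports'])}, dports {sorted(p['dports'])}")
    print("port-scan-like:", r["port_scan_like"])
    print("local UDP/1026 binding:", local_binding(FPORT, 1026, "UDP") or "none")
```

Two things fall out of the run that the eye misses in the raw log: grouping by quiet gaps places the 22:22 probe with the 22:25 run rather than the 20:57 run, and the bursts then start about three hours apart; and every source host keeps one fixed source port and one destination port, which is what a fixed set of servers with bound sockets looks like and not what a port scan looks like. Pointing the same script at the full log, or at a packet capture of the datagram payloads, is the next step post #2 asks for.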