
Thread: Port 13139

  1. #11
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    tcpdump is a good one. Ethereal is another good one.

    Have you considered a NIDS like snort?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #12
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I've thought about it before but have never really had the time. I think that I'm gonna go ahead and download it today though.

    Thanks for all the help.

  3. #13
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    If you need help with snort there are lots of users around here that have used it. I believe that there is a short tut in one of the AO newsletters and somewhere in the tutorials as well. Also, they have extensive documentation on installing snort on your flavour of OS.

    I recently upgraded my NIDS from Snort 2.0 to 2.0.1. But haven't turned it back on due to the blackout issues.

  4. #14
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I finally got my Linux system running, so I fired up nmap and scanned the IP address that's been scanning me.

    I used the -sS and -O options.

    Here's what nmap found

    Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-16 22:03 BST
    Interesting ports on dns-lax.centurytel.net (207.xxx.xxx.xxx):
    (The 1627 ports scanned but not shown below are in state: closed)
    Port State Service
    7/tcp open echo
    9/tcp open discard
    13/tcp open daytime
    19/tcp open chargen
    21/tcp open ftp
    22/tcp open ssh
    23/tcp open telnet
    37/tcp open time
    53/tcp open domain
    79/tcp open finger
    100/tcp open newacct
    512/tcp open exec
    513/tcp open login
    514/tcp open shell
    515/tcp open printer
    540/tcp open uucp
    7100/tcp open font-service
    Device type: general purpose
    Running: Sun Solaris 8
    OS details: Sun Solaris 8 early access beta through actual release
    Uptime 79.257 days (since Thu May 29 15:54:47 2003)

    Nmap run completed -- 1 IP address (1 host up) scanned in 48.810 seconds

    After a whois search with Sam Spade it seems that this is my ISP. But I'm still confused as to how they are portscanning me.

    I also did a portscan of my public IP. Here are the results from that

    Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-16 21:50 BST
    Interesting ports on pppoe-209-xxx-xxx-xxx.rb.spt.centurytel.net (209.xxx.xxx.xxx):
    (The 1642 ports scanned but not shown below are in state: closed)
    Port State Service
    80/tcp open http
    113/tcp filtered auth
    Device type: broadband router|WAP
    Running: Cnet embedded, Linksys embedded
    OS details: Cnet CNIG904B Internet Broadband Gateway firmware version 1.11, Linksys BEFW11S4 WAP or BEFSR41 router

    Nmap run completed -- 1 IP address (1 host up) scanned in 14.091 seconds

    I'm not too experienced with this part yet, so can anyone see anything strange from nmap scanning my public IP or does it look OK?

  5. #15
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    Cheyenne, I forgot to mention earlier, your router may be performing a PAT as well as a NAT. Some routers support this feature. The way this works is the 1st PC on the inside LAN gets statically NATTED and every subsequent PC will get PATTED with the same public address along with a random port number.

    This will explain how it is possible to be scanned even though you have a private IP address. Because your public address is always statically one-to-one natted to your private address (the 1st PC that goes out).

    Now I'm not sure how or what you did when you yourself attempted to scan yourself from the outside and were unable to.

    I suggest just for shits and giggles to have someone (a friend whom you trust) scan your router to verify for sure... I'm very curious to know the results...

    If you don't have a friend whom you trust, then you have a bigger problem, lol, just kidding. You can try and sign up for any free dial-up ISPs and test...

    As far as protocol analyzers, see the thread on sniffers for Windows that is currently posted. A lot available out there: Ethereal, analogx, etc.

    My guess is that your router is performing a PAT as well as NAT and if you attempt to scan your router again, you will find that you are able to.

    Good Luck...
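
The difference between one-to-one static NAT and PAT that the post above relies on, as an added example that is not part of the original thread. The `Router` class, its fields and every address are hypothetical, constructed values; the model only shows which unsolicited inbound ports get forwarded to an inside host in each mode.

```python
# Added illustration: minimal model of a router's translation behaviour.
# All addresses below are constructed documentation-range samples.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Router:
    public_ip: str
    static_inside: Optional[str] = None  # host with a one-to-one static NAT
    pat: dict = field(default_factory=dict)  # public port -> (ip, port, remote)
    next_port: int = 40000

    def outbound(self, inside_ip, inside_port, remote):
        """Inside host connects out; return the (ip, port) the remote sees."""
        if inside_ip == self.static_inside:
            return (self.public_ip, inside_port)  # address rewritten, port kept
        port, self.next_port = self.next_port, self.next_port + 1
        self.pat[port] = (inside_ip, inside_port, remote)
        return (self.public_ip, port)

    def inbound(self, remote, dst_port):
        """Packet from `remote` to public_ip:dst_port; None means dropped."""
        entry = self.pat.get(dst_port)
        if entry and entry[2] == remote:  # reply on an existing PAT mapping
            return entry[:2]
        if self.static_inside:            # static NAT forwards everything
            return (self.static_inside, dst_port)
        return None


SCANNER = ("203.0.113.9", 55555)  # constructed outside host
PORTS = [21, 23, 80, 13139]


def reachable_ports(router, scanner, ports):
    return [p for p in ports if router.inbound(scanner, p) is not None]


def demo():
    pat_only = Router("198.51.100.7")
    pat_only.outbound("192.168.0.2", 3456, ("192.0.2.10", 80))
    one_to_one = Router("198.51.100.7", static_inside="192.168.0.2")
    return (reachable_ports(pat_only, SCANNER, PORTS),
            reachable_ports(one_to_one, SCANNER, PORTS))


if __name__ == "__main__":
    print(demo())
```
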

  6. #16
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Here's what a friend found using Lan Guard Scanner

    NETBIOS discovery ...
    Done sending, waiting for responses ...
    SNMP discovery ...
    Community string : public
    Done sending, waiting for responses ...
    ICMP sweep ... (PING!)
    Done sending, waiting for responses ...
    Ready
    No computers found.
    Ready


    Here's what I found using Net Brute scanner on a dial-up connection

    209.xxx.xxx.xxx # 25
    209.xxx.xxx.xxx # 80
    209.xxx.xxx.xxx # 81
    209.xxx.xxx.xxx # 82
    209.xxx.xxx.xxx # 83
    209.xxx.xxx.xxx # 110
    209.xxx.xxx.xxx # 119

    However, when I used another scanner it showed no ports for my connection.

  7. #17
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    If you really want to put an end to this, turn on a "server" on your PC that was scanned. Do it temporarily and turn off the personal firewall on the PC.

    This could be http/80, telnet/23 or ftp/21. Then try to connect from outside again as you did before with your friend but to one of the above applications...

    If you connect, then your router is definitely natting...

    ex. if your public address is the 66.x.x.x and you have port 21 turned on your PC, FTP to 66.x.x.x from outside and see if you connect. Verify that you FTP to your PC and not your router.

    P.S.
    Your router could also be "buggy", which explains why sometimes you are able to scan and other times you are not. Very possible, especially if your router is one of the off-the-shelf appliance routers (Linksys, etc...)

    You may want to entertain investing in a Cisco 2501 series router from eBay for about $100-150. It will serve you two purposes: one, you have a stable IOS, and two, you will be on your way to learning how to configure a real router that is used in professional industry to help your career in the IT industry....
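
One way to run the test described in the post above and be sure the answer came from the PC and not the router, as an added example that is not part of the original thread. The function names, the default port 2121 and the "canary" banner format are assumptions made for this sketch: the PC serves a random token once, and the outside machine checks that the host answering on the public address returns exactly that token.

```python
# Added illustration: one-shot listener that proves which host answered.
import secrets
import socket
import threading


def start_canary(host="0.0.0.0", port=2121, accept_timeout=300.0):
    """Run on the inside PC: serve a random token to the first client."""
    token = secrets.token_hex(8)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(accept_timeout)  # stop listening if nobody connects
    result = {"token": token, "port": srv.getsockname()[1], "peer": None}

    def serve():
        try:
            conn, peer = srv.accept()
            with conn:
                conn.sendall(f"canary {token}\r\n".encode())
            result["peer"] = peer   # source address as seen by the PC
        except socket.timeout:
            pass
        finally:
            srv.close()             # single use: never left listening

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return result, thread


def check_from_outside(public_ip, port, expected_token, timeout=5.0):
    """Run on the outside machine: True only if the token matches."""
    try:
        with socket.create_connection((public_ip, port), timeout=timeout) as s:
            banner = s.recv(128).decode(errors="replace")
    except OSError:
        return False                # refused, filtered or timed out
    return banner.strip() == f"canary {expected_token}"


if __name__ == "__main__":
    info, worker = start_canary()
    print("listening on port", info["port"], "token", info["token"])
    worker.join()
    print("connection from", info["peer"])
```

A mismatch or a different banner means some other device, such as the router's own service, answered on that port.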

  8. #18
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I might try that Cisco router.

    Thanks for the help.

  9. #19
    This thread has interested me, as I have had some similar happenings on my home network. In my Snort logs it will show a port scan, from a public IP, to my private IP 192.168.0.1. I have also noticed that some ICMP messages get to my computer as well. If somebody were to source route a scan would they be able to get traffic to my LAN?
