Port Scan Detected -- Now What?

Thread: Port Scan Detected -- Now What?

  1. #1

    Port Scan Detected -- Now What?

    The SonicWALL on our DSL line reported the following activity:

    TCP scanned port list, 2745, 1025, 3127, 6129, 5000

    What do you guys make of this? What are these 5 ports for?

  2. #2
    5000 is UPnP, make sure that's disabled. Check out the Shields Up website for a tool to disable that. Unplug and Pray I think it's called. You can find port listings everywhere, just Google for them to see what the port scan possibly looked for. Then use Fport by Foundstone to see if those services exist on your box, and open the ports that were scanned.

  3. #3
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    Get up veeeery slowly....... Move quietly to the kitchen, slide gently up to the fridge.... Try to open it without making a sound..... we don't want to scare the hacker off..... Reach in carefully and grab a bottle of beer firmly but gently by the neck. Extract it from the fridge and gently remove the cap, we don't want it to splash on the floor and scare the hacker.... Oh, remember to close the fridge..... the other beers will get warm..... Move quietly to the couch and sit down, turn on the TV.... The volume doesn't matter now, the hacker will think you are distracted.... Watch TV while drinking the beer until the bottle is empty..... Repeat process until done.... Go to bed.... sleep.... get up and get on with your life......

    Of course, if you don't have beer in the fridge you are screwed..... Reformat and start from scratch.........

    Relax... It's a portscan...... It's internet noise......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Just a Virtualized Geek | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,324
    Normal activity of a worm. Possibly MyDoom or NetSky or Agobot or some other recent worm variant. I wouldn't worry about it since SonicWALL caught it.

    Port 2745 for the backdoor left by the Bagle virus
    Port 3127 for the MyDoom.A backdoor
    Port 5000 for the MS01-059 UPnP vulnerability
    Port 6129 for the DameWare vulnerability (OSVDB ID: 3042)
    Port 1025 for the MS03-032 vulnerability
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
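Post #2 says to check whether the scanned services actually exist on your box, and post #4 lists what each port is associated with. The script below is an added example (not from this thread or from SonicWALL) that does that triage on the logged line: it parses the port list, tags each port using only the thread's own table, and splits them into "exposed" (listening locally and admitted by the firewall), "blocked" (listening but dropped) and "noise" (nothing listens). The log line format, the listening-port set and the allowed-inbound set are assumed/constructed inputs.

```python
import re
from typing import Dict, List, Set

# Port-to-threat associations exactly as listed in this thread (post #4);
# anything not in the table is reported as "unknown" rather than guessed.
KNOWN_SCAN_PORTS: Dict[int, str] = {
    2745: "Bagle backdoor", 3127: "MyDoom.A backdoor", 5000: "UPnP (MS01-059)",
    6129: "DameWare (OSVDB 3042)", 1025: "MS03-032",
}
# Matches the SonicWALL line format quoted in post #1 (format assumed stable).
LOG_RE = re.compile(r"TCP scanned port list,\s*(?P<ports>[\d,\s]+)")


def parse_scanned_ports(log_line: str) -> List[int]:
    """Return the scanned TCP ports from one log line, in logged order."""
    m = LOG_RE.search(log_line)
    if not m:
        return []
    return [int(p) for p in m.group("ports").split(",") if p.strip()]


def label(port: int) -> str:
    """Tag a port using only the thread's own table."""
    return KNOWN_SCAN_PORTS.get(port, "unknown")


def triage(scanned: List[int], listening: Set[int],
           allowed_inbound: Set[int]) -> Dict[str, List[int]]:
    """Bucket scanned ports (logged order kept):
    exposed - listening locally AND admitted by the firewall: investigate.
    blocked - listening locally but dropped by the firewall: verify rule, ignore.
    noise   - nothing listens: background worm traffic, as the thread says.
    """
    buckets: Dict[str, List[int]] = {"exposed": [], "blocked": [], "noise": []}
    for port in scanned:
        if port not in listening:
            buckets["noise"].append(port)
        elif port in allowed_inbound:
            buckets["exposed"].append(port)
        else:
            buckets["blocked"].append(port)
    return buckets


if __name__ == "__main__":
    # Constructed sample: the thread's log line plus an assumed host state.
    line = "TCP scanned port list, 2745, 1025, 3127, 6129, 5000"
    listening = {135, 445, 1025, 5000}   # e.g. from an Fport-style listing
    allowed = {80, 5000}                  # inbound ports the firewall permits
    for bucket, ports in triage(parse_scanned_ports(line), listening, allowed).items():
        print(bucket, [f"{p} ({label(p)})" for p in ports])
```

With the sample host state only port 5000 lands in "exposed", which is the one port a small shop would actually need to act on; the rest is the "white noise" later posts describe.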

  5. #5
    Senior Member | Join Date: Aug 2003 | Posts: 119
    Hey Knight,

    I posted a very similar thread, with I believe the same ports that you mentioned, a while back. Check it out here. http://www.antionline.com/showthread...hreadid=255793

    Gah... MsM beat me to it, but I was gonna have a breakdown for you! Some of the things that I did are located in that other thread!

    If your firewall caught it, don't worry about it! If you'd like further security, put an explicit block on the attacking machine's MAC address and silence it for good!

  6. #6
    Banned | Join Date: Jul 2001 | Posts: 1,100
    Greetings All:

    This is a great illustration of what I see as one of the major problems with information security today.

    Consultants, and those that make security architectures, seem to expect that everyone should become an information security expert.

    Why on earth do security software and hardware that was designed and marketed for home users spit out such logs? Do they expect home users to understand the significance of "ports" that are being "scanned", or even what the hell this strange "tcp" thing is to begin with? What on earth do they expect the home user to do after they read these messages?

    At the governmental and corporate levels, sure, you need very detailed and robust logging. But you also presumably have expert personnel in place that can understand those logs, and that can actually do something about them if needed.

    Security architectures for the home user should be "install and forget". Know that you installed your firewall, and that it will do its best to keep the bad bits and bytes out, and the good bits and bytes in. Understand that the firewall doesn't keep you 100% safe, but it keeps you safer than you were before you installed it.

    I think oftentimes in the computing industry we forget how intimidating the world of computers can be for those who aren't experts with them, but simply use them to facilitate things that they are experts with.

  7. #7
    Wow, do I ever feel special, MsM, Tiger, and JP responding to the same thread.

    Well, this is a small corporate setting, so it is important that I learn these things (which is why I'm posting here). You'd think having a fresh MIS degree (finally getting it Saturday!) that I should know this, but this is one thing the college courses never even touched base on (though I requested one of my professors to cover this), so I'm at a bit of a handicap. Which is why I'm here.

  8. #8
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    > Well, this is a small corporate setting
    Darn.... That means no beer I suppose......

    Seriously, if your firewall is set to block all incoming except essential services that you provide then you'll learn to ignore the "white noise" of the internet.... It's like crickets at night.... You learn to go to sleep despite them....

    Depending upon other systems you employ such as IDS you will be able to see the types of scanning/enumeration attempts that should attract your attention and let the rest go. More than 99% of all the "scanning" traffic is an automated worm of some type..... Very rarely is there an actual skiddie sat at a console controlling the whole event looking to steal your stuff.

  9. #9
    Junior Member | Join Date: May 2004 | Posts: 17
    > Security architectures for the home user should be "install and forget". Know that you installed your firewall, and that it will do its best to keep the bad bits and bytes out, and the good bits and bytes in. Understand that the firewall doesn't keep you 100% safe, but it keeps you safer than you were before you installed it.

    Just remember that years ago there was no such thing as anti-virus or firewalls, and most people using a Windows platform didn't even have at least a firewall installed BEFORE they put their computer on the Internet, which already makes their system a hackers' playground. Remember that Windows leaves file and print sharing open for starters. We're talking about the majority of Windows users here.

    trackit

  10. #10
    Just a Virtualized Geek | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,324
    > Security architectures for the home user should be "install and forget". Know that you installed your firewall, and that it will do its best to keep the bad bits and bytes out, and the good bits and bytes in.
    What?? First, I believe that AngelicKnight is referring to his business's firewall. Second, the policy of "install and forget" isn't a good one. Users do this with anti-virus software, which is why we see so many users infected with worms/viruses crying "but I have AV software installed". It needs to be checked regularly. That's reality. Even for firewalls. ZoneAlarm, as an example, was found to have some flaws and required updating. If people use an "install and forget" attitude, they will get complacent and will not pay attention to the little details.

    Firewalls have been around since the 1980s and anti-virus has been around since the late 80s/early 90s. The usage of 1) both of them on the same machine is relatively new, 2) the concept that their computer has something WORTH protecting is new. It is the last point that has made it more critical for users to protect what they've got. In addition, I suspect that companies like Gateway and Dell, who are installing OSes with AV and firewalls, are probably helping. It doesn't solve, however, the on-going issue of users turning this off because it "slows the system down/interferes with my Internet access/asks me all these questions".

    We should encourage users to install and learn rather than forget, IMHO.
