Strange Port Scan

Thread: Strange Port Scan

  1. #1

    Strange Port Scan

    My SonicWALL's showing some strange activity that's started repeating daily since around last week. Every day, I get a series of alerts within the same time frame. I have port scans coming in from 64.94.110.12, which takes you to the Verisign website if you enter it into your web browser. During that same time frame, I'm receiving fraudulent Microsoft Certificates from the same IP that are being blocked by the firewall.

    So what's up with this?

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Block the IP. And the reason you get the Verizon website (I believe) is because that's the person's provider/ISP. Also, what port is being probed?
    Space For Rent.. =]

  3. #3
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    An infected CRL server? Is the port scan from this server at regular times each day? Sounds like it might be a worm. Might want to remove their IP as they could be innocent of the activity and might want to notify Verisign of this (as a courtesy).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #4
    Senior Member therenegade
    Join Date
    Apr 2003
    Posts
    400
    Is this related to your query in this thread AngelicKnight?
    If so, and the port numbers're the same.. hmm.. interesting.. I wonder why Verisign would portscan you.. and why only those ports? If Verisign were 0wn3d (worst case scenario), wouldn't the attacker be scanning you all over rather than just those particular ports? And I'm not too aware of any vulnerability for those ports either, so it makes me think that Verisign's behind it and the intent isn't malicious.
    EDIT: Oops, forgot to post the damned thread lol, here it is: http://www.antionline.com/showthread...696#post753696

  5. #5
    Yep Renegade, it is directly related to the other thread I started. It's been a week or so since that thread was active, so I couldn't find the dang thing to continue with it and had to start a new one.

    Ports scanned are: 1183, 1184, 1185, 1186, 1187, 1105, 1104, 1106, 1107 and 1108.

  6. #6
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Angelic, your router/fw is disabled for ICMP redirect and source-route frames, right? Maybe it's an IP spoof attack.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  7. #7
    Senior Member
    Join Date
    Dec 2003
    Posts
    100
    You're not using P2P software such as LimeWire, are you? I noticed weird patterns when I started blocking IPs on ports and then realized these hits were individuals sharing files via P2P.

  8. #8
    caco -- I have yet to find any such settings, so they shouldn't be active.

    CT -- No P2P stuff.

  9. #9
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    If I'm correct, the attacker is using a Verisign IP address (that is supposed to be trustful) and redirecting your response to "his" computer.
    Usually all fw have protection against this kind of attack. But I'm not sure about Sonic.

  10. #10
    Senior Member therenegade
    Join Date
    Apr 2003
    Posts
    400
    IP spoofing? I don't think so, cacosapo. It'd again mean that Verisign had been 0wn3d of sorts or was subject to a DDoS attack of some kind, which brings us back to the simple point of... if someone were to mess with a reputed company like Verisign just to attack AngelicKnight (no offense meant here mate), he'd be mighty stupid.. daring.. and just plain DUMB.. why not just attack a smaller network and use it instead? Which makes me think that the scan's being conducted by Verisign.
