
Thread: New port being scanned

  1. #11
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Maybe it's that new worm ....

    http://securityresponse.symantec.com...32.setclo.html

    It tries to copy itself to open network shares...
    And we all know how many open boxes there are out there

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  2. #12
    Junior Member
    Join Date
    Sep 2004
    Posts
    12

    whois

    I went over my logs and looked at the eight entries over the last two days. One is from New Jersey, one from Asia, and the other six are from the RIPE network in Amsterdam. I guess I am going to have to go back through and look over these entries a little more closely.

    For your enjoyment here are those eight entries.

    [11/30/2004 13:05:08.58] Blocked - Port Scan Attack - src_ip=193.255.230.36:2963 - dst_ip=000.000.000.000:34956 - TCP
    [11/29/2004 21:52:13.62] Blocked - Port Scan Attack - src_ip=217.81.156.141:3339 - dst_ip=000.000.000.000:34956 - TCP
    [11/29/2004 19:51:57.62] Blocked - Port Scan Attack - src_ip=24.131.60.255:1143 - dst_ip=000.000.000.000:34956 - TCP
    [11/29/2004 12:02:17.11] Blocked - Port Scan Attack - src_ip=217.208.185.22:2788 - dst_ip=000.000.000.000:34956 - TCP
    [11/29/2004 14:02:32.31] Blocked - Port Scan Attack - src_ip=82.252.239.226:3204 - dst_ip=000.000.000.000:34956 - TCP
    [11/29/2004 15:50:08.76] Blocked - Port Scan Attack - src_ip=81.51.238.63:3544 - dst_ip=000.000.000.000:34956 - TCP
    [11/29/2004 06:00:09.37] Blocked - Port Scan Attack - src_ip=140.117.64.171:4582 - dst_ip=000.000.000.000:34956 - TCP
    [11/29/2004 08:01:41.96] Blocked - Port Scan Attack - src_ip=85.64.171.158:4864 - dst_ip=000.000.000.000:34956 - TCP


    Happy hunting.

    Merlin775
    The only consistent thing about me is my lack of consistency
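    A small parser for the eight entries above, as an added example (not Merlin775's firewall, not a tool anyone in the thread posted): it pulls the timestamp, source and destination out of each line and answers the questions a defender asks before chasing individual IPs: is it one port being hit from many places or one place sweeping many ports, how far apart are the hits, and were the remote ends ordinary client sockets. The field layout is assumed purely from the posted lines; the /16 grouping is a crude stand-in for the whois lookups mentioned in the post.

    ```python
    import re
    from collections import Counter
    from datetime import datetime

    # Constructed sample input: the eight firewall entries from the post above,
    # copied as posted (dst_ip was already masked to 000.000.000.000 by the poster).
    SAMPLE_LOG = """\
    [11/30/2004 13:05:08.58] Blocked - Port Scan Attack - src_ip=193.255.230.36:2963 - dst_ip=000.000.000.000:34956 - TCP
    [11/29/2004 21:52:13.62] Blocked - Port Scan Attack - src_ip=217.81.156.141:3339 - dst_ip=000.000.000.000:34956 - TCP
    [11/29/2004 19:51:57.62] Blocked - Port Scan Attack - src_ip=24.131.60.255:1143 - dst_ip=000.000.000.000:34956 - TCP
    [11/29/2004 12:02:17.11] Blocked - Port Scan Attack - src_ip=217.208.185.22:2788 - dst_ip=000.000.000.000:34956 - TCP
    [11/29/2004 14:02:32.31] Blocked - Port Scan Attack - src_ip=82.252.239.226:3204 - dst_ip=000.000.000.000:34956 - TCP
    [11/29/2004 15:50:08.76] Blocked - Port Scan Attack - src_ip=81.51.238.63:3544 - dst_ip=000.000.000.000:34956 - TCP
    [11/29/2004 06:00:09.37] Blocked - Port Scan Attack - src_ip=140.117.64.171:4582 - dst_ip=000.000.000.000:34956 - TCP
    [11/29/2004 08:01:41.96] Blocked - Port Scan Attack - src_ip=85.64.171.158:4864 - dst_ip=000.000.000.000:34956 - TCP
    """

    # Assumed field layout, derived only from the lines above.
    LINE_RE = re.compile(
        r"^\[(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\] "
        r"(?P<action>\w+) - (?P<event>.+?) - "
        r"src_ip=(?P<src_ip>[\d.]+):(?P<src_port>\d+) - "
        r"dst_ip=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) - (?P<proto>\w+)$"
    )


    def parse_line(line):
        """Return a dict for one log entry, or None if the line does not match."""
        m = LINE_RE.match(line.strip())
        if m is None:
            return None
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %H:%M:%S.%f")
        e["src_port"] = int(e["src_port"])
        e["dst_port"] = int(e["dst_port"])
        return e


    def parse_log(text):
        """Parse every matching line; lines that do not match are skipped, not fatal."""
        return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


    def summarize(events):
        """Aggregate what a defender wants to know before chasing individual IPs."""
        if not events:
            return {"count": 0}
        times = sorted(e["ts"] for e in events)
        src_ports = [e["src_port"] for e in events]
        return {
            "count": len(events),
            "first": times[0],
            "last": times[-1],
            # one destination port hit from many sources looks like a targeted
            # probe; many ports from one source looks like a classic sweep
            "dst_ports": Counter(e["dst_port"] for e in events),
            "distinct_sources": len({e["src_ip"] for e in events}),
            # first two octets are a crude grouping only; use whois/ASN data
            # when investigating for real
            "source_slash16s": Counter(
                ".".join(e["src_ip"].split(".")[:2]) + ".0.0/16" for e in events
            ),
            # every source port above 1023 means the remote side was an ordinary
            # client socket, consistent with a scanner or worm rather than a server
            "all_sources_ephemeral": all(p > 1023 for p in src_ports),
            "src_port_range": (min(src_ports), max(src_ports)),
        }


    if __name__ == "__main__":
        for key, value in summarize(parse_log(SAMPLE_LOG)).items():
            print(f"{key}: {value}")
    ```

    Run against the sample, it reports a single destination port (34956) hit by eight distinct sources over roughly 31 hours, all from ephemeral client ports, which is the pattern of many hosts probing one port rather than one host sweeping a range.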

  3. #13
    Senior Member
    Join Date
    Oct 2004
    Posts
    122
    I tried tracing those IPs; three of them turn out to be from the Netherlands. I had a similar problem a month back: someone from the Netherlands tried to connect to one of my system ports, but most interestingly my internet connection is non-tax-paid, I mean it is illegal, no global IP address, I am connected to the internet through a LAN. Still, whoever it was, he was able to get my IP address and tried to connect to some port number (don't remember).

    Merlin775 have you been using any security scanners or port scanner or any related tools recently?
    nobody is perfect i am nobody

  4. #14
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    nc -L -p34956 >>listen.txt

    start a netcat server listening on that port, open the fw to it...and see what you get!
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #15
    Junior Member
    Join Date
    Sep 2004
    Posts
    12

    Recently

    I have not been running any scanners or anything of the sort recently. Work is simply too busy right now to do the extra fun things on our servers.

    Tebob - You lost me so I am going to have to spend some time looking up what you posted. Any newbie advice for your post would be appreciated.

    Merlin775

    [-edit-]
    I just found the PR Parser tool in windows. How does it rate for doing what I am asking? Further, I just read the tutorial on here that mentions netcat and was wondering. If I open this port on my firewall to find out what this connection is doing then aren't I opening my system to this? Meaning I am now unprotected and in danger of system problems.

    This is a first for me so all advice is appreciated.
    The only consistent thing about me is my lack of consistency

  6. #16
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I recently left a box kinda "lying around" out there with ethereal running to see what I got.... See here.

    Having been a bit busy since starting this I have to say I noted a lot of connection attempts in the 34xxx range, (the details elude me right now and my work box is being er.... fixed....), so I can't be precise but it was a range up there a few days ago. My firewall logs were confirming this too.

    Just a note to add.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #17
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    http://www.securityfocus.com/tools/139/scoreit

    Very simply put, netcat is a command line utility that can be made to send to or listen on any port.

    Started like this "nc -L -p34956 >>listen.txt" it will listen on port 34956 and redirect its output (which is anything that's sent to it) to a text file called listen.txt, so any attempts to log on or commands sent to it will be recorded.

    With the amount of info I'm finding about the use of this port... if you're really curious this might be the only way to find out anything.

    It could be a port used by a warez FTP server. Warez gangs are always looking for the other gangs' servers. But it really could be anything.

    Just saw your addition. I don't really feel this would be a threat to security. It's not like you're opening a shell. All that can be done to netcat is to crash it with a flood of info and then the port's not open any more. Now if you set netcat up to start cmd.exe when a connection is made then you have problems.

    I like Tiger Shark's idea... gonna look into that!
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
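    The listener Tedob1 describes, written out as an added Python example (this is not netcat and not code anyone posted in the thread): like `nc -L -p34956 >>listen.txt` it accepts a connection on the port, records whatever the remote side sends and answers nothing, but it also caps how much it reads per connection so the "flood of info" mentioned above fills a few kilobytes of the log rather than the disk, and it times out on peers that connect and say nothing. Port 34956 and the file name listen.txt come from the thread; the class and function names, the 4 KiB cap and the timeout are this example's own choices.

    ```python
    import socket
    import socketserver
    import threading
    import time
    from datetime import datetime

    MAX_BYTES = 4096         # per-connection cap (assumed value): a flood fills 4 KiB, not the disk
    READ_TIMEOUT = 3.0       # seconds to wait for a silent peer before recording and closing
    LOG_FILE = "listen.txt"  # same destination the nc command in the thread redirects to


    class RecordingHandler(socketserver.BaseRequestHandler):
        """Accept a connection, read what the peer sends, record it, answer nothing."""

        def handle(self):
            self.request.settimeout(READ_TIMEOUT)
            chunks, total = [], 0
            try:
                while total < MAX_BYTES:
                    data = self.request.recv(min(1024, MAX_BYTES - total))
                    if not data:           # peer closed its side of the connection
                        break
                    chunks.append(data)
                    total += len(data)
            except (socket.timeout, OSError):
                pass                       # silent or rude peer: keep what we have
            record = {
                "time": datetime.now(),
                "peer": self.client_address[0],
                "peer_port": self.client_address[1],
                "data": b"".join(chunks),
            }
            self.server.records.append(record)
            if self.server.log_path:
                with open(self.server.log_path, "ab") as fh:
                    header = f"[{record['time']:%m/%d/%Y %H:%M:%S}] {record['peer']}:{record['peer_port']} "
                    # repr() keeps control bytes and binary junk printable in the log
                    fh.write(header.encode() + repr(record["data"]).encode() + b"\n")


    class RecordingServer(socketserver.ThreadingTCPServer):
        """One handler thread per connection; nothing is ever executed, only recorded."""
        allow_reuse_address = True
        daemon_threads = True

        def __init__(self, address, log_path=LOG_FILE):
            super().__init__(address, RecordingHandler)
            self.records = []          # in-memory copy of every recorded connection
            self.log_path = log_path   # None disables the file log (used by the test)


    def start_listener(host="0.0.0.0", port=34956, log_path=LOG_FILE):
        """Start the listener in a background thread and return the server object."""
        server = RecordingServer((host, port), log_path)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        return server


    def wait_for_records(server, count, timeout=5.0):
        """Poll until `count` connections have been recorded or the timeout passes."""
        deadline = time.monotonic() + timeout
        while len(server.records) < count and time.monotonic() < deadline:
            time.sleep(0.05)
        return list(server.records)


    def send_probe(host, port, payload):
        """Demo/test helper playing the remote side: connect, send payload, close."""
        try:
            with socket.create_connection((host, port), timeout=3) as s:
                s.sendall(payload)
                s.shutdown(socket.SHUT_WR)
            return True
        except OSError:
            return False   # server hung up first (e.g. the cap was reached); still recorded


    if __name__ == "__main__":
        srv = start_listener()
        print(f"listening on {srv.server_address}, appending to {LOG_FILE}; Ctrl-C to stop")
        try:
            while True:
                time.sleep(1)
        except KeyboardInterrupt:
            srv.shutdown()
    ```

    Because the handler only reads and records, a connecting host gets no banner, no shell and no response at all; the worst it can do is fill the 4 KiB allotted to its connection. As Tiger Shark's post suggests, the sensible place to run something like this is a sacrificial machine rather than a production server.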

  8. #18
    Senior Member
    Join Date
    Oct 2004
    Posts
    122
    Merlin775 can you search your computer for sysman32.exe
    nobody is perfect i am nobody

  9. #19
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by morganlefay
    Maybe its that new worm ....

    http://securityresponse.symantec.com...32.setclo.html
    New?!? Discovery date is 21st of june.......

    http://vil.nai.com/vil/content/v_126342.htm


    It tries to copy itself to open network shares...
    Therefore it would use ports 135-139 and/or 445, not port 34956.
    There's no mention of a backdoor being installed by this worm.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #20
    Junior Member
    Join Date
    Sep 2004
    Posts
    12
    littlenick >> No, I don't have any copies of that file on my servers.

    Tedob1 >> Thanks for the answer, I am reading your tutorials now. I also like Tiger Shark's idea and am going to look into that. I could take one of our old machines that are no longer in use and place it outside the firewall. I like that idea a lot actually.

    I have a lot of 3xxxx range hits on my wall. Our e-mail service provider uses a host that tries to connect in that range to run a connection optimization program of their design. However that always runs from one of three IP addresses so they are easy to distinguish.

    Merlin775
    The only consistent thing about me is my lack of consistency
