
Thread: Port Scan Attack

  1. #21
    Member
    Join Date
    Sep 2005
    Posts
    77
    Here are a few ideas with the info given thus far:

    Aside from someone manually running port scans against you (which is unlikely if it's happening every day), you will commonly receive scans from machines that are infected with worms. They often run ping sweeps across large IP ranges looking for a response back. If they get a response back, they will sometimes run port sweeps against your IP looking for services that are running. If certain services appear to be open, it might attempt to exploit the service. All of this done autonomously of course.... scary huh?

    On another note, if the scan originated from an internal IP, it might be something as simple as Yahoo messenger.... or some other messenger for that matter. Crafty programs attempt to subvert firewalls by seeing what ports you have open. Sometimes problematic in a corporation that tries to filter IM'ing.

    Similar to what Mystery Man said... If you ever ran P2P file sharing programs like Bearshare or eDonkey, and then quit/uninstalled it, you may see P2P servers/supernodes running scans against you or certain IP ranges looking for active P2P clients... but this is usually targeted against specific ports rather than a large range. I commonly see ping sweeps against ports 6346-6348 (Gnutella ports).

    And as ech0 stated... find out where it is originating from. It MIGHT shed some light on the subject. I like using D-shield, a web based 'WhoIs' which also lets you know if there are many negative reports against that IP (great for determining false positive behavior). www.dshield.org/ipinfo.php

    Scans from China often are MSSQL worm propagation. Scans from Morocco & Turkey seemingly are often after compromising/defacing web pages.... (sorry if I am stereotyping - no offense meant to any of those countries) ; ) The hostname belonging to the IP may give you quite a bit of info.... whether or not it's a cable/dsl user, a server (and maybe what type of server), if it comes from a specific website... or ad-server.

    Either way... good luck!

    %42%75%75%75%75%72%70%21%00
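The patterns the post describes (an ICMP ping sweep followed by a port sweep, and leftover P2P probes confined to the Gnutella ports 6346-6348) can be picked out of a firewall log by grouping events per source address. The script below is an added example, not code from the post or the forum; it assumes Linux netfilter-style `LOG` lines (a format the post does not show), uses constructed sample lines with RFC 5737 documentation addresses, and the sweep thresholds are arbitrary choices.

```python
import re
from collections import defaultdict
# Constructed sample lines in the style of the Linux netfilter LOG target (format assumed;
# the post quotes no log lines). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Oct 12 03:14:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
Oct 12 03:14:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.6 PROTO=ICMP TYPE=8 CODE=0
Oct 12 03:14:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.7 PROTO=ICMP TYPE=8 CODE=0
Oct 12 03:14:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4412 DPT=135 SYN
Oct 12 03:14:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4413 DPT=139 SYN
Oct 12 03:14:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4414 DPT=445 SYN
Oct 12 03:20:33 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=6346 DPT=6346 SYN
Oct 12 03:20:34 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=UDP SPT=6346 DPT=6347
Oct 12 03:31:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=51022 DPT=80 SYN
"""

GNUTELLA_PORTS = range(6346, 6349)  # 6346-6348, the range the post mentions
PORT_SWEEP_MIN = 3  # distinct destination ports from one source (threshold is a choice)
PING_SWEEP_MIN = 3  # distinct hosts sent ICMP echo requests from one source (also a choice)

def parse_line(line):
    """Return the key=value fields of one netfilter LOG line as a dict (flags like SYN are skipped)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def summarize(log_text):
    """Group events by source: hosts probed with ICMP echo, and TCP/UDP destination ports hit."""
    per_src = defaultdict(lambda: {"echo_targets": set(), "ports": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if "SRC" not in f:
            continue
        rec = per_src[f["SRC"]]
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":  # ICMP type 8 = echo request
            rec["echo_targets"].add(f["DST"])
        elif "DPT" in f:
            rec["ports"].add(int(f["DPT"]))
    return per_src

def classify(rec):
    """Label one source using the patterns described in the post."""
    labels = []
    if len(rec["echo_targets"]) >= PING_SWEEP_MIN:
        labels.append("ping-sweep")
    if len(rec["ports"]) >= PORT_SWEEP_MIN:
        labels.append("port-sweep")
    if rec["ports"] and rec["ports"] <= set(GNUTELLA_PORTS):  # every port hit is a Gnutella port
        labels.append("gnutella-probe")
    return labels or ["single-hit"]

def classify_log(log_text):
    return {src: classify(rec) for src, rec in summarize(log_text).items()}
if __name__ == "__main__":
    for src, labels in classify_log(SAMPLE_LOG).items():
        print(f"{src:<15} {', '.join(labels)}")
```

Once a source is labelled, its address is what you would look up on the DShield page the post links to.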

