-
June 8th, 2004, 03:18 PM
#1
Strange Port Scan
My SonicWALL's showing some strange activity that's started repeating daily since around last week. Every day, I get a series of alerts within the same time frame. I have port scans coming in from 64.94.110.12, which takes you to the Verisign website if you enter it into your web browser. During that same time frame, I'm receiving fraudulent Microsoft Certificates from the same IP that are being blocked by the firewall.
So what's up with this?
-
June 8th, 2004, 03:35 PM
#2
Block the IP. And the reason you get the Verizon website (I believe) is because that's the person's provider/ISP. Also, what port is being probed?
-
June 8th, 2004, 03:41 PM
#3
An infected CRL server? Is the port scan from this server at regular times each day? Sounds like it might be a worm. Might want to remove their IP as they could be innocent of the activity and might want to notify Verisign of this (as a courtesy).
-
June 8th, 2004, 04:59 PM
#4
Is this related to your query in this thread AngelicKnight?
If so, and the port numbers are the same.. hmm.. interesting.. I wonder why Verisign would portscan you.. and why only those ports? If Verisign were 0wn3d (worst case scenario), wouldn't the attacker be scanning you all over rather than just those particular ports? And I'm not too aware of any vulnerability for those ports either, so it makes me think that Verisign's behind it and the intent isn't malicious.
EDIT: Oops, forgot to post the damned thread lol, here it is: http://www.antionline.com/showthread...696#post753696
-
June 8th, 2004, 05:04 PM
#5
Yep Renegade, it is directly related to the other thread I started. It's been a week or so since that thread was active, so I couldn't find the dang thing to continue with it and had to start a new one.
Ports scanned are: 1183, 1184, 1185, 1186, 1187, 1105, 1104, 1106, 1107 and 1108.
-
June 8th, 2004, 05:16 PM
#6
Angelic, your router/fw is disabled for ICMP redirect and source-route frames, right? Maybe it's an IP spoof attack.
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
June 8th, 2004, 05:19 PM
#7
You're not using a P2P software such as LimeWire, are you? I noticed weird patterns when I started blocking IPs on ports and then realized these hits were individuals sharing files via P2P.
-
June 8th, 2004, 07:23 PM
#8
caco -- I have yet to find any such settings, so they shouldn't be active.
CT -- No P2P stuff.
-
June 8th, 2004, 07:36 PM
#9
If I'm correct, the attacker is using Verisign's IP address (that is supposed to be trustful) and redirecting your response to "his" computer.
Usually all fw have protection against this kind of attack. But I'm not sure about Sonic.
-
June 8th, 2004, 07:52 PM
#10
IP spoofing? I don't think so cacosapo, it'd again mean that Verisign had been 0wn3d of sorts or was subject to a DDoS attack of some kind, which brings us back to the simple point of... if someone were to mess with a reputed company like Verisign just to attack AngelicKnight (no offense meant here mate), he'd be mighty stupid.. daring.. and just plain DUMB.. why not just attack a smaller network and use it instead? Which makes me think that the scan's being conducted by Verisign.