I have to admit, I've gotten a little lazy about reading through my firewall logs on my home machine every day, but today I was looking back through my daily reports for the last 2 weeks and noticed a couple of odd port scans. I've been getting these scans from multiple IPs (2-4 of each per day) every day for that period. I'll put up a netcat listener this evening to see if I can get some packets, but I was wondering if any of our loyal readers had any idea what is going on here? Based on some of the ports being scanned, I'm guessing they are looking for open proxies to use as relays, among other things, but some of those ports are new to me. Has anyone else seen them or know what they are actually looking for?

From aa.bb.cc.dd - 252 packets

From ee.ff.gg.hh - 32 packets
Jim 423 Posts ISC Handler Nov 24th 2010
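As an added example (not from the diary or from the ISC), here is a small Python summariser that does what the diary describes doing by hand: it groups dropped packets by source address across days, keeps only sources that keep coming back, and notes when a source uses one constant source port, as the commenters report for 12200. The iptables-style log lines, addresses and ports below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed iptables-style DROP lines (made-up addresses): one source
# returns on three consecutive days with a fixed source port, the other twice.
SAMPLE_LOG = """\
Nov 22 03:11:02 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=3389
Nov 22 03:11:03 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=5900
Nov 22 03:11:04 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=3128
Nov 22 09:40:11 gw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=41233 DPT=80
Nov 23 02:58:40 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=1433
Nov 23 02:58:41 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=2301
Nov 24 04:02:19 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=40080
Nov 24 11:15:55 gw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=443
"""

# Service names the thread itself attaches to these destination ports.
KNOWN_PORTS = {73: "net remote job", 1433: "MS SQL", 2301: "HP remote diag",
               3128: "Squid", 3389: "RDP", 5900: "VNC", 10000: "Veritas"}

LINE_RE = re.compile(r"^(?P<day>\w{3} +\d{1,2}) \S+ .*?SRC=(?P<src>\S+) "
                     r".*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

def summarise(log_text, min_days=2):
    """Group dropped packets by source; keep sources seen on >= min_days days."""
    per_src = defaultdict(lambda: {"packets": 0, "days": set(),
                                   "dports": set(), "sports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall DROP line in the expected shape
        rec = per_src[m["src"]]
        rec["packets"] += 1
        rec["days"].add(m["day"])
        rec["dports"].add(int(m["dpt"]))
        rec["sports"].add(int(m["spt"]))
    return {s: r for s, r in per_src.items() if len(r["days"]) >= min_days}

def report(summary):
    """One line per repeat source, busiest first, naming known services hit."""
    lines = []
    for src, rec in sorted(summary.items(), key=lambda kv: -kv[1]["packets"]):
        # A single source port across many probes (e.g. 12200) is a tool signature.
        spt = f", fixed SPT={next(iter(rec['sports']))}" if len(rec["sports"]) == 1 else ""
        svcs = ", ".join(KNOWN_PORTS[p] for p in sorted(rec["dports"]) if p in KNOWN_PORTS)
        lines.append(f"{src}: {rec['packets']} packets on {len(rec['days'])} days, "
                     f"{len(rec['dports'])} dst ports{spt}; known: {svcs or 'none'}")
    return lines
```

Running `print("\n".join(report(summarise(SAMPLE_LOG))))` lists the two repeat sources, with the fixed-SPT source first.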
Nov 24th 2010
The 252 packet sample appears to be a search for standard remote access, web, and SNMP ports. Normal noise. But was the second scan coming from IPs on a Chinese IP block? I see these port scan patterns all day long on various networks, particularly Comcast broadband networks, usually sourced from China, but occasionally from sites in Europe. Any chance the source port is 12200 or 6000?
Alan 57 Posts
Nov 24th 2010
Looks pretty ordinary as far as scans go - just snooping, I'd say.
Chavez243 15 Posts
Nov 24th 2010
I see such traffic all day long. These are port scans from different IPs all around the world, mainly from China, Brazil and Russia. The source ports also include 11000 & 14000. I also see horizontal & vertical port scans on port 1433 (SQL) & 10000 (Veritas remote backup). The best way is to block these IPs at the border router for a period of around 30 days, so that they do not even reach the firewall.
hcbhatt 14 Posts
Nov 24th 2010
Yup, many of the source ports are 12200.
Jim 423 Posts ISC Handler
Nov 24th 2010
Yeah, I am mostly just wondering what they were looking for on, for example, tcp 73, tcp 2301, or tcp 40080. Are those standard proxy ports? I also thought the SNMP along with the remote access was an odd combination.
Jim 423 Posts ISC Handler
Nov 24th 2010
I don't believe they're typically used. If I remember, I've seen 2301 and 40080 in reference to network gaming ports.
Jim 1 Posts
Nov 25th 2010
Those scans are probably looking for open proxies, different servers (Tomcat, SQL etc. control panel ports), VoIP and some other stuff like that.
That I see every day on all my webservers. Also, I checked what Google said about that 12200 source port and found one interesting line from one discussion board: "I guess it may be possible that someone is using ghostsurf to attempt to use someone else's ghostsurf open proxy installation as part of a multilayer proxy." So maybe just normal scanning all around.
Jillian 2 Posts
Nov 25th 2010
Source port 12200 is definitely Ghostsurf, but it seems to have load balancing capabilities too. My firewall was getting pummeled from China on that port... destination ports were almost always the usual remote access ports you showed, Jim. Those who say China isn't up to something are seriously nuts.
HackDefendr 65 Posts
Nov 25th 2010
Agreed. Even though the government of China certainly isn't behind all of it, or probably even much of it, they still run all external traffic through the Great Firewall of China. At a minimum I'm sure they're passively logging all attacks going outbound, logging whether they were successful and building a catalog of vulnerable systems for possible future use.
Just like other governments around the world are doing.
Anonymous
Nov 25th 2010
3389 is Windows RDP and 5900 is default for VNC.
Anonymous
Nov 25th 2010
Yup, and 3128 is the default for the Squid web proxy.
Jim 423 Posts ISC Handler
Nov 26th 2010
TCP 73 is used by net remote job service.
TCP 2301 is used by the HP Compaq remote diagnostic management tool.
TCP 40080 is apparently used by Mercury Messenger and webcam.
Draw your own conclusions, but IP blocking is relatively ineffective. When you block by IP or even subnet, the attacks/probes move to another source subnet within a matter of hours in most cases. Nor are they all sourced from China; I've seen them from Scotland, Great Britain, France, Romania, and even the US. However, the vast majority (98 percent or better) are sourced from China. But the fact that there are sources outside of China indicates a wider network of attack sources or a tool distributed to multiple parties.
Alan 57 Posts
Nov 27th 2010
IP blocking is relatively ineffective, I agree. I have stopped attacks against FTP sites by blocking whole countries' IP ranges. After reading this I came up with an idea. For home networks, what harm could there be in blocking all countries except for the one you are actually in? How much of your home Internet browsing is global?
It's a concept I've been thinking about for a while: home firewalls/routers that come locked down, forcing the user to open up only what they need. A simple setup question: what country are you in? Microsoft did a similar thing with their servers a while ago and it did help. There are far fewer misconfigured IIS servers running today than there used to be.
RobM 14 Posts
Nov 29th 2010
For a home network you might want to also block all of the fine web hosting firms in the US and offshore. Chances of breaking things - on a home network - by redirecting packets (to your choice of $foo) originating on SRC port 12200 are minimal. If that's something that interests you :)
RobM 3 Posts
Dec 1st 2010