Portscan help

Portscan help

Post by r.. » Fri, 07 May 1999 04:00:00



Hi:

I need help determining what ports are being scanned
on my machine. Over the last 4 months, I received more
than 1000 dubious packets, summarized below. The most
popular one is a TCP connection to port 2001. I can find
no reference whatsoever to this port in past posts to
this group. Can someone help me out by telling me what
this port is? Is it something I should be reporting or
is it `innocent'?

Rich.

Most popular ports scanned:
    977 tcp 192.168.22.14:2001
    226 tcp 192.168.22.14:23            telnet
     86 tcp 192.168.22.14:2121
     85 tcp 192.168.22.14:1080          web proxy servers?
     35 tcp 192.168.22.14:6667          IRC?
     24 udp 193.63.255.4:111            some Windoze thing?
     24 tcp 212.228.121.204:25          smtp
     23 tcp 192.168.22.14:5500
     22 udp 192.168.22.14:31337         BackOrifice
      8 tcp 192.168.22.14:12345
      7 udp 202.12.27.33:53             DNS
      7 udp 198.41.0.4:53
      7 udp 198.32.64.12:53
      7 udp 192.36.148.17:53
      7 udp 128.8.10.90:53
      6 icmp 207.25.71.9:0
      5 udp 192.112.36.4:53
      4 udp 198.41.0.10:53
      4 tcp 192.168.22.14:5108
      4 tcp 192.168.22.14:5107
      4 tcp 192.168.22.14:3128
      3 udp 193.0.14.129:53
      3 udp 192.5.5.241:53
      3 udp 192.33.4.12:53
      3 udp 192.203.230.10:53
      3 udp 192.168.22.14:137
      3 udp 128.9.0.107:53
      3 udp 128.63.2.53:53
      1 udp 192.168.22.15:31337
      1 udp 192.168.22.12:31337
      1 tcp 192.168.22.14:79
      1 tcp 192.168.22.14:53
      1 tcp 192.168.22.14:139

--

+44 171 384 6917         Unit 2 Piper Centre Premier European email service
http://www.annexia.org   50 Carnwath Road    Original message content
                         London              Copyright © 1999 Richard Jones


Portscan help

Post by pheni » Sat, 08 May 1999 04:00:00


Hi everybody,

From RFC1700 Assigned numbers


$Hi:
$
$I need help determining what ports are being scanned
$on my machine. Over the last 4 months, I received more
$than 1000 dubious packets, summarized below. The most
$popular one is a TCP connection to port 2001. I can find
$no reference whatsoever to this port in past posts to
$this group. Can someone help me out by telling me what
$this port is? Is it something I should be reporting or
$is it `innocent'?
$
$Rich.
$
$Most popular ports scanned:
$    977 tcp 192.168.22.14:2001
Port 2001/tcp is dc port :))) I don't know exactly what it is :))
$    226 tcp 192.168.22.14:23           telnet
OK
$     86 tcp 192.168.22.14:2121
Not defined
$     85 tcp 192.168.22.14:1080         web proxy servers?
socks ??
$     35 tcp 192.168.22.14:6667         IRC?
Yes but not as an assigned number
$     24 udp 193.63.255.4:111           some Windoze thing?
====> SUN RPC remote procedure call
$     24 tcp 212.228.121.204:25         smtp
OK
$     23 tcp 192.168.22.14:5500
Not defined
$     22 udp 192.168.22.14:31337                BackOrifice
Of course
$      8 tcp 192.168.22.14:12345
another Back Orifice or NetBus
$      7 udp 202.12.27.33:53            DNS
$      7 udp 198.41.0.4:53
$      7 udp 198.32.64.12:53
$      7 udp 192.36.148.17:53
$      7 udp 128.8.10.90:53
DNS used
$      6 icmp 207.25.71.9:0
0 ??? reserved but nothing about it
$      5 udp 192.112.36.4:53
$      4 udp 198.41.0.10:53
DNS used
$      4 tcp 192.168.22.14:5108
$      4 tcp 192.168.22.14:5107
????
$      4 tcp 192.168.22.14:3128
Nothing defined
$      3 udp 193.0.14.129:53
$      3 udp 192.5.5.241:53
$      3 udp 192.33.4.12:53
$      3 udp 192.203.230.10:53
DNS used
$      3 udp 192.168.22.14:137
NetBIOS name service
$      3 udp 128.9.0.107:53
$      3 udp 128.63.2.53:53
DNS
$      1 udp 192.168.22.15:31337
$      1 udp 192.168.22.12:31337
BO
$      1 tcp 192.168.22.14:79
finger
$      1 tcp 192.168.22.14:53
DNS
$      1 tcp 192.168.22.14:139
NetBIOS session service
$
$--

$+44 171 384 6917         Unit 2 Piper Centre Premier European email service
$http://www.annexia.org   50 Carnwath Road    Original message content
$                         London              Copyright © 1999 Richard Jones
Ok

I suppose you use Unix :))

The ports are defined in /etc/services; see if these ports exist on
your servers, it's the first thing to do :)))

Back Orifice, NetBus or NetBIOS :)) not important on a Unix system :)))

telnet, smtp, dns, rpc ==> I don't know exactly, not sure, in 99% newbie
hacks

2001 ==> I don't know, someone with more information

Regards

Eric Diologeant

http://perso.club-internet.fr/phenix1



One sees clearly only with the heart.
What is essential is invisible to the eye.

               Antoine de Saint-Exupéry


Portscan help

Post by r.. » Sat, 08 May 1999 04:00:00


: Hi everybody,

: From RFC1700 Assigned numbers

I just want to make myself a bit clearer. I'm of
course fully aware of the IANA and /etc/services.
However, these *do not* cover many of the ports
that my machines are attacked on. Presumably the
authors of NetBus and other trojans didn't bother
to register their port numbers :-) I'm particularly
interested in tcp port 2001 which is `dc' in the
IANA table -- whatever dc is -- but why would people
attack this port so frequently?

Rich.

--

+44 171 384 6917         Unit 2 Piper Centre Premier European email service
http://www.annexia.org   50 Carnwath Road    Original message content
                         London              Copyright © 1999 Richard Jones


Portscan help

Post by Jerom » Sat, 08 May 1999 04:00:00


>tcp port 2001 which is `dc' in the
>IANA table -- whatever dc is -- but why would people
>attack this port so frequently?

It might just not be an attack, but a misconfigured software running on
whatever host, and trying to contact 'something' perfectly legal, but to the
wrong IP... it is just too badly coded to check for errors...

Jerome.


Portscan help

Post by Ewald Wassche » Sun, 09 May 1999 04:00:00



> >tcp port 2001 which is `dc' in the
> >IANA table -- whatever dc is -- but why would people
> >attack this port so frequently?

This port is I believe used by ICQ. If your host is a masquerading
firewall and one of the users on the internal network is using ICQ
without a proxy or something you could see these connection attempts
when someone is trying to initiate a connection to the ICQ user on your
internal subnet.

> It might just not be an attack, but a misconfigured software running on
> whatever host, and trying to contact 'something' perfectly legal, but to the
> wrong IP... it is just too badly coded to check for errors...

Yep, if what I described is the case, you could take a look at the
ICQ-firewall page:

http://www.icq.com/firewall/

When you're using linux you should absolutely have a look at the
ip_masq_icq module (you'll find it at freshmeat.net), it's great!

Ewald


Portscan help

Post by KAbraha4 » Mon, 10 May 1999 04:00:00


>Subject: Re: Portscan help + socks 2001

>Date: 5/7/99 8:56 AM Pacific Daylight Time

>>tcp port 2001 which is `dc' in the
>>IANA table -- whatever dc is -- but why would people
>>attack this port so frequently?

>It might just not be an attack, but a misconfigured software running on
>whatever host, and trying to contact 'something' perfectly legal, but to the
>wrong IP... it is just too badly coded to check for errors...

>Jerome.

We use print spooler software which communicates to a terminal server at ports
2001-2016 and 4001-4016. Undoubtedly there are other products which do the
same. I'm not positive but somehow I seem to remember that ports above 2000
are not reserved but available for 'general use'. Feel free to update me on
this if others have more recent information.
ken

1. Detect/Alert portscan HELP!!!!

Hi there,

I set up my linux box (SUSE 6.1) being my PPP-Server to the internet.
To provide some sort of security I use IPCHAINS to block any unwanted
intrusions.
After letting through all the ports I need to the box, I deny anything else.
I would like to have my linux box alert me, if e.g. somebody portscans my
box or uses a port explicitly DENIED in IPCHAINS.
Of course I can see anything in /var/log/messages but I was thinking of
something like a mail to root etc.

Anybody have an idea ?

Thanks

Dave

--------------
To mail me, remove NOSPAM in email address.
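Eric's advice earlier in the thread (check the hit ports against /etc/services) and Dave's question here (get told when ipchains denies something, rather than reading /var/log/messages by hand) can be handled by one small script; the Python below is an added example, not code from any of the posters. It parses ipchains "Packet log:" lines, tabulates hits per destination port with the service name from an /etc/services-style table, and lists sources that probed several denied ports, which is the kind of output worth mailing to root. The log lines, the services excerpt and all IP addresses are constructed samples, and the log layout is the ipchains `-l` format as I recall it, so check it against a real /var/log/messages before relying on the regex.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in /etc/services layout; on a real host read the file itself.
SERVICES_TEXT = """\
telnet      23/tcp
netbios-ns  137/udp
socks       1080/tcp
dc          2001/tcp
"""

# Constructed ipchains "Packet log:" lines in the layout written to /var/log/messages.
LOG_LINES = [
    "May  9 10:01:02 gw kernel: Packet log: input DENY ppp0 PROTO=6 10.9.8.7:1034 192.168.22.14:2001 L=60 S=0x00 I=31002 F=0x4000 T=52 SYN (#7)",
    "May  9 10:01:03 gw kernel: Packet log: input DENY ppp0 PROTO=6 10.9.8.7:1035 192.168.22.14:23 L=60 S=0x00 I=31003 F=0x4000 T=52 SYN (#7)",
    "May  9 10:01:03 gw kernel: Packet log: input DENY ppp0 PROTO=17 10.9.8.7:1036 192.168.22.14:137 L=78 S=0x00 I=31004 F=0x0000 T=52 (#7)",
    "May  9 10:02:40 gw kernel: Packet log: input DENY ppp0 PROTO=6 172.16.0.9:2288 192.168.22.14:2001 L=60 S=0x00 I=4410 F=0x4000 T=115 SYN (#7)",
    "May  9 10:03:00 gw kernel: Packet log: input ACCEPT ppp0 PROTO=6 172.16.0.9:2290 192.168.22.14:25 L=60 S=0x00 I=4412 F=0x4000 T=115 SYN (#2)",
]

LOG_RE = re.compile(r"Packet log: \S+ (?P<target>\w+) \S+ PROTO=(?P<proto>\d+) "
                    r"(?P<sip>[\d.]+):\d+ (?P<dip>[\d.]+):(?P<dport>\d+)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def load_services(text):
    """Map (port, proto) -> name from lines in /etc/services layout ('name port/proto')."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return {(int(f[1].split("/")[0]), f[1].split("/")[1]): f[0] for f in rows if len(f) >= 2}

def parse_denied(lines):
    """(src_ip, proto, dst_ip, dst_port) for every DENY line; ACCEPT lines are ignored."""
    hits = [m for m in map(LOG_RE.search, lines) if m and m.group("target") == "DENY"]
    return [(m["sip"], PROTO_NAMES.get(int(m["proto"]), m["proto"]), m["dip"], int(m["dport"]))
            for m in hits]

def summarize(events, services):
    """Per-port hit counts, most popular first, annotated like Rich's table."""
    counts = Counter((proto, dip, dport) for _, proto, dip, dport in events)
    return [(n, proto, f"{dip}:{dport}", services.get((dport, proto), "not in services"))
            for (proto, dip, dport), n in counts.most_common()]

def scan_sources(events, min_ports=3):
    """Sources that hit at least min_ports distinct denied ports: worth a mail to root."""
    seen = defaultdict(set)
    for sip, proto, _, dport in events:
        seen[sip].add((proto, dport))
    return {sip: sorted(p) for sip, p in seen.items() if len(p) >= min_ports}
```

Run it from cron over the day's log and pipe the output of `summarize` and `scan_sources` to `mail root`; a port that comes back as "not in services" is exactly the case Rich ran into with 2001 and NetBus-style ports.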
