Port Scans [Archive] - Glock Talk



GlockerMike
11-09-2010, 19:10
My firewall popped up a warning while browsing the forums here. Pretty weird, the IP belongs to Internet Brands, the makers of the forum software vBulletin, that's used here. Maybe they scan for hacked copies of their software? But why would they scan a 'client's' machine? I'm a user, not a host.

From the log.....

7:00:51 PM
67.201.17.239
Host blocked for 5 min
SCAN (21500, 21244, 20988, 20732, 22524, 22268, 22012)

kc8ykd
11-09-2010, 23:36
most likely, whatever scanned you scanned the /20 or more that you're in for those ports. those are pretty high-level ports, and they don't match any standard well-known ports, so i'd assume whatever it was, was looking for a hacked machine, looking to give it commands maybe.

i would guess internet brands hosts a fair number of machines, i didn't take the time to nmap their 2 /24's that are swipped to them..

i would guess they have a server, or more likely a virtual server that may be compromised and looking for other similar hosts.

it's quite interesting you saw such a direct action, do you have a hardware firewall or router between your computer and your internet connection?

GlockerMike
11-10-2010, 03:39
..... it's quite interesting you saw such a direct action, do you have a hardware firewall or router between your computer and your internet connection?
Yeah, I've got a linksys router hooked up. I also use Outpost Pro because I got free lifetime updates when I bought it cheap many years ago. And Nod32 thrown in for good measure. I didn't use any of it until I got my new box with 12gb memory, so I put 'em back on. :supergrin:

kc8ykd
11-10-2010, 13:17
well, that's quite unusual then..

what model of linksys are you using?

i'm assuming you're using non-routable ip's on your local network (linksys does that out of the box, so i'd consider it a fairly safe assumption, unless it's something you changed). if that's the case, the portscans you saw may indicate an infection of some sort on your machine. it also could indicate something else on your local network was trying to scan your machine using spoofed ip addresses, or, if you've got wireless, a possible unauthorized user.

basically, the internet doesn't know about or have any way to address your computer specifically unless you initiate a connection from it to someplace on the internet through your firewall first, since (i'm assuming) your local ip addresses aren't routable.

(unless you have some static port translations set up on your router, which you may if you use torrents; even then, it would probably only be a single mapping)

so, with the firewall in place, a potential attacker may try and scan your router/firewall's ip address at random and the router would respond by dropping the packets (similar to 'i don't know who that traffic is intended for, so i'm going to discard it') since the router/firewall doesn't have a record in its nat table of your computer initiating any outbound connections on those ports.

i would assume the firewall software you're using probably checks inbound connections and tries to match them against prior outbound connections and that was how it determined the connections were a threat. but, i'm not familiar with Outpost Pro.

thus, another possibility is that Outpost is misreporting the thwarted alleged threat, for whatever reason (maybe to encourage an upgrade to a newer version, who knows).

GlockerMike
11-10-2010, 13:28
well, that's quite unusual then..

what model of linksys are you using?
Linksys WRT54GS with wireless.

i'm assuming you're using non-routable ip's on your local network (linksys does that out of the box, so i'd consider it a fairly safe assumption, unless it's something you changed). if that's the case, the portscans you saw may indicate an infection of some sort on your machine. it also could indicate something else on your local network was trying to scan your machine using spoofed ip addresses, or, if you've got wireless, a possible unauthorized user.

I haven't changed anything on it. I'm using WPA2 + AES and a strong password and the MAC filter allowing only my 2 machines. Clients table shows only my 2 machines.

I snipped the rest because it gave me a headache trying to understand. :supergrin:

But thanks for explaining all of that.

kc8ykd
11-10-2010, 13:47
no worries :)

the wrt54gs is a nice router/firewall. i use one myself, as an access point actually.

the way that router runs is exactly as i assumed earlier:

the router won't allow random traffic from the internet side through to your private network (without a static mapping, something you would have to setup manually).

the only traffic allowed from the internet to your network is traffic that is in response to something that something on your internal network initiated. for example, you request a web page and the web server responds with the page; that's legit inbound traffic in the eyes of your router. some random device on the internet just stopping in to say hi isn't, and wouldn't be allowed through your linksys.

think of your linksys as a really pissy doorman to your house, whose favorite response to unsolicited visitors is 'don't call us, we'll call you'. unless you decide to open the door and talk to someone, nobody can pass through the door and into your house. but your linksys tracks your conversations to see when they start and when they finish, so someone on the outside can't just say 'hey, i've got an appointment, let me in...' and get through.

it's good you're running WPA2 for wireless, i would discount an unauthorized user on that as being the source at this point because of that.

so, we're left with a possible infection on the machine (rootkit, or some other unknown virus or worm), or that the software firewall is making it up..
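The stateful NAT/firewall behaviour kc8ykd describes above (only replies to connections the LAN started get in, a third party cannot claim an existing "appointment", and a static port forward is the one exception) is easy to see in a toy model. The following Python is an added illustration written for this page; it is not code from the forum or from Linksys firmware. The addresses, the port-forward entry and the packet format are all constructed for the example; the scanned ports are the ones from the log at the top of the thread.

```python
"""Toy model of a stateful NAT/firewall (added example, not the router's code).

LAN 192.168.1.0/24 behind an assumed public address 203.0.113.10 (TEST-NET-3).
Remote addresses 198.51.100.5 / 192.0.2.77 are documentation ranges, chosen here.
"""
from dataclasses import dataclass
import ipaddress
import itertools

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed RFC 1918 LAN
WAN_IP = "203.0.113.10"                            # assumed public (WAN) address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True on the first packet of a TCP connection


class NatRouter:
    def __init__(self, static_maps=None):
        # external port -> (lan ip, lan port, remote ip, remote port)
        self.table = {}
        # static port forwards: external port -> (lan ip, lan port)
        self.static = dict(static_maps or {})
        self._ports = itertools.count(1024)      # external ports handed out in order
        self.log = []

    def outbound(self, pkt):
        """LAN -> WAN: record the connection and rewrite the source to WAN_IP."""
        assert ipaddress.ip_address(pkt.src) in LAN_NET
        ext_port = next(self._ports)
        self.table[ext_port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(WAN_IP, ext_port, pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt):
        """WAN -> LAN: deliver only replies to known state or static forwards."""
        entry = self.table.get(pkt.dport)
        # The remote address and port must match too: a third party that only
        # knows the external port ("i've got an appointment") is still refused.
        if entry and entry[2] == pkt.src and entry[3] == pkt.sport:
            lan_ip, lan_port, _, _ = entry
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.syn)
        if pkt.dport in self.static:
            lan_ip, lan_port = self.static[pkt.dport]
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.syn)
        self.log.append(f"DROP unsolicited {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return None


def simulate():
    """Walk through the cases discussed in the thread and report what got in."""
    # One assumed static forward, as for a torrent client on the LAN PC.
    r = NatRouter(static_maps={6881: ("192.168.1.20", 6881)})

    # 1. The PC requests a web page: the outbound SYN creates NAT state.
    out = r.outbound(Packet("192.168.1.20", 49152, "198.51.100.5", 80, syn=True))
    # 2. The web server answers the external port it saw: matches state, allowed.
    reply = r.inbound(Packet("198.51.100.5", 80, WAN_IP, out.sport))
    # 3. Someone else aims at that same external port: no matching state, dropped.
    spoof = r.inbound(Packet("192.0.2.77", 80, WAN_IP, out.sport))
    # 4. A scan of the WAN address on the ports from the posted log: all dropped.
    scanned = [21500, 21244, 20988, 20732, 22524, 22268, 22012]
    hits = [r.inbound(Packet("192.0.2.77", 40000, WAN_IP, p, syn=True)) for p in scanned]
    # 5. The static mapping is the one way unsolicited traffic reaches the LAN.
    fwd = r.inbound(Packet("192.0.2.77", 40000, WAN_IP, 6881, syn=True))

    return {
        "reply_delivered_to": (reply.dst, reply.dport) if reply else None,
        "spoof_dropped": spoof is None,
        "scan_dropped": sum(h is None for h in hits),
        "forward_delivered_to": (fwd.dst, fwd.dport) if fwd else None,
        "drops_logged": len(r.log),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The point of case 3 is the one the doorman analogy makes: the router keys its state on the remote address and port as well as the external port, so knowing an open mapping is not enough to get through it. Real connection tracking also expires entries and handles UDP and ICMP, which this model leaves out.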

Linux3
11-12-2010, 08:08
Check your real port settings.
Go to shieldsup!:
https://www.grc.com/x/ne.dll?bh0bkyd2
Click on 'Proceed'.
Click on "All Service Ports"

You want to see nothing but green.

kc8ykd
11-12-2010, 13:20
the scan by that website will be stopped by the linksys that's in place, sans any static port mappings.

it's a great site/utility if you've got a machine just sitting out there without a hardware firewall or router running nat/pat, but a firewall/router will stop that scan since the external traffic to the ports wasn't initiated from the internal network (the single port 80 request won't trigger access to everything else, just to whatever the return port is mapped to in the nat table).

GlockerMike
11-12-2010, 14:07
Yeah, all green lights on that scan.

kc8ykd
11-12-2010, 16:04
to quote When a Stranger Calls, "the calls are coming from inside the house..."

the portscans your software firewall product 'detected' couldn't have originated outside of your private network based on the results of your test.

personally, i'd suspect the software firewall as being the culprit itself, assuming you've checked the other devices on your network for problems and they've come back clean.
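One check a practitioner would run on the log entry posted at the top of the thread is to look at the port numbers themselves. The seven ports are each 256 apart and all share the low byte 0xFC; read with their two bytes swapped they become 64592 to 64599 (with 64596 missing), an eight-port window inside the Windows ephemeral range (49152 to 65535), which is what consecutive client source ports look like. That arithmetic is certain; the interpretation, that the product mixed up byte order and labelled a host's own return traffic as a scan, is consistent with the thread's conclusion but cannot be proven from the log alone. The following Python is an added example written for this page, not code from the forum or from Outpost; the log text is a copy of the lines quoted in the first post.

```python
"""Analyse the ports in the posted firewall log entry (added example).

The LOG constant reproduces the four log lines from the first post; the
byte-swap hypothesis is this example's own interpretation, not Outpost's output.
"""
import re

LOG = """7:00:51 PM
67.201.17.239
Host blocked for 5 min
SCAN (21500, 21244, 20988, 20732, 22524, 22268, 22012)"""

EPHEMERAL = range(49152, 65536)   # Windows Vista+/IANA dynamic port range


def parse_log(log):
    """Pull the source address and the scanned ports out of the log text."""
    ip = re.search(r"^\d{1,3}(?:\.\d{1,3}){3}$", log, re.M)
    scan = re.search(r"SCAN \(([\d,\s]+)\)", log)
    ports = [int(p) for p in scan.group(1).split(",")] if scan else []
    return {"src": ip.group(0) if ip else None, "ports": ports}


def byteswap(port):
    """Swap the two bytes of a 16-bit port (a host/network byte-order mix-up)."""
    return ((port & 0xFF) << 8) | (port >> 8)


def analyse_log(log):
    """Describe the structure of the logged ports, raw and byte-swapped."""
    ports = sorted(parse_log(log)["ports"])
    swapped = sorted(byteswap(p) for p in ports)
    strides = sorted({b - a for a, b in zip(ports, ports[1:])})
    # Gaps in the swapped sequence: ports the window would contain but the log does not.
    missing = [p for p in range(swapped[0], swapped[-1] + 1) if p not in swapped] if swapped else []
    return {
        "src": parse_log(log)["src"],
        "ports": ports,
        "strides": strides,
        "low_bytes": sorted({p & 0xFF for p in ports}),
        "raw_span": ports[-1] - ports[0] if ports else 0,
        "swapped": swapped,
        "swapped_span": swapped[-1] - swapped[0] if swapped else 0,
        "swapped_missing": missing,
        "all_ephemeral": bool(swapped) and all(p in EPHEMERAL for p in swapped),
    }


if __name__ == "__main__":
    for k, v in analyse_log(LOG).items():
        print(f"{k}: {v}")
```

A genuine scan for a backdoor would normally hit the same handful of fixed ports on every host; seven ports that only form a tight, near-consecutive run after a byte swap point at the logging side, which is why the ShieldsUP! result (nothing reaches the PC from outside) and this pattern agree.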