Port scanning

Thread: Port scanning

  1. #1
    Join Date
    Sep 2002
    Location
    Virginia
    Posts
    387

    Port scanning

    Hi all, I have somebody scanning my ports about three times daily, in about 2-minute intervals. The ports that are scanned are 6129, 3127, 1025 and 2745, 80. What are these ports used for? When I do a back trace it goes through 17 hops and ends up at the IP address 69.70.139.2; the name is modemcable002.139-70-69.mc.videotron.ca. The whois info is

    Le Groupe Videotron Ltee VL-13BL (NET-69-70-0-0-1)
    69.70.0.0 - 69.70.255.255
    Videotron Ltee VL-D-MR-45468B00 (NET-69-70-139-0-1)
    69.70.139.0 - 69.70.139.255

    # ARIN WHOIS database, last updated 2004-06-02 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    What or who is scanning my ports? I am using Sygate Personal Firewall. While typing this I got an alert saying
    Somebody is scanning your computer.
    Your computer's TCP ports:
    22, 21, 110, 25 and 1080 have been scanned from 207.33.111.35. This is the whois info for this one.

    OrgName: Verio, Inc.
    OrgID: VRIO
    Address: 8005 South Chester Street
    Address: Suite 200
    City: Englewood
    StateProv: CO
    PostalCode: 80112
    Country: US

    ReferralServer: rwhois://rwhois.verio.net:4321/

    NetRange: 207.33.0.0 - 207.33.255.255
    CIDR: 207.33.0.0/16
    NetName: VRIO-207-033
    NetHandle: NET-207-33-0-0-1
    Parent: NET-207-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS0.VERIO.NET
    NameServer: NS1.VERIO.NET
    NameServer: NS2.VERIO.NET
    NameServer: NS3.VERIO.NET
    NameServer: NS4.VERIO.NET
    Comment: ********************************************
    Comment: Reassignment information for this block is
    Comment: available at rwhois.verio.net port 4321
    Comment: ********************************************
    RegDate: 2001-02-05
    Updated: 2003-08-27

    TechHandle: VIA4-ORG-ARIN
    TechName: Verio, Inc.
    TechPhone: +1-303-645-1900
    TechEmail: [email protected]

    OrgAbuseHandle: VAC5-ARIN
    OrgAbuseName: Verio Abuse Contact
    OrgAbusePhone: +1-800-551-1630
    OrgAbuseEmail: [email protected]

    OrgNOCHandle: VSC-ARIN
    OrgNOCName: Verio Support Contact
    OrgNOCPhone: +1-800-551-1630
    OrgNOCEmail: [email protected]

    OrgTechHandle: VIA4-ORG-ARIN
    OrgTechName: Verio, Inc.
    OrgTechPhone: +1-303-645-1900
    OrgTechEmail: [email protected]

    # ARIN WHOIS database, last updated 2004-06-02 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.


    This one happened twice. Both of these started yesterday. Is this anything to worry about?
    Last edited by jayclark; June 3rd, 2004 at 12:46 PM.
    A foolish man claims to know all, but a wise man accepts he doesn't.

  2. #2
    Join Date
    Oct 2000
    Location
    OH USA
    Posts
    2,945
    What it tells me is that your firewall is working... and if the alerts bother you, I would think you could turn them off somewhere within the program.
    I use ZoneAlarm and can, and you may be able to as well in Sygate.

  3. #3
    Join Date
    Mar 2002
    Location
    sc,united states
    Posts
    3,631
    Your firewall is doing its job. Turn alerts off in Sygate by going to Options; under General, check Hide Notification Messages.
    If I Ain't Crappie Fishin', I'm Thinkin' About It

    listen with your eyes---its the only way to believe what you hear...

  4. #4
    Join Date
    May 2004
    Location
    Colorado, USA
    Posts
    230
    I'd like to preempt this message by saying you should follow the advice of the two previous posters. Your firewall is working and that's all that really matters. Give yourself some peace of mind and turn off reporting for this type of traffic.


    When analyzing un-requested traffic the best way to determine what it is, is to look at the actual packets - often it will just be a TCP SYN, but many times there will be some type of identifying mark in the payload. Without the actual packets you can still make a pretty good guess of what the connection attempt was for. Here's a rundown on the ports you had "scanned".

    From source #1 (69.70.139.2)
    Looks like a specific exploit scan.

    Port - 80
    Scanning for an HTTP/Web server. A very heavily scanned port for exploits because a web server can lead to a whole shebang of exploits - from the server itself (IIS is famous here) to bruting HTML password forms to exploiting CGI scripts.

    Port - 1025
    If your firewall reports a scan on this port and there are no other contacts from the same source then it's most likely the result of an SPI-ruleset timeout for a connection you made. When you establish a connection with a remote host your OS will assign what's called a random ephemeral (or "dynamic") port to account for your end of the connection. These assignments start at port 1024. When you make the connection a rule is entered into your firewall's ruleset that allows return traffic from that host. This rule is time-restricted - when it times out any traffic that may have been delayed will be seen as un-requested traffic from that host. If - in your case - other connection attempts are from the same host you can label it as a scan. In this case it could be many things - a few trojans use that port as well as network blackjack. Right now port 1025 is on the SANS Institute's top ten list for un-requested traffic.

    port - 3127
    Most likely from the MyDoom/Novarg worm.

    port - 6129
    This port is used by a remote administration service called DameWare. It's rare, but apparently the software is full of holes - commonly exploited.


    From Source #2
    This scan appears to be someone looking to brute out some UNIX shell accts. Each of these services below can be used to brute out the password for an acct - most often this is done on UNIX machines because typically the same user info is used for all services.

    port - 21
    FTP sessions are controlled and initiated on this port. The scan may have been looking for a specific exploit on a specific type of software or it may have just been looking for an insecure FTP server. Very common in port scans.

    port - 22
    This port is used by SSH servers. Secure Shell is essentially a better alternative to telnet (it's encrypted via SSL). Bruting SSH servers is pretty difficult, but many exploits exist in the various SSH servers out there.

    port - 25
    This scan was looking for a SMTP server. SMTP isn't really exploitable as far as getting a foot-hold onto the targeted comp, but insecure SMTP servers are valuable to spammers and spoofers.

    port - 110
    Used by the POP3 service.

    port - 1080
    Most commonly used by proxy services - also used by a trojan called WinHOLE.


    =-=-=-=-=-=-=-=-=-=-=-=-=-
    Both of these scans seem to be malicious. I wouldn't worry about them too much though - you most likely aren't running a vulnerable service (these were not OS vulnerability scans). This type of traffic is very common on the Internet. If they continue you can email the support service for their ISP. Don't bother with the "abuse" email address - those emails are often ignored.
    Last edited by CataclysmCow; June 4th, 2004 at 01:35 AM.
    CataclysmCow
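    The triage logic in the post above (group blocked connection attempts by source, treat a lone hit on a port at or above 1024 as a probable stale-session reply rather than a scan, and label a multi-port burst by the service mix it touches) can be written down as a small script. The following is an added example and is not from the thread or from any firewall vendor; the alert line format and the source addresses (RFC 5737 TEST-NET ranges) are constructed for the example and are not Sygate's real log format. The per-port notes are taken only from what the post says about each port.

```python
"""Classify inbound-block alerts the way the post above reasons about them.

Constructed example: the alert line format below is invented for this
script and is NOT Sygate's real alert format. Source addresses are
RFC 5737 TEST-NET values, also constructed.
"""
from collections import defaultdict
from datetime import datetime

# Defender's reference notes for the ports discussed in the thread.
PORT_NOTES = {
    21: "FTP control channel",
    22: "SSH",
    25: "SMTP",
    80: "HTTP / web server",
    110: "POP3",
    1025: "ephemeral range; also used by several trojans / network blackjack",
    1080: "SOCKS proxy; also the WinHOLE trojan",
    3127: "MyDoom/Novarg worm backdoor",
    6129: "DameWare remote administration",
}

EPHEMERAL_START = 1024          # per the post: dynamic ports start here
LOGIN_SERVICES = {21, 22, 25, 110, 1080}   # the "brute out UNIX accts" mix
WORM_BACKDOOR_PORTS = {2745, 3127, 6129}   # worm/backdoor-specific ports

# Constructed alert lines: "<timestamp> BLOCK <src_ip> -> tcp/<dst_port>"
SAMPLE_ALERTS = """\
2004-06-03 08:01:02 BLOCK 192.0.2.10 -> tcp/6129
2004-06-03 08:01:03 BLOCK 192.0.2.10 -> tcp/3127
2004-06-03 08:01:03 BLOCK 192.0.2.10 -> tcp/1025
2004-06-03 08:01:04 BLOCK 192.0.2.10 -> tcp/2745
2004-06-03 08:01:05 BLOCK 192.0.2.10 -> tcp/80
2004-06-03 09:14:30 BLOCK 198.51.100.7 -> tcp/22
2004-06-03 09:14:30 BLOCK 198.51.100.7 -> tcp/21
2004-06-03 09:14:31 BLOCK 198.51.100.7 -> tcp/110
2004-06-03 09:14:31 BLOCK 198.51.100.7 -> tcp/25
2004-06-03 09:14:32 BLOCK 198.51.100.7 -> tcp/1080
2004-06-03 10:30:00 BLOCK 203.0.113.5 -> tcp/1025
"""


def parse_alerts(text):
    """Parse the constructed alert format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_text, rest = line.split(" BLOCK ", 1)
        src, dst = rest.split(" -> ")
        proto, port = dst.split("/")
        events.append({
            "ts": datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S"),
            "src": src, "proto": proto, "port": int(port),
        })
    return events


def scan_profile(ports):
    """Heuristic label from the port mix, mirroring the post's reasoning."""
    ports = set(ports)
    if ports & WORM_BACKDOOR_PORTS:
        return "worm/backdoor exploit scan"
    if ports and ports <= LOGIN_SERVICES:
        return "login-service sweep"
    return "generic service sweep"


def classify_sources(events, window_seconds=120):
    """Group events by source and give each source a verdict."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    report = {}
    for src, evs in by_src.items():
        ports = sorted({ev["port"] for ev in evs})
        times = [ev["ts"] for ev in evs]
        span = (max(times) - min(times)).total_seconds()
        if len(ports) == 1 and ports[0] >= EPHEMERAL_START:
            # Lone hit on a dynamic port, no other contact: likely late return
            # traffic for a session whose SPI rule already timed out.
            verdict = "probable stale-session reply (SPI rule timeout)"
        elif len(ports) > 1 and span <= window_seconds:
            verdict = "port scan"
        else:
            verdict = "repeated probes"
        report[src] = {
            "verdict": verdict, "ports": ports, "span_seconds": span,
            "profile": scan_profile(ports) if verdict == "port scan" else None,
            "notes": {p: PORT_NOTES.get(p, "no note in thread") for p in ports},
        }
    return report


if __name__ == "__main__":
    for src, info in classify_sources(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src}: {info['verdict']} ({info['profile']}) ports={info['ports']}")
        for port, note in info["notes"].items():
            print(f"    {port}: {note}")
```

    The two-minute window is an assumption matching the interval described in the first post; the useful output for a home user is the per-source verdict, since a stale-session reply needs no action while a multi-port burst is the kind of thing worth keeping a record of if it keeps recurring.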

  5. #5
    Join Date
    Sep 2002
    Location
    Virginia
    Posts
    387
    Thanks all, I knew the firewall was working well. I just wanted to know exactly what those ports are used for. I used Zone Alarm for a while but I didn't like it too much for some reason.
    A foolish man claims to know all, but a wise man accepts he doesn't.
