Solved

port scan from ee

Posted on 2004-08-12
Last Modified: 2010-04-11
hi,

Every once in a while I detect a port scan from Expert-Exchange.com.  Here is what my log says:

12:57:05 PM      Attack Detection Report      Port Scanning has been detected from www.experts-exchange.com (scanned ports:TCP (2907, 2906, 2905, 2904, 2901, 2899))

Anyone know why?  Just curious, not worried.

Thanks,
Trevor
Question by:trevorhartman
LVL 51

Expert Comment

by:ahoffmann
ID: 11788808
first guess: sounds like a spoofed IP
Or why does your IDS write FQDN, which is totally unreliable at this point ;-)
 
LVL 8

Author Comment

by:trevorhartman
ID: 11788837
What do IDS and FQDN stand for?  I know next to nothing about security :)  I just run Agnitum Outpost Firewall Pro.
 
LVL 5

Expert Comment

by:Hypoviax
ID: 11790015
Probably nothing, but just in case, these are the trojans known to use those ports:

2899. REMOTE PWSTEAL
2901. REMOTE STORM
2902. REMOTE TWD
2903. REMOTE-ANY 4
2904. REMOTE-ANY 6
2905. REMOTE-ANY
2906. REMOTE11
2907. REMOTEAPH
 
LVL 5

Expert Comment

by:Hypoviax
ID: 11790018
Sorry, hang on, let me recheck those ports....
 
LVL 5

Assisted Solution

by:Hypoviax
Hypoviax earned 250 total points
ID: 11790029
According to http://www.obisam.com/ports.htm the following programs use those ports:

2899 POWERGEMPLUS
2901 ALLSTORCNS
2902 NET ASPI
2903 SUITCASE
2904 M2UA
2905 M3UA
2906 CALLER9
2907 WEBMETHODS B2B
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11791045
>  what do IDS and FQDN stand for?
IDS - Intrusion Detection System
FQDN - fully qualified domain name

> I know next to nothing about security :)
and why are you wondering then about something? :-))

In my comment I meant that using FQDNs in IDS or firewall logs is a very bad idea, because there are too many things which might go wrong when resolving an IP (that's what the firewall and/or IDS really gets) to a FQDN.
For example: wrong DNS setup, old cached DNS data, spoofed DNS, and many more ...
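The point above (the IDS logs a name it got by reverse DNS, which proves nothing about who actually sent the packets) is easy to check in code. The following is an added example, not code from the thread: it parses the Outpost "Attack Detection Report" line exactly as quoted in the question, then asks whether the logged name forward-resolves to the IP the firewall actually saw (forward-confirmed reverse DNS). The peer IP and the resolver are constructed, since the log line itself omits the IP; a real run would pass `socket.gethostbyname_ex(name)[2]` as the resolver.

```python
import re
from typing import Callable, Dict, List, Optional

# Log line format as quoted in the question (Agnitum Outpost "Attack Detection Report").
LOG_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+Attack Detection Report\s+"
    r"Port Scanning has been detected from (?P<source>\S+) "
    r"\(scanned ports:(?P<proto>TCP|UDP) \((?P<ports>[\d, ]+)\)\)$"
)

def parse_report(line: str) -> Optional[dict]:
    """Extract time, logged source, protocol and a sorted port list from one report line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ports = sorted({int(p) for p in m.group("ports").split(",")})
    return {"time": m.group("time"), "source": m.group("source"),
            "proto": m.group("proto"), "ports": ports}

def classify_source(source: str, peer_ip: str,
                    resolve_forward: Callable[[str], List[str]]) -> str:
    """Rate how far the logged source can be trusted, given the peer IP the firewall saw."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", source):
        return "ip"  # a raw IP was logged, so no DNS was involved
    try:
        addrs = resolve_forward(source)
    except OSError:
        return "unresolvable"  # name does not exist or DNS failed: treat the name as noise
    # Only a name whose forward lookup contains the observed IP says anything about the sender.
    return "forward-confirmed" if peer_ip in addrs else "mismatch"

# Constructed sample input: the question's log line, a made-up peer IP and a fake resolver
# (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts).
SAMPLE_LINE = ("12:57:05 PM      Attack Detection Report      Port Scanning has been "
               "detected from www.experts-exchange.com (scanned ports:TCP "
               "(2907, 2906, 2905, 2904, 2901, 2899))")
FAKE_DNS: Dict[str, List[str]] = {"www.experts-exchange.com": ["192.0.2.10"]}

def fake_resolver(name: str) -> List[str]:
    """Stand-in for socket.gethostbyname_ex(name)[2]; raises like a failed lookup."""
    if name not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[name]

if __name__ == "__main__":
    rep = parse_report(SAMPLE_LINE)
    print(rep)
    print(classify_source(rep["source"], "192.0.2.10", fake_resolver))    # forward-confirmed
    print(classify_source(rep["source"], "198.51.100.7", fake_resolver))  # mismatch
```

A "mismatch" or "unresolvable" result means the name in the log is not evidence about the sender at all; only the IP the firewall recorded (if it records one) is worth acting on, and even that can be spoofed for a SYN scan.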
 
LVL 8

Author Comment

by:trevorhartman
ID: 11794011
I'm wondering because I wouldn't mind learning a few things, plus you don't really need to know anything to realize that when someone is doing a port scan it's probably not a good thing, especially when my IDS is telling me about it... Anyway, so you think it's actually another site trying to disguise itself as expert-exchange.com?

-Trevor
 
LVL 5

Expert Comment

by:Hypoviax
ID: 11797927
You have a firewall, it picked it up and supposedly blocked it. If I were you I wouldn't worry, since your firewall dropped the port scan attempt and therefore disallowed whoever performed the scan from seeing your computer. If the scan was external then you have nothing to worry about. However, just as a precaution, update your anti-virus software and do a scan.

If you really are concerned maybe e-mail your question to:

cs@experts-exchange.com

Regards,

Hypoviax
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11798977
> .. you don't really need to know anything to realize that when someone is doing a port scan it's probably not a good thing
hmm, if you don't need to know, why are you asking then?
As said above: either you take your warnings seriously, then you *need to know*, or you don't care about the quality, then the question is "why do you run an IDS", it's obvious.
trevorhartman, it's no offence or an attempt to exploit your ignorance. You "wouldn't mind learning", here we go :-)

Hypoviax, it's an IDS log, not a firewall log, hence nothing has been protected, usually. I'd care ...
 
LVL 3

Accepted Solution

by:cduke250
cduke250 earned 250 total points
ID: 11805615
There are a few possibilities..

1. An ee computer was used to perform the scan.  

2. Someone hacked into ee and used the connection or a hacked computer to perform the scan.

3. An IP address registered to ee but not ee was used.

4. Someone spoofed ee to perform a common scan that hackers use today.

#4 is the most likely (so is #2) and is trivial to do.  Here's how!

+---------------------------------------------------------------------------------------------------------------------+
The program that does this the best (IMHO) is hping.  The author of hping program is  Salvatore Sanfilippo. He is a hacker from Agrigento, Italy.

When a machine is idle and you send SYN packets to it, the IP ID numbers will normally go up in a predictable sequence. If the sequence varies it is because the host is now active. By this I mean that the target machine will send to his computer a SYN/ACK. His machine will respond with an ACK packet. This communication between the two will cause the IP ID numbers to change from their predictable sequence, thus indicating to us that our spoofed machine has found an open port. All this is done without exposing ourselves to the target machine.


You can get detailed tutorials on how this happens and how you can do this on the hping home page.  If you can't find the documentation online, it is definitely included in the program.  Very, very simple way of doing what you describe.

HPING HOME PAGE
http://www.hping.org/
+---------------------------------------------------------------------------------------------------------------------+
 
LVL 8

Author Comment

by:trevorhartman
ID: 11812231
ahoffmann,
I don't appreciate your snide remarks.

>> .. you don't really need to know anything to realize that when someone is doing a port scan it's probably not a good thing
>hmm, if you don't need to know, why are you asking then?

Did I say that I didn't need to know why someone was doing a port scan?  No.  In saying "you don't really need to know anything to realize that when someone is doing a port scan it's probably not a good thing" I meant that I did not require any previous knowledge of security to realize that when my computer says someone did a port scan, that is not good.  Do you need to know why I'm asking anyway?  Can't I just ask for the purpose of asking?  I ask a question, give it a point value, someone answers, I give them the points.  Nowhere in that process does the person helping actually need to know WHY the person who asked the question asked it in the first place.  I run an IDS because it sounds like a good idea.  I don't know the specifics on it, or what I'll even do if something does happen.  When the port scan came up, it made me curious and I thought to myself, "why don't I ask the experts on EE?".  They are supposed to be "experts" after all.  I didn't expect to get drilled on why I was asking the question or how much I know about security.

Thanks everyone else for the responses

-Trevor
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11812996
> Can't I just ask for the purpose of asking?
yes, no problem with that. You're welcome.
But experts here (at least in the non-joke TAs like Security) like to give valuable answers, not just answers for gathering points. So do I.

Security is the wrong place to be polluted with useless questions & answers, just for handing out points (who cares about them?), or gathering points, IMHO.
Experts reading here may correct me if I'm wrong.
So far the off-topic chat, and again: there was no offence at all, I just asked for the purpose of this question.

Back to the question, assuming you're serious about these IPs, then: what is your problem with the given suggestions so far?
 
LVL 8

Author Comment

by:trevorhartman
ID: 11813060
I am satisfied with the suggestions so far, but I think I should be able to ask any security related question I want in the security section.  I am not asking just to give points.  Like I said before, I am just curious, and wanted to see what people who are knowledgeable on this subject think about it.  This is the first post I've made in this section.  I don't just go around the different categories asking easy questions to give points to a bunch of people I've never talked to...

Thanks,
Trevor
 
LVL 5

Expert Comment

by:Hypoviax
ID: 11816902
I agree totally with you Trevor. There is no need for sarcasm in these pages - it should be kept professional.

Much of the posts probably tell you most of what you require as an answer, but I actually think Experts Exchange should be notified about doing a port scan. I think they should check if they have indeed been 'hacked', or there is a site posing as itself, or if they are unethically attempting a port scan in full knowledge. I'd ask them yourself at the e-mail address I posted earlier:

cs@experts-exchange.com

Regards

Hypoviax
 
LVL 5

Expert Comment

by:Hypoviax
ID: 11827180
It is good to see EE reply personally and address these types of issues. I place full confidence in the legitimacy of EE's claims.

Regards,

Hypoviax
 
LVL 3

Expert Comment

by:cduke250
ID: 11877419
Here is a simple, effective methodology for dealing with port scans and other hack attempts.

1. Download samspade www.samspade.org

2. Perform a whois query on the "hacker's" address that is in the logs or alerts.

3. Send an email to the listed contact from the whois query explaining what happened (don't reveal who you are, where, system specifics, etc.  and, you might want to use a newly created account at hotmail to send the email to avoid spam and other attacks)


Example:
+------------------------------------------------------------------------------------------------------+

To: eeadmin@experts-exchange.com
From: anonymous123@hotmail.com

I thought you should know that on 8/12/04 at 4:30pm someone from IP address 123.123.123.123 performed a port-scan on my personal computer.  

The IP address belongs to experts-exchange and I hope you will investigate and prevent this from happening in the future.

+------------------------------------------------------------------------------------------------------+


Of course, when dealing with experts-exchange or other legitimate business or organizations, it is nice to use your real email and name.

 
LVL 8

Author Comment

by:trevorhartman
ID: 11883471
Thank you for all your comments everyone, and thank you cduke250 for the methodology on how to deal with something like this.  Very helpful.

Regards,
Trevor