• Status: Solved
• Priority: Medium
• Security: Public
• Views: 712

Port Scans

I keep seeing an alert in my firewall logs for a possible port scan being dropped.
The scan is always initiated from , 80 WAN on TCP ports: 3876, 3877, 3878, 3880, 3881, or some combination of those ports.
I looked up the ports:
dl_agent           3876    DirectoryLockdown Agent
xmpcr-interface    3877    XMPCR Interface Port
fotogcad           3878    FotoG CAD interface
appss-lm           3879    appss license manager
microgrid          3880    microgrid
idac               3881    Data Acquisition and Control

What is this and how do I stop it?
zephyr_hex (Megan)
1 Solution
> what is this and how to i stop it?
You cannot stop it (unless you have access to the machine with that IP).
Simply block all access from that IP in your firewall.
You'll laugh to know whose IP address this is:  247ms  259ms  261ms  TTL: 53  (www-level3.experts-exchange.com ok)

If you enter www-level3.experts-exchange.com into your browser you'll get here :)
I'm sure I once stumbled upon a discussion on this site about this exact issue: someone reported that she was being scanned by www.e-e.com, and the conclusion was that, whatever it may be, there's no logical reason for www.e-e.com to do it. E.g. in nmap you have an option to enter 'decoy' IP addresses so they are used in the scans instead of the real IP of the sender. If the return IP was spoofed, there's no way to track the real scanner unless you have access to all intermediate points of transfer (i.e. routers). Only big guns like the FBI, NSA, AFOSI can get such access.

IF you do block access, you'll cut off access to Experts Exchange :)
Conclusion - forget about it.

Or, if you are really keen on digging out the truth, you can install a network sniffer (Ethereal is free and the best; for Windows the WinPcap capturing library also has to be installed) and capture all the traffic for correlation and investigation. It's a lot of work and success is not guaranteed.

Of course port assignments (those higher than 1024) are superficial.
Keith Alabaster, Enterprise Architect, commented:
As Yurisk states, that IP address is one of ours...

zephyr_hex (Megan), Developer, Author, commented:
Ha... well... so much for trying to block the IP ;)

Is this scanning any kind of indicator that one of my client computers has spyware on it?
Do I need to be concerned about the scanning (should I spend the time and effort to hunt it down)?

I checked one of our other locations... and they have something similar going on (not with an EE IP, but with a different source IP : )
I tried a lookup on that IP and got nothing, but if it's anything like the scan on the ports of the firewall I have here at my location, it is spoofed.
> is this scanning any kind of indicator ..?
No, it's not. If it were OUTgoing connections from the machine in question then it would be yes.

> do i need to be concerned about the scanning ?
In 90% of cases in general not. Not at all regarding these particular scans.  is not a machine, but a network appliance (most probably a border router).

> .. the scan on the ports of the firewall i have here at my location, it is spoofed.
Do you mean that you make these observations at your firewall? Does this also mean that your firewall cannot detect spoofed IPs? Then I'd first get rid of that so-called firewall ;-)
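As an added example (not code from the thread or from any of the participants), here is the triage distinction the replies draw: inbound dropped probes fanning out over several ports from one source are the firewall doing its job and rate only an informational note, while the same fan-out in outgoing connections from an internal client is the pattern that would actually point at an infected machine. The log format, the sample lines and the 203.0.113.10 source are constructed placeholders; the thread's real IP was not preserved.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log format (not a real vendor format): ACTION DIR src:sport -> dst:dport TCP
LINE_RE = re.compile(
    r"^(?P<action>DROP|ALLOW) (?P<dir>IN|OUT) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) TCP$"
)

# Constructed sample: an inbound scan of the thread's ports from source port 80
# (203.0.113.10 is a placeholder for the external IP), plus outbound traffic.
SAMPLE_LOG = """\
DROP IN 203.0.113.10:80 -> 198.51.100.2:3876 TCP
DROP IN 203.0.113.10:80 -> 198.51.100.2:3877 TCP
DROP IN 203.0.113.10:80 -> 198.51.100.2:3878 TCP
DROP IN 203.0.113.10:80 -> 198.51.100.2:3880 TCP
DROP IN 203.0.113.10:80 -> 198.51.100.2:3881 TCP
ALLOW OUT 192.168.1.25:51000 -> 203.0.113.10:80 TCP
ALLOW OUT 192.168.1.40:52001 -> 203.0.113.77:445 TCP
ALLOW OUT 192.168.1.40:52002 -> 203.0.113.77:139 TCP
ALLOW OUT 192.168.1.40:52003 -> 203.0.113.77:3389 TCP
ALLOW OUT 192.168.1.40:52004 -> 203.0.113.77:22 TCP
"""

def triage(log_text, min_ports=4):
    """Return {src_ip: (direction, sorted distinct dest ports, severity)} for every
    source touching at least min_ports distinct ports. Inbound drops rate 'info';
    outbound fan-out from a private (internal) address rates 'high'."""
    ports = defaultdict(set)   # (src, direction) -> distinct destination ports
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue           # skip lines that do not match the format
        ports[(m["src"], m["dir"])].add(int(m["dport"]))
    findings = {}
    for (src, direction), dports in ports.items():
        if len(dports) < min_ports:
            continue           # ordinary traffic, no scan-like fan-out
        internal = ipaddress.ip_address(src).is_private
        severity = "high" if direction == "OUT" and internal else "info"
        findings[src] = (direction, sorted(dports), severity)
    return findings

if __name__ == "__main__":
    for src, (direction, dports, severity) in triage(SAMPLE_LOG).items():
        print(f"{severity:5} {direction:3} {src} ports={dports}")
```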
