zephyr_hex (Megan)
asked on
Port Scans
i keep seeing an alert in my firewall logs for a possible port scan being dropped
the scan is always initiated from 64.156.132.140, 80 WAN on TCP ports: 3876, 3877, 3878, 3880, 3881 or some combination of those ports.
i looked up the ports
dl_agent 3876 DirectoryLockdown Agent
xmpcr-interface 3877 XMPCR Interface Port
fotogcad 3878 FotoG CAD interface
appss-lm 3879 appss license manager
microgrid 3880 microgrid
idac 3881 Data Acquisition and Control
what is this and how do I stop it?
You'll laugh to know whose this IP address is:
64.156.132.140 247ms 259ms 261ms TTL: 53 (www-level3.experts-exchange.com ok)
If you enter www-level3.experts-exchange.com into your browser you'll get here :)
I'm sure I once stumbled upon discussion on this site about this issue exactly - someone reported
that she's being scanned by https://www.experts-exchange.com, the conclusion was whatever it may be there's
no logical reason for https://www.experts-exchange.com to do it. E.g. in nmap you have option to enter 'decoy'
IP addresses so they will be used in scans, and not the real IP of the sender. If return IP was
spoofed, there's no way to track the real scanner unless you have access to all intermediate
points of transfer (i.e. routers). Only big guns like FBI, NSA, AFOSI can get such access.
IF you do block access, you'll cut off access to expert-exchange :)
Conclusion - forget about it.
Or, if you are really keen on digging out the truth, you can install a network sniffer (Ethereal is free and the best; for Windows the WinPcap capturing library should also be installed) and capture all the traffic
for correlation and investigation. It's a lot of work and success is not guaranteed.
Of course port assignments (those higher than 1024) are superficial.
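Yurisk's suggestion is to capture the traffic and correlate it. As an added example that is not part of this thread, the Python below does the correlation step on firewall drop lines: it groups drops per source address, slides a time window over them, and reports any source that hit a threshold of distinct destination ports inside one window, together with whether the source port stayed fixed (port 80 in Megan's logs). The log line format, the addresses 192.0.2.10 and 198.51.100.7, and the timestamps are all constructed for the example; the real firewall's format is not shown on this page. Note that nmap's -g/--source-port option pins the source port just as -D adds decoy addresses, so neither a fixed source port nor a friendly reverse-DNS name proves who actually sent the packets.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample drop lines (not from the thread; the real firewall's log
# format is unknown). 192.0.2.10 stands in for the firewall's WAN address and
# 198.51.100.7 is a made-up second source that probes slowly over 40 minutes.
SAMPLE_LOG = """\
2004-03-01 10:15:01 DROP WAN TCP 64.156.132.140:80 -> 192.0.2.10:3876
2004-03-01 10:15:01 DROP WAN TCP 64.156.132.140:80 -> 192.0.2.10:3877
2004-03-01 10:15:02 DROP WAN TCP 64.156.132.140:80 -> 192.0.2.10:3878
2004-03-01 10:15:02 DROP WAN TCP 64.156.132.140:80 -> 192.0.2.10:3880
2004-03-01 10:15:03 DROP WAN TCP 64.156.132.140:80 -> 192.0.2.10:3881
2004-03-01 10:20:00 DROP WAN TCP 198.51.100.7:54321 -> 192.0.2.10:22
2004-03-01 11:00:00 DROP WAN TCP 198.51.100.7:54322 -> 192.0.2.10:23
2004-03-01 11:00:00 DROP WAN TCP 198.51.100.7:54323 -> 192.0.2.10:80
2004-03-01 11:00:01 DROP WAN TCP 198.51.100.7:54324 -> 192.0.2.10:443
2004-03-01 11:00:01 DROP WAN TCP 198.51.100.7:54325 -> 192.0.2.10:3389
"""

# Matches the constructed format: "<date> <time> DROP <iface> <proto> src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DROP (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse_drops(log_text):
    """Turn DROP lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "iface": d["iface"],
            "proto": d["proto"],
            "src": d["src"],
            "sport": int(d["sport"]),
            "dst": d["dst"],
            "dport": int(d["dport"]),
        })
    return events


def find_scans(events, min_ports=5, window_seconds=60):
    """For each source IP, slide a time window over its drops and report the first
    window in which it touched at least min_ports distinct destination ports.
    'fixed_source_port' is the single source port seen in that window, or None
    when the source port varied (the usual case for a normal client or scanner
    that does not pin it with nmap -g)."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    scans = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            dports, sports = set(), set()
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                dports.add(e["dport"])
                sports.add(e["sport"])
            if len(dports) >= min_ports:
                scans[src] = {
                    "start": first["ts"],
                    "ports": sorted(dports),
                    "fixed_source_port": next(iter(sports)) if len(sports) == 1 else None,
                }
                break
    return scans


def describe(scans):
    """One human-readable summary line per flagged source."""
    lines = []
    for src, info in sorted(scans.items()):
        sp = info["fixed_source_port"]
        note = f"all from source port {sp}" if sp is not None else "varying source ports"
        lines.append(f"{src}: {len(info['ports'])} ports {info['ports']} "
                     f"starting {info['start']:%H:%M:%S}, {note}")
    return lines


if __name__ == "__main__":
    evs = parse_drops(SAMPLE_LOG)
    for line in describe(find_scans(evs)):
        print(line)
    print("--- same data, one-hour window ---")
    for line in describe(find_scans(evs, window_seconds=3600)):
        print(line)
```

With the default 60-second window only 64.156.132.140 is flagged (five ports, all from source port 80); the slow second source is only caught when the window is widened to an hour, which is the trade-off to keep in mind when tuning a firewall's own port-scan threshold. For the raw capture Yurisk describes, a filter such as `tcpdump -ni <wan-interface> host 64.156.132.140 and tcp` (interface name is yours to fill in) records just the traffic in question for later correlation against these summaries.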
As Yurisk states, that IP address is one of ours.....
:((
ASKER
ha... well... so much for trying to block the IP ;)
is this scanning any kind of indicator that one of my client computers has spyware on it?
do i need to be concerned about the scanning (should i spend the time and effort to hunt it down)?
i checked one of our other locations...and they have something similar going on (not with an EE IP, but with a different source IP : 67.29.176.254 )
i tried a lookup on that IP and got nothing, but if it's anything like the scan on the ports of the firewall i have here at my location, it is spoofed.
ASKER CERTIFIED SOLUTION
> .. the scan on the ports of the firewall i have here at my location, it is spoofed.
do you mean that you make these observations at your firewall? Does this also mean that your firewall cannot detect spoofed IPs? Then I'd first get rid of that so-called firewall ;-)
you cannot stop it (unless you have access to the machine with that IP)
simply block all access from that IP in your firewall