
strange port 9700 scan?

Hello,

I just installed a firewall and it is logging strange traffic. Please see part of my log file below. I don't even know where 192.168.1.223 is coming from. Our network is a 192.168.254.0 network. This is constantly being logged and the source port increases by one every time. About every second a new entry is logged. What could be causing this and how do I pinpoint the source?



date      time              action      rule                                    size    proto    direction            source IP          destination IP     source port   dest port   IP header (TTL; TOS; ID)
7/10/2006 11:53:31.821      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3883      9700      TTL: 128; TOS:  0; ID: 0EEA      
7/10/2006 11:53:33.824      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3884      9700      TTL: 128; TOS:  0; ID: 0FEA      
7/10/2006 11:53:35.842      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3885      9700      TTL: 128; TOS:  0; ID: 10EA      
7/10/2006 11:53:43.832      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3889      9700      TTL: 128; TOS:  0; ID: 18EA      
7/10/2006 11:53:45.833      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3890      9700      TTL: 128; TOS:  0; ID: 19EA      
7/10/2006 11:53:49.835      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3892      9700      TTL: 128; TOS:  0; ID: 1BEA      
7/10/2006 11:53:51.836      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3893      9700      TTL: 128; TOS:  0; ID: 1EEA      
7/10/2006 11:53:53.837      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3894      9700      TTL: 128; TOS:  0; ID: 1FEA      
7/10/2006 11:53:55.838      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3895      9700      TTL: 128; TOS:  0; ID: 20EA      
7/10/2006 11:53:59.840      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3897      9700      TTL: 128; TOS:  0; ID: 22EA      
7/10/2006 11:54:01.841      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3898      9700      TTL: 128; TOS:  0; ID: 23EA      
7/10/2006 11:54:03.842      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3899      9700      TTL: 128; TOS:  0; ID: 24EA      
Asked by Kurt4949

Kurt4949 (author) commented:
This firewall is installed on my Windows XP machine. I installed it because I noticed the same thing being blocked in my hardware firewall.
 
rsivanandan commented:
From which firewall did you get those logs? What is your network subnet mask?

Cheers,
Rajesh
 
Kurt4949 (author) commented:
Our subnet mask is 255.255.255.0.

I got the log from Jetico Personal Firewall. I installed it because I noticed the same log in the WatchGuard hardware firewall.
 
rsivanandan commented:
Did you try pinging that IP address? Try it and see if you get any reply.

I'm guessing somebody's machine is configured with dual addresses and it is infected too.

Cheers,
Rajesh
 
Kurt4949 (author) commented:
Actually it doesn't seem to be in the actual log file of the WatchGuard, but when I open the WatchGuard HostWatch program it shows up there and is being blocked there also.
 
Kurt4949 (author) commented:
No, I cannot ping the address.
 
jjoseph_x commented:
You could try to do an arp -a to get the MAC address of the machine. Then, if you have a managed switch, you should be able to see which port is associated with that MAC and thus be able to track down the machine that's sending the port scan.
 
Kurt4949 (author) commented:
Hm, good idea, but we don't have any managed switches. I tried arp -a but it is not listed.
 
jjoseph_x commented:
It's a UDP broadcast, so all machines on your network are probably receiving it. So what you could try is running Ethereal (it's called Wireshark now) and capturing the data.

In the Ethernet information about the packet you'll see the source MAC address. Even if the port scanner is spoofing its IP, it still needs to use the MAC of the machine through which it's sending its data.

Now we'll have to see if that MAC belongs to a machine on your subnet... we can do that by pinging all of the machines to populate the ARP table (before we do that, do an arp -a to see if that MAC from Ethereal/Wireshark is already there).

You can do that by doing this from a command prompt:

FOR /L %x in (1,1,254) DO ping -n 1 -w 100 192.168.254.%x

If, after doing an arp -a, you still don't see a MAC that matches the one from the packet capture, it means that it's a machine that's not on your subnet... like someone's home laptop or something.
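As an added example (not code from the thread or from either firewall vendor), here is a Python script that does two things the thread describes by hand: it pulls the "broadcast to UDP/9700 with a climbing source port" pattern out of log lines in the Jetico layout quoted in the question, and it performs the last step of jjoseph_x's procedure, matching a MAC address taken from a Wireshark capture against `arp -a` output after the ping sweep. The `arp -a` table and both MAC addresses are constructed for the example.

```python
import re

# Constructed sample: three lines in the layout of the Jetico log quoted in the question.
FIREWALL_LOG = """\
7/10/2006 11:53:31.821      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3883      9700      TTL: 128; TOS:  0; ID: 0EEA
7/10/2006 11:53:33.824      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3884      9700      TTL: 128; TOS:  0; ID: 0FEA
7/10/2006 11:53:35.842      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3885      9700      TTL: 128; TOS:  0; ID: 10EA
"""

# Constructed 'arp -a' output in the Windows layout; both MAC addresses are made up.
ARP_OUTPUT = """\
Interface: 192.168.254.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.254.1         00-11-22-33-44-55     dynamic
  192.168.254.77        00-aa-bb-cc-dd-ee     dynamic
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<action>\S+)\s+(?P<rule>.+?)\s{2,}(?P<size>\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<direction>\w+ packet)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)")
ARP_RE = re.compile(r"^\s*([\d.]+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+\w+")

def summarize_flows(log_text):
    """Group rejected packets by (src, dst, proto, dport) and flag the pattern from the
    question: a broadcast destination and a source port that keeps climbing."""
    flows = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            key = (m["src"], m["dst"], m["proto"], int(m["dport"]))
            flows.setdefault(key, []).append(int(m["sport"]))
    return [
        {"src": src, "dst": dst, "proto": proto, "dport": dport, "count": len(sports),
         "broadcast": dst == "255.255.255.255",
         "climbing_sport": all(b > a for a, b in zip(sports, sports[1:]))}
        for (src, dst, proto, dport), sports in flows.items()
    ]

def parse_arp(arp_text):
    """Map normalised MAC (lowercase, ':' separated) -> IP from 'arp -a' output."""
    table = {}
    for line in arp_text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m.group(2).lower().replace("-", ":")] = m.group(1)
    return table

def find_host(captured_mac, arp_text):
    """IP owning the MAC seen in the capture, or None if the sender is not on this subnet."""
    return parse_arp(arp_text).get(captured_mac.lower().replace("-", ":"))
```

Run the ping sweep from the answer first, then feed the real `arp -a` output and the source MAC from the capture to `find_host`; a `None` result is the "not on your subnet" case the answer describes.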
 
Kurt4949 (author) commented:
Wow, thanks, your answer worked perfectly. I used Wireshark to find the MAC address. Then I ran the ping command you posted and found the machine.

Our software department wrote a clever program to scan for certain systems. It was not meant to be used on an open network. I informed the person; they did not realize it was still running and they disabled it.

Thanks
 
jjoseph_x commented:
No problem. I'm glad to help.
