Solved

strange port 9700 scan?

Posted on 2006-07-10
279 Views
Last Modified: 2008-02-01
Hello,

I just installed a firewall and it is logging strange traffic.  Please see part of my log file below.  I don't even know where 192.168.1.223 is coming from.  Our network is a 192.168.254.0 network.  This is constantly being logged and the source port increases by one every time.  About every second a new entry is logged.  What could be causing this and how do I pinpoint the source?



timestamp      action      rule      size      proto      direction      source IP      dest IP      source port      dest port      TTL; TOS; ID
7/10/2006 11:53:31.821      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3883      9700      TTL: 128; TOS:  0; ID: 0EEA      
7/10/2006 11:53:33.824      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3884      9700      TTL: 128; TOS:  0; ID: 0FEA      
7/10/2006 11:53:35.842      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3885      9700      TTL: 128; TOS:  0; ID: 10EA      
7/10/2006 11:53:43.832      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3889      9700      TTL: 128; TOS:  0; ID: 18EA      
7/10/2006 11:53:45.833      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3890      9700      TTL: 128; TOS:  0; ID: 19EA      
7/10/2006 11:53:49.835      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3892      9700      TTL: 128; TOS:  0; ID: 1BEA      
7/10/2006 11:53:51.836      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3893      9700      TTL: 128; TOS:  0; ID: 1EEA      
7/10/2006 11:53:53.837      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3894      9700      TTL: 128; TOS:  0; ID: 1FEA      
7/10/2006 11:53:55.838      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3895      9700      TTL: 128; TOS:  0; ID: 20EA      
7/10/2006 11:53:59.840      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3897      9700      TTL: 128; TOS:  0; ID: 22EA      
7/10/2006 11:54:01.841      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3898      9700      TTL: 128; TOS:  0; ID: 23EA      
7/10/2006 11:54:03.842      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3899      9700      TTL: 128; TOS:  0; ID: 24EA      
Question by:Kurt4949
11 Comments
 
LVL 7

Author Comment

by:Kurt4949
This firewall is installed on my Windows XP machine.  I installed it because I noticed the same thing being blocked in my hardware firewall.
 
LVL 32

Expert Comment

by:rsivanandan
From which firewall did you get those logs? What is your network subnet mask?

Cheers,
Rajesh
 
LVL 7

Author Comment

by:Kurt4949
Our subnet mask is 255.255.255.0.

I got the log from Jetico Personal Firewall.  I installed it because I noticed the same log in the WatchGuard hardware firewall.
 
LVL 32

Expert Comment

by:rsivanandan
Did you try pinging that IP address? Try it and see if you get any reply.

I'm guessing somebody's machine is configured with dual addresses and it is infected too.

Cheers,
Rajesh
 
LVL 7

Author Comment

by:Kurt4949
Actually it doesn't seem to be in the actual log file of the WatchGuard, but when I open the WatchGuard HostWatch program it shows up there and is being blocked there also.
 
LVL 7

Author Comment

by:Kurt4949
No, I cannot ping the address.
 
LVL 9

Expert Comment

by:jjoseph_x
You could try to do an arp -a to get the MAC address of the machine.  Then, if you have a managed switch, you should be able to see which port is associated with that MAC and thus be able to track down the machine that's sending the port scan.
 
LVL 7

Author Comment

by:Kurt4949
Hm, good idea, but we don't have any managed switches.  I tried arp -a but it is not listed.
 
LVL 9

Accepted Solution

by: jjoseph_x (earned 500 total points)

It's a UDP broadcast, so all machines on your network are probably receiving it.  So what you could try is running Ethereal (it's called Wireshark now) and capturing the data.

In the Ethernet information about the packet you'll see the source MAC address.  Even if the port scanner is spoofing its IP, it still needs to use the MAC of the machine through which it's sending its data.

Now we'll have to see if that MAC belongs to a machine on your subnet... we can do that by pinging all of the machines to populate the ARP table (before we do that, do an arp -a to see if that MAC from Ethereal/Wireshark is already there).

You can do that by doing this from a command prompt:

FOR /L %x in (1,1,254) DO ping -n 1 -w 100 192.168.254.%x

If, after doing an arp -a, you still don't see a MAC that matches the one from the packet capture, it means that it's a machine that's not on your subnet...  like someone's home laptop or something.
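The following Python script is an added example, not code from the thread or from any of the products it mentions (Jetico, WatchGuard, Wireshark). It covers both halves of the discussion above: it parses Jetico-style log rows like the ones in the question and reports the signs that point at a single local host sweeping the segment (all-broadcast UDP, one destination port, source port rising per probe, constant TTL of 128, which is the initial TTL of a Windows sender one hop away), shows with the ipaddress module why pinging 192.168.1.223 and looking for it in arp -a on a 192.168.254.0/24 segment was never going to work, and then performs the accepted answer's final step: look up the Ethernet source MAC taken from the capture in arp -a output after the ping sweep. The arp -a listing, the MAC 00:0c:29:4b:2a:1e and the host 192.168.254.37 it resolves to are all constructed for the example; the log rows are copied from the question.

```python
"""Triage helper for the broadcast pattern in this thread (added example,
not code from the original posts).  Step 1 summarises Jetico log rows and
checks whether the logged source is even on the local subnet; step 2 does
the accepted answer's lookup of the captured source MAC in `arp -a`.
The arp listing and the MAC below are constructed for the example.
"""
import ipaddress
import re

# One Jetico log row: date time action rule size proto direction src dst sport dport TTL/TOS/ID
LOG_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<action>\S+)\s+(?P<rule>.+?)\s{2,}"
    r"(?P<size>\d+)\s+(?P<proto>\S+)\s+(?P<direction>\S+ packet)\s+"
    r"(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"TTL:\s*(?P<ttl>\d+);\s*TOS:\s*(?P<tos>\d+);\s*ID:\s*(?P<ipid>[0-9A-Fa-f]+)"
)

# Windows `arp -a` row: "  192.168.254.37   00-0c-29-4b-2a-1e   dynamic"
ARP_RE = re.compile(
    r"^\s*(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(?P<type>\w+)"
)

def parse_log(text):
    """Parse Jetico log rows into dicts; raise on a row we do not understand."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised log line: {line!r}")
        rec = m.groupdict()
        for key in ("size", "sport", "dport", "ttl", "tos"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def summarise(records):
    """Boil the rows down to the questions a triager asks first."""
    sports = [r["sport"] for r in records]
    return {
        "packets": len(records),
        "sources": sorted({r["src"] for r in records}),
        "all_broadcast": all(r["dst"] == "255.255.255.255" for r in records),
        "dest_ports": sorted({r["dport"] for r in records}),
        "ttls": sorted({r["ttl"] for r in records}),
        # strictly rising source ports: one process opening a fresh ephemeral
        # socket per probe (gaps are rows the poster left out of the excerpt)
        "sport_increasing": all(a < b for a, b in zip(sports, sports[1:])),
    }

def on_local_subnet(ip, network):
    """True if `ip` lies inside `network`.  192.168.1.223 is not inside
    192.168.254.0/24, so the poster's host never ARPs for it and ping /
    arp -a on that IP show nothing; only the captured MAC identifies it."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)

def normalise_mac(mac):
    return mac.lower().replace("-", ":")

def parse_arp(text):
    """Map MAC -> IP from Windows `arp -a` output."""
    return {normalise_mac(m["mac"]): m["ip"]
            for m in map(ARP_RE.match, text.splitlines()) if m}

def find_sender(capture_mac, arp_text):
    """IP owning the captured source MAC, or None when the sweep produced no
    entry for it (sender is off the swept subnet, or has gone quiet)."""
    return parse_arp(arp_text).get(normalise_mac(capture_mac))

# Three rows from the question's log excerpt (the 3884 -> 3889 gap is the poster's).
SAMPLE_LOG = """
7/10/2006 11:53:31.821      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3883      9700      TTL: 128; TOS:  0; ID: 0EEA
7/10/2006 11:53:33.824      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3884      9700      TTL: 128; TOS:  0; ID: 0FEA
7/10/2006 11:53:43.832      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3889      9700      TTL: 128; TOS:  0; ID: 18EA
"""

# Constructed `arp -a` output after the FOR /L ping sweep; addresses and MACs are made up.
SAMPLE_ARP = """
Interface: 192.168.254.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.254.1         00-50-ba-12-34-56     dynamic
  192.168.254.37        00-0c-29-4b-2a-1e     dynamic
  192.168.254.255       ff-ff-ff-ff-ff-ff     static
"""

# Ethernet source MAC read off one of the 9700/udp frames in Wireshark (constructed).
CAPTURED_MAC = "00:0c:29:4b:2a:1e"

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(summarise(rows))
    print("logged source on 192.168.254.0/24?", on_local_subnet(rows[0]["src"], "192.168.254.0/24"))
    print("host owning the captured MAC:", find_sender(CAPTURED_MAC, SAMPLE_ARP))
```

If find_sender returns None after the sweep, the sender is not on the swept /24 (or stopped transmitting before the sweep), which is exactly the case the accepted answer describes; a second MAC-level check is to compare the captured MAC's first three octets against an OUI list to learn the vendor of the sending NIC.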
 
LVL 7

Author Comment

by:Kurt4949
Wow, thanks, your answer worked perfectly.  I used Wireshark to find the MAC address.  Then I ran the ping command you posted and found the machine.

Our software department wrote a clever program to scan for certain systems.  It was not meant to be used on an open network.  I informed the person; they did not realize it was still running and they disabled it.

Thanks
 
LVL 9

Expert Comment

by:jjoseph_x
No problem.  I'm glad to help.