Solved

strange port 9700 scan?

Posted on 2006-07-10
295 Views
Last Modified: 2008-02-01
Hello,

I just installed a firewall and it is logging strange traffic. Please see part of my log file below. I don't even know where 192.168.1.223 is coming from. Our network is a 192.168.254.0 network. This is constantly being logged and the source port increases by one every time. About every second a new entry is logged. What could be causing this and how do I pinpoint the source?



date time                   action      rule                                    size    proto    direction           source IP          dest IP            source port   dest port   IP header
7/10/2006 11:53:31.821      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3883      9700      TTL: 128; TOS:  0; ID: 0EEA      
7/10/2006 11:53:33.824      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3884      9700      TTL: 128; TOS:  0; ID: 0FEA      
7/10/2006 11:53:35.842      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3885      9700      TTL: 128; TOS:  0; ID: 10EA      
7/10/2006 11:53:43.832      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3889      9700      TTL: 128; TOS:  0; ID: 18EA      
7/10/2006 11:53:45.833      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3890      9700      TTL: 128; TOS:  0; ID: 19EA      
7/10/2006 11:53:49.835      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3892      9700      TTL: 128; TOS:  0; ID: 1BEA      
7/10/2006 11:53:51.836      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3893      9700      TTL: 128; TOS:  0; ID: 1EEA      
7/10/2006 11:53:53.837      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3894      9700      TTL: 128; TOS:  0; ID: 1FEA      
7/10/2006 11:53:55.838      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3895      9700      TTL: 128; TOS:  0; ID: 20EA      
7/10/2006 11:53:59.840      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3897      9700      TTL: 128; TOS:  0; ID: 22EA      
7/10/2006 11:54:01.841      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3898      9700      TTL: 128; TOS:  0; ID: 23EA      
7/10/2006 11:54:03.842      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3899      9700      TTL: 128; TOS:  0; ID: 24EA      
0
Comment
Question by:Kurt4949
11 Comments
 
LVL 7

Author Comment

by:Kurt4949
ID: 17074067
This firewall is installed on my windows xp machine.  I installed it because I noticed the same thing being blocked in my hardware firewall.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17074134
From which firewall did you get those logs? What is your network subnet mask?

Cheers,
Rajesh
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 17074224
Our subnet mask is 255.255.255.0.

I got the log from Jetico Personal Firewall. I installed it because I noticed the same log in the WatchGuard hardware firewall.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17074235
Did you try pinging that IP address? Try it and see if you get any reply.

I'm guessing somebody's machine is configured with dual addresses and it is infected too.

Cheers,
Rajesh
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 17074271
Actually it doesn't seem to be in the actual log file of the WatchGuard, but when I open the WatchGuard Host Watch program it shows up there and is being blocked there also.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 17074279
No, I cannot ping the address.
0
 
LVL 9

Expert Comment

by:jjoseph_x
ID: 17074458
You could try to do an arp -a to get the MAC address of the machine. Then, if you have a managed switch, you should be able to see which port is associated with that MAC and thus be able to track down the machine that's sending the port scan.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 17074523
Hm, good idea, but we don't have any managed switches. I tried arp -a but it is not listed.
0
 
LVL 9

Accepted Solution

by:jjoseph_x (earned 500 total points)
ID: 17074680
It's a UDP broadcast so all machines on your network are probably receiving it. So what you could try is running Ethereal (it's called Wireshark now) and capturing the data.

In the Ethernet information about the packet you'll see the source MAC address.  Even if the port scanner is spoofing its IP it still needs to use the MAC of the machine through which it's sending its data.

Now we'll have to see if that MAC belongs to a machine on your subnet... we can do that by pinging all of the machines to populate the ARP table (before we do that, do an arp -a to see if that arp from Ethereal/Wireshark is already there).

You can do that by doing this from a command prompt:

FOR /L %x in (1,1,254) DO ping -n 1 -w 100 192.168.254.%x

If, after doing an arp -a, you still don't see a MAC that matches the one from the packet capture, it means that it's a machine that is not on your subnet... like someone's home laptop or something.
0
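The triage this thread arrives at, as an added example in Python that is not from the original thread: parse the Jetico log lines quoted in the question, flag rejected UDP broadcasts whose source lies outside the asker's 192.168.254.0/24 subnet and whose source ports climb by one per packet, then check whether the source MAC captured in Wireshark appears in an arp -a listing taken after the ping sweep. The fourth log line, the arp -a output and all MAC addresses are constructed placeholders.

```python
import ipaddress
import re
LOCAL_NET = ipaddress.ip_network("192.168.254.0/24")  # the asker's subnet (/24 per the thread)
# First three lines are copied from the log in the question; the fourth is constructed
# (an ordinary in-subnet NetBIOS broadcast) to show a benign entry being ignored.
LOG = """\
7/10/2006 11:53:31.821      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3883      9700      TTL: 128; TOS:  0; ID: 0EEA
7/10/2006 11:53:33.824      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3884      9700      TTL: 128; TOS:  0; ID: 0FEA
7/10/2006 11:53:35.842      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3885      9700      TTL: 128; TOS:  0; ID: 10EA
7/10/2006 11:53:37.900      reject      Block All not Processed IP Packets      78      UDP      incoming packet      192.168.254.10      192.168.254.255      137      137      TTL: 128; TOS:  0; ID: 2A01
"""
# Constructed `arp -a` output in Windows XP layout; the MAC addresses are placeholders.
ARP_OUTPUT = """\
Interface: 192.168.254.50 --- 0x2
  192.168.254.1         00-11-22-33-44-55     dynamic
  192.168.254.77        00-aa-bb-cc-dd-ee     dynamic
"""

def parse_line(line):
    """Split on runs of 3+ spaces: the rule name and 'incoming packet' contain single spaces."""
    f = re.split(r"\s{3,}", line.strip())
    if len(f) != 11:
        return None  # not a packet line in this format
    return {"ts": f[0], "proto": f[4], "src": f[6], "dst": f[7],
            "sport": int(f[8]), "dport": int(f[9])}

def off_subnet_broadcasts(log):
    """Source ports of rejected UDP limited-broadcasts from non-local senders, keyed by (src, dport)."""
    hits = {}
    for line in log.splitlines():
        e = parse_line(line)
        if not e or e["proto"] != "UDP" or e["dst"] != "255.255.255.255":
            continue
        if ipaddress.ip_address(e["src"]) in LOCAL_NET:
            continue  # a host on our own subnet; not the pattern in the question
        hits.setdefault((e["src"], e["dport"]), []).append(e["sport"])
    return hits

def is_sequential(ports):
    """True when each source port is one above the previous: one process, one fresh socket per probe."""
    return len(ports) >= 2 and all(b - a == 1 for a, b in zip(ports, ports[1:]))

def mac_on_subnet(capture_mac, arp_output):
    """Map the source MAC seen in Wireshark to an IP in the ARP table; None means not a local host."""
    want = capture_mac.lower().replace(":", "-")
    pat = r"(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})"
    for ip, mac in re.findall(pat, arp_output, re.I):
        if mac.lower() == want:
            return ip
    return None
```

A hit with sequential ports from an address that is not in the subnet, plus a MAC that does appear in arp -a after the ping sweep, is exactly the "dual-addressed local machine" case the thread resolved.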
 
LVL 7

Author Comment

by:Kurt4949
ID: 17075014
Wow, thanks, your answer worked perfectly. I used Wireshark to find the MAC address. Then I ran the ping command you posted and found the machine.

Our software department wrote a clever program to scan for certain systems.  It was not meant to be used on an open network.  I informed the person, they did not realize it was still running and they disabled it.

Thanks
0
 
LVL 9

Expert Comment

by:jjoseph_x
ID: 17075138
No problem.  I'm glad to help.
0