
Solved

strange port 9700 scan?

Posted on 2006-07-10
Last Modified: 2008-02-01
Hello,

I just installed a firewall and it is logging strange traffic.  Please see part of my log file below.  I don't even know where 192.168.1.223 is coming from.  Our network is a 192.168.254.0 network.  This is constantly being logged and the source port increases by one every time.  About every second a new entry is logged.  What could be causing this and how do I pinpoint the source?



Columns, left to right: timestamp, action, rule, size, protocol, direction, source address, destination address, source port, dest port, IP header fields (TTL / TOS / ID)
7/10/2006 11:53:31.821      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3883      9700      TTL: 128; TOS:  0; ID: 0EEA      
7/10/2006 11:53:33.824      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3884      9700      TTL: 128; TOS:  0; ID: 0FEA      
7/10/2006 11:53:35.842      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3885      9700      TTL: 128; TOS:  0; ID: 10EA      
7/10/2006 11:53:43.832      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3889      9700      TTL: 128; TOS:  0; ID: 18EA      
7/10/2006 11:53:45.833      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3890      9700      TTL: 128; TOS:  0; ID: 19EA      
7/10/2006 11:53:49.835      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3892      9700      TTL: 128; TOS:  0; ID: 1BEA      
7/10/2006 11:53:51.836      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3893      9700      TTL: 128; TOS:  0; ID: 1EEA      
7/10/2006 11:53:53.837      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3894      9700      TTL: 128; TOS:  0; ID: 1FEA      
7/10/2006 11:53:55.838      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3895      9700      TTL: 128; TOS:  0; ID: 20EA      
7/10/2006 11:53:59.840      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3897      9700      TTL: 128; TOS:  0; ID: 22EA      
7/10/2006 11:54:01.841      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3898      9700      TTL: 128; TOS:  0; ID: 23EA      
7/10/2006 11:54:03.842      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3899      9700      TTL: 128; TOS:  0; ID: 24EA      
0
Question by:Kurt4949
11 Comments
 
LVL 7

Author Comment

by:Kurt4949
ID: 17074067
This firewall is installed on my Windows XP machine.  I installed it because I noticed the same thing being blocked in my hardware firewall.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17074134
From which firewall did you get those logs?  What is your network subnet mask?

Cheers,
Rajesh
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 17074224
Our subnet mask is 255.255.255.0.

I got the log from Jetico Personal Firewall.  I installed it because I noticed the same log in the WatchGuard hardware firewall.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17074235
Did you try pinging that IP address?  Try it and see if you get any reply.

I'm guessing somebody's machine is configured with dual addresses and it is infected too.

Cheers,
Rajesh
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 17074271
Actually, it doesn't seem to be in the actual log file of the WatchGuard, but when I open the WatchGuard HostWatch program it shows up there and is being blocked there also.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 17074279
No, I cannot ping the address.
0
 
LVL 9

Expert Comment

by:jjoseph_x
ID: 17074458
You could try to do an arp -a to get the MAC address of the machine.  Then, if you have a managed switch, you should be able to see which port is associated with that MAC and thus be able to track down the machine that's sending the port scan.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 17074523
Hm, good idea, but we don't have any managed switches.  I tried arp -a but it is not listed.
0
 
LVL 9

Accepted Solution

by:jjoseph_x (earned 2000 total points)
ID: 17074680
It's a UDP broadcast, so all machines on your network are probably receiving it.   So what you could try is running Ethereal (it's called Wireshark now) and capturing the data.

In the Ethernet information about the packet you'll see the source MAC address.  Even if the port scanner is spoofing its IP it still needs to use the MAC of the machine through which it's sending its data.

Now we'll have to see if that MAC belongs to a machine on your subnet... we can do that by pinging all of the machines to populate the ARP table (before we do that, do an arp -a to see if that MAC from Ethereal/Wireshark is already there).

You can do that by doing this from a command prompt:

FOR /L %x in (1,1,254) DO ping -n 1 -w 100 192.168.254.%x

If, after doing an arp -a, you still don't see a MAC that matches the one from the packet capture, it means that it's a machine that's not on your subnet...  like someone's home laptop or something.
0
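The accepted answer's procedure (capture the broadcast, read the source MAC from the Ethernet header, fill the ARP table with a ping sweep, then compare against arp -a) can be checked by script rather than by eye. The Python below is an added example and is not code from the question or from any of the answers. It parses the Jetico log lines quoted in the question to confirm what the asker saw (broadcast destination, fixed destination port 9700, climbing source port, roughly two-second cadence, source address outside the 192.168.254.0/24 subnet the asker gave), and then looks up a MAC address taken from Wireshark in an arp -a dump. The arp -a output, its MAC addresses (00-00-5E-00-53-xx documentation range) and the 192.168.254.37 host are constructed for the example; the sweep_targets helper generalises the FOR /L loop from the answer to any subnet size.

```python
import ipaddress
import re
import statistics
from datetime import datetime

# Jetico Personal Firewall lines quoted from the question (sample input).
FIREWALL_LOG = """
7/10/2006 11:53:31.821      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3883      9700      TTL: 128; TOS:  0; ID: 0EEA
7/10/2006 11:53:33.824      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3884      9700      TTL: 128; TOS:  0; ID: 0FEA
7/10/2006 11:53:35.842      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3885      9700      TTL: 128; TOS:  0; ID: 10EA
7/10/2006 11:53:43.832      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3889      9700      TTL: 128; TOS:  0; ID: 18EA
7/10/2006 11:53:45.833      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3890      9700      TTL: 128; TOS:  0; ID: 19EA
7/10/2006 11:53:49.835      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3892      9700      TTL: 128; TOS:  0; ID: 1BEA
7/10/2006 11:53:51.836      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3893      9700      TTL: 128; TOS:  0; ID: 1EEA
7/10/2006 11:53:53.837      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3894      9700      TTL: 128; TOS:  0; ID: 1FEA
7/10/2006 11:53:55.838      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3895      9700      TTL: 128; TOS:  0; ID: 20EA
7/10/2006 11:53:59.840      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3897      9700      TTL: 128; TOS:  0; ID: 22EA
7/10/2006 11:54:01.841      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3898      9700      TTL: 128; TOS:  0; ID: 23EA
7/10/2006 11:54:03.842      reject      Block All not Processed IP Packets      70      UDP      incoming packet      192.168.1.223      255.255.255.255      3899      9700      TTL: 128; TOS:  0; ID: 24EA
"""

LOCAL_SUBNET = ipaddress.ip_network("192.168.254.0/24")  # from the question


def parse_log(text):
    """Split Jetico log lines (columns separated by runs of spaces) into dicts."""
    entries = []
    for line in text.strip().splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 10:
            continue  # header or blank line, not a log record
        ts, action, rule, size, proto, direction, src, dst, sport, dport = fields[:10]
        entries.append({
            "time": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f"),
            "action": action, "rule": rule, "size": int(size), "proto": proto,
            "direction": direction, "src": src, "dst": dst,
            "sport": int(sport), "dport": int(dport),
            "extra": "  ".join(fields[10:]),  # TTL / TOS / ID, left as text
        })
    return entries


def summarize(entries, local_subnet=LOCAL_SUBNET):
    """Describe the pattern: who, to where, which port, how fast, and whether the
    claimed source even belongs to the local subnet."""
    times = [e["time"] for e in entries]
    sports = [e["sport"] for e in entries]
    intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    sources = sorted({e["src"] for e in entries})
    return {
        "count": len(entries),
        "sources": sources,
        "sources_outside_subnet": [s for s in sources
                                   if ipaddress.ip_address(s) not in local_subnet],
        "broadcast": all(e["dst"] == "255.255.255.255" for e in entries),
        "dest_ports": sorted({e["dport"] for e in entries}),
        "source_ports_increasing": all(a < b for a, b in zip(sports, sports[1:])),
        "median_interval_s": statistics.median(intervals) if intervals else None,
    }


# Constructed `arp -a` output in Windows format; hosts and MACs are made up.
ARP_TABLE = """
Interface: 192.168.254.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.254.1         00-00-5e-00-53-01     dynamic
  192.168.254.37        00-00-5e-00-53-0a     dynamic
  192.168.254.255       ff-ff-ff-ff-ff-ff     static
"""
ARP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\w+)", re.M)


def normalize_mac(mac):
    """Wireshark prints aa:bb:..., arp -a prints aa-bb-...; compare one form."""
    return mac.lower().replace(":", "-")


def parse_arp_table(text):
    """Map MAC -> list of IPs (a dual-addressed host appears more than once)."""
    table = {}
    for ip, mac, _type in ARP_RE.findall(text):
        table.setdefault(normalize_mac(mac), []).append(ip)
    return table


def find_ips_for_mac(arp_table, mac):
    """IPs the ARP table knows for the MAC seen in the capture; [] means the
    sender is not on this subnet (or the sweep did not reach it)."""
    return sorted(arp_table.get(normalize_mac(mac), []))


def sweep_targets(subnet=LOCAL_SUBNET):
    """Host addresses the FOR /L ping loop touches, for any subnet size."""
    return [str(h) for h in subnet.hosts()]
```

Run it as a script after pasting the real arp -a output over ARP_TABLE and the MAC from the Wireshark Ethernet header into find_ips_for_mac; an empty result after the sweep is the "not on your subnet" case the answer describes, and a result with two addresses is the dual-addressed machine rsivanandan guessed at.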
 
LVL 7

Author Comment

by:Kurt4949
ID: 17075014
Wow, thanks, your answer worked perfectly.  I used Wireshark to find the MAC address.  Then I ran the ping command you posted and found the machine.

Our software department wrote a clever program to scan for certain systems.  It was not meant to be used on an open network.  I informed the person; they did not realize it was still running and they disabled it.

Thanks
0
 
LVL 9

Expert Comment

by:jjoseph_x
ID: 17075138
No problem.  I'm glad to help.
0
