November 2, 2009 at 1:13 am #4383
I recently installed Firestarter and noticed that from time to time I get flooded with port scans by numerous IPs which port scan strange ports like 50726, 48653, 57884. These scans continue even after I reset the power, which assigns me a new IP. After about an hour or so these scans just stop.
I was just wondering why this occurs.
A whois on two IPs brings up
November 2, 2009 at 2:02 am #27672
It’s difficult to say without looking at the logs, but it could be legit. Certain software may try to probe your computer in an attempt to find an open port to communicate. Then again, it could be something malicious. If you change your IP and it still occurs, it is likely that something from the inside is initiating the port scans.
November 2, 2009 at 10:46 pm #27673
Sorry if this is a double post (+1 from yesterday), but it didn’t appear to post.
Thank you for your reply, Ketchup.
Is there anything you can recommend? I’m currently using Ubuntu 9.10, which I upgraded to a while back. I did so much customizing that I would hate to do it all again from a fresh install.
I don’t remember adding any software that would request any unknown connections. I went over to auditmypc and shieldsup and port scanned a few of these ports that have been scanned, all of which were reported as closed.
I also did a local nmap scan on a few other ports, which were also reported closed, so I’m guessing it really isn’t posing a threat, but still I would like to get to the bottom of it.
November 2, 2009 at 11:33 pm #27674
You can try running a packet sniffer, like Wireshark, when these port scans are occurring. It could allow you to see what’s happening.
Do you have any gaming software or hardware?
November 3, 2009 at 12:47 am #27675
I do have Wireshark installed, but to be honest I really don’t know what I’m looking for. Below is a copy and paste of one item:
Info: Source port: 14304 Destination port: 50802
A whois brings up RCN Corporation, which isn’t my provider.
I don’t have any gaming software installed at all. Every day I get port scanned on strange ports, as I posted above, but on occasion I get flooded, where the event log provided by Firestarter just keeps scrolling.
Firestarter also has an Active Connection column where I can see that I have no unknown connections being shown. Another strange occurrence is that many websites scan me on ports like 139, 145 and a few other popular service ports, but only on occasion.
Thank you for your help.
November 3, 2009 at 1:01 am #27676
I would look for outbound communication from your computer when you are getting port scanned. I think that what you are experiencing is pretty common though, especially on Verizon. Other providers, like Comcast, block much of this stuff. I don’t think Verizon does. I think that as long as it’s not making it into your network, your firewall is working.
November 3, 2009 at 1:50 am #27677
Thank you for your help Ketchup, I’ll keep an eye open for outbound connections on Wireshark the next time I start to get flooded.
I actually have the Verizon modem set to accept all because I installed apache2 and use it to chat and transfer files with a few of my friends. Also, I became a little interested in pentesting and exploits.
I’ll probably be coming here to Ethicalhacker.net from time to time to learn points of interest. I’m waiting for Backtrack4’s final release, but in the meantime I’ve been turning my Ubuntu version into a mini version of it.
I might even just decide to take the route I’ve been on and just continue with it. Thank you once again for your help and time, Ketchup.
November 3, 2009 at 1:56 am #27678
Switch101, I forgot to welcome you to EH.net. Welcome 🙂 Better late than never.
When I was talking about Comcast blocking malicious traffic, they actually do it within their network, before it even gets to your modem. Verizon does not do this. Do you have a firewall between your Verizon modem and your computers? If not, you can look into something like smoothwall or ipcop, both Linux firewall distros.
November 3, 2009 at 3:03 am #27679
Nope, there is no firewall between my modem and computer. As far as I know, Firestarter is blocking all incoming traffic via iptables unless I assign an allow policy.
I really don’t have a paranoia about being hacked, being that I really don’t have any personal information being sent or stored. I just was curious to find out why these scans were occurring and if it was possible to stop them.
For the most part I keep my services closed until a friend requests to use them, and vice versa.
I do have a wireless card that I was trying to get running properly on the Ubuntu side with injection. I have Backtrack3 installed on a separate partition that works well but was looking to just format the drive for space.
Maybe just go with Backtrack4 since it’s Ubuntu based and start over from there. I’m not into breaking into anyone’s computers or stealing their bandwidth, except with the permission of friends who live close by.
My friends are a bunch of windows users, who don’t have as much interest in pentesting as I do because Linux is too user unfriendly for them, they want everything to be like Metasploit’s gui lol.
Thank you for the welcome
November 3, 2009 at 3:21 am #27680
Switch, it’s not always about personal information on your computer. It’s more likely that your computer would be taken over as an SSH proxy. To me, while Firestarter is blocking connections, I prefer to be behind another layer of protection. Call that paranoia; well, it probably is 🙂
November 3, 2009 at 4:15 am #27681
I have so much to learn. I never would have expected that; I figured big servers would have to worry about that. I’ve heard about some TOR network that is being used. Anyhow, I did a quick Google search.
Opened a terminal and threw in: ssh myName@myIP, which resulted in "port 22: Connection refused". I really don’t even know at this time if that command is even correct.
I have to look further into it. But part of my reasoning was a quick way to allow services to pass through without having to go through a process.
Thank you for all your help.
Goodnight Ketchup and to everyone else out there.
November 3, 2009 at 7:21 am #27682 mambru (Participant)
Have you been running P2P software at the time you see the floods? I’ve experienced similar situations after using P2P, and sometimes those floods could manage to bring my connection down if I didn’t activate a firewall.
November 4, 2009 at 3:07 am #27683
I had used a P2P software (Transmission BitTorrent Client) for a few days but haven’t used it since. I did have to allow a policy on port 51413 in order to share but really didn’t notice these flood scans during that period.
I’m really glad that I don’t experience any noticeable connection slow down while these flood scans are tricking off my Firestarter application otherwise I would be more inclined to start with a fresh install of the now available Ubuntu 9.10.
I’m still in the learning process of Linux even though it was my primary operating system for a few years now. I completely gave up all Windows installations at this time having switched from Mandriva to Ubuntu because I didn’t like the new feel of Mandriva.
Are these floods still scanning you? I’m thinking I haven’t installed anything else that would request a connection. I kind of struck it out as being unrelated, but now that you brought that to my attention, it may just be the very problem.
I hadn’t started the Transmission application until just today; it doesn’t appear to run at startup. Is it possible that I’m still sharing in a quit state now?
November 4, 2009 at 9:16 am #27684 mambru (Participant)
It’s been a while since I experienced that, and back then I had a public IP. It was very weird, because the attempts of incoming connections could continue for as long as 3 or 4 days after I had stopped sharing files (even not running the P2P client at all), so the IP shouldn’t have been announced as a peer any more. I never found out what was going on, if you (or somebody else) come with an explanation, please share it.
November 5, 2009 at 12:43 am #27685
I second that.
Thank you, Ketchup and Mambru, for your input.
November 9, 2009 at 3:11 pm #27686 slimjim100 (Participant)
As a side note, some of the ports you listed were NetBIOS/MS ports, and NetBIOS should never be routed over the internet, as it’s supposed to be used on the local LAN only. I would recommend having a small home/office firewall on your internet-facing line to keep a lot of unneeded scans and traffic from hitting your PC. Just because you do not have personal data on the PC, it’s still your responsibility as the PC’s owner to keep the device safe and prevent it from becoming a zombie or hosting illegal content. If you want to play and learn, run Ethereal/Wireshark on the PC and review your logs. There are tons of places online and here on the forum to learn how to use Ethereal/Wireshark.
Just my 2 cents…
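As an added example (editor's code, not something any poster in this thread wrote), the script below does the log review slimjim100 suggests, on constructed iptables LOG lines in the format Firestarter records to syslog, using RFC 5737 documentation addresses rather than anyone's real traffic. It separates the three patterns this thread has been looking at: many different sources all hitting one high port, a single source walking several ports, and Windows NetBIOS/SMB ports arriving from the Internet. The first pattern is what a BitTorrent session leaves behind: trackers and the DHT hand your IP and listening port (Transmission's default is 51413, the port allowed in the poster's policy) to other peers, and those peers keep retrying the stored address after the client has exited, which is consistent with mambru's observation of attempts continuing after sharing stopped. The thresholds of three sources and three ports are assumptions chosen for the sample, not values from the thread.

```python
"""Triage of dropped inbound connection attempts from iptables/Firestarter logs.

Added example, not code from the thread. The sample log lines are constructed
in the iptables LOG format that Firestarter writes to syslog, with RFC 5737
documentation addresses; they are nobody's real capture.
"""
import re
from collections import defaultdict

# Windows file/printer sharing and RPC ports (NetBIOS over TCP/IP, SMB, DCE/RPC).
# These belong on the local LAN and should never arrive from the Internet.
WINDOWS_LAN_PORTS = frozenset({135, 137, 138, 139, 445})

# Constructed sample: four former BitTorrent peers still trying the old
# Transmission listening port (51413, TCP and UDP/DHT), one host probing
# several ports, one stray high-port SYN, and one ICMP echo (no ports).
SAMPLE_LOG = """\
Nov  3 01:12:01 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=14304 DPT=51413 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 01:12:03 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.22 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=6881 DPT=51413 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  3 01:12:04 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=3 DF PROTO=TCP SPT=51413 DPT=51413 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 01:12:06 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.5 LEN=131 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=UDP SPT=6881 DPT=51413 LEN=111
Nov  3 01:12:10 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=44 ID=5 PROTO=TCP SPT=44021 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  3 01:12:10 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=44 ID=6 PROTO=TCP SPT=44022 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  3 01:12:11 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=44 ID=7 PROTO=TCP SPT=44023 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  3 01:12:15 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=8 DF PROTO=TCP SPT=14304 DPT=50802 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 01:12:20 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=53 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=3344 SEQ=1
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
SYN_FLAG = re.compile(r"\bSYN\b")  # TCP flags appear as bare tokens after RES=


def parse_log(text):
    """Parse iptables LOG lines into dicts; skip lines with no destination port."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD.findall(line))
        if not all(k in fields for k in ("SRC", "DST", "PROTO", "DPT")):
            continue  # ICMP and unrelated syslog lines carry no DPT
        events.append({
            "src": fields["SRC"],
            "dst": fields["DST"],
            "proto": fields["PROTO"],
            "sport": int(fields.get("SPT", 0)),
            "dport": int(fields["DPT"]),
            "syn": bool(SYN_FLAG.search(line)),
        })
    return events


def classify(events, former_listen_ports=frozenset(),
             peer_source_threshold=3, scan_port_threshold=3):
    """Group dropped attempts and return (kind, subject, detail) findings.

    stale-peers : >= peer_source_threshold distinct sources hit one port we used
                  to listen on; peers learned it from trackers/DHT and keep
                  retrying after the client exited. Thresholds are assumptions.
    port-scan   : one source touched >= scan_port_threshold different ports.
    windows-lan : a source reached NetBIOS/SMB/RPC ports; drop these at the edge.
    """
    srcs_by_port = defaultdict(set)
    ports_by_src = defaultdict(set)
    for e in events:
        srcs_by_port[e["dport"]].add(e["src"])
        ports_by_src[e["src"]].add(e["dport"])

    findings = []
    for port, srcs in sorted(srcs_by_port.items()):
        if port in former_listen_ports and len(srcs) >= peer_source_threshold:
            findings.append(("stale-peers", port, len(srcs)))
    for src, ports in sorted(ports_by_src.items()):
        if len(ports) >= scan_port_threshold:
            findings.append(("port-scan", src, sorted(ports)))
        lan_hits = sorted(ports & WINDOWS_LAN_PORTS)
        if lan_hits:
            findings.append(("windows-lan", src, lan_hits))
    return findings


def report(text, former_listen_ports=frozenset()):
    """Human-readable summary, returned as lines so it can be printed or tested."""
    events = parse_log(text)
    lines = [f"{len(events)} dropped connection attempts parsed"]
    for kind, subject, detail in classify(events, former_listen_ports):
        lines.append(f"{kind:12} {subject!s:16} {detail}")
    return lines


if __name__ == "__main__":
    # 51413 is Transmission's default listening port, the one opened in the thread.
    print("\n".join(report(SAMPLE_LOG, former_listen_ports={51413})))
```

On real data, feed the script the Firestarter/syslog file instead of SAMPLE_LOG and pass every port that was ever opened for a P2P client in former_listen_ports. Attempts that cluster on such a port from many unrelated sources are leftover peer traffic and will fade on their own; a single source touching many ports, or anything aimed at 135-139/445, is the traffic worth blocking upstream of the PC, as slimjim100 recommends.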