
Sometimes flooded with port scans

<<

Switch101

Newbie

Posts: 16

Joined: Sun Nov 01, 2009 7:40 pm

Post Sun Nov 01, 2009 8:13 pm

Sometimes flooded with port scans

I recently installed Firestarter and noticed that from time to time I get flooded with port scans by numerous IPs which port scan strange ports like 50726, 48653, 57884. These scans continue even after I reset the power, which assigns me a new IP#. After about an hour or so these scans just stop.

I was just wondering why this occurs.

A whois on two IPs brings up:

Microsoft Corp
IPHostingGame-NET

Thank you.
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sun Nov 01, 2009 9:02 pm

Re: Sometimes flooded with port scans

It's difficult to say without looking at the logs, but it could be legit.  Certain software may try to probe your computer in an attempt to find an open port to communicate.  Then again, it could be something malicious.  If you change your IP and it still occurs, it is likely that something from the inside is initiating the port scans.
~~~~~~~~~~~~~~
Ketchup
<<

Switch101

Newbie

Posts: 16

Joined: Sun Nov 01, 2009 7:40 pm

Post Mon Nov 02, 2009 5:46 pm

Re: Sometimes flooded with port scans

Sorry if this is a double post +1 from yesterday but it didn't appear to post.

Thank you for your reply Ketchup:

Is there anything you can recommend? I'm currently using Ubuntu 9.10, which I upgraded to a while back. I did so much customizing I would hate to do it all again from a fresh install.

I don't remember adding any software that would request any unknown connections. I went over to auditmypc and shieldsup and port scanned a few of these ports that have been scanned, all of which were reported as closed.

I also did a local nmap scan on a few other ports, which were also reported closed, so I'm guessing it really isn't posing a threat, but still I would like to get to the bottom of it.

Thank you.
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Nov 02, 2009 6:33 pm

Re: Sometimes flooded with port scans

You can try running a packet sniffer, like Wireshark, when these port scans are occurring.  It could allow you to see what's happening.

Do you have any gaming software or hardware? 
~~~~~~~~~~~~~~
Ketchup
<<

Switch101

Newbie

Posts: 16

Joined: Sun Nov 01, 2009 7:40 pm

Post Mon Nov 02, 2009 7:47 pm

Re: Sometimes flooded with port scans

I do have Wireshark installed, but to be honest I really don't know what I'm looking for. Below is a copy and paste of one item.

No: 49
Time: 55.103978
Source: 208.58.35.39
Destination: 71.246.123.131
Protocol: UDP
Info: Source port: 14304  Destination port: 50802

A whois brings up RCN Corporation, which isn't my provider.

I don't have any gaming software installed at all. Every day I get port scanned on strange ports as I posted above, but on occasion I get flooded, where the event log provided by Firestarter just keeps scrolling.

Firestarter also has an Active Connection column where I can see that I have no unknown connections being shown. Another strange occurrence is many websites scan me on ports like 139, 145 and a few other popular service ports, but only on occasion.

Thank you for help.
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Nov 02, 2009 8:01 pm

Re: Sometimes flooded with port scans

I would look for outbound communication from your computer when you are getting port scanned.  I think that what you are experiencing is pretty common though, especially on Verizon.  Other providers, like Comcast, block much of this stuff.  I don't think Verizon does.  I think that as long as it's not making it into your network, your firewall is working. 
~~~~~~~~~~~~~~
Ketchup
<<

Switch101

Newbie

Posts: 16

Joined: Sun Nov 01, 2009 7:40 pm

Post Mon Nov 02, 2009 8:50 pm

Re: Sometimes flooded with port scans

Thank you for your help Ketchup, I'll keep an eye open for outbound connections on Wireshark the next time I start to get flooded.

I actually have the Verizon modem set to accept all because I installed apache2 and use it to chat and transfer files with a few of my friends. Also I became a little interested in Pentesting and Exploits.

I'll probably be coming here to Ethicalhacker.net from time to time to learn points of interest. I'm waiting for Backtrack4's Final release, but in the meantime I've been turning my Ubuntu version into a mini version of it.

I might even just decide to take the route I've been on and just continue with it. Thank you once again for your help and time, Ketchup.
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Nov 02, 2009 8:56 pm

Re: Sometimes flooded with port scans

Switch101, I forgot to welcome you to EH.net.  Welcome :)  Better late than never.

When I was talking about Comcast blocking malicious traffic, they actually do it within their network, before it even gets to your modem.  Verizon does not do this.  Do you have a firewall between your Verizon modem and your computers?  If not, you can look into something like smoothwall or ipcop, both Linux firewall distros.
~~~~~~~~~~~~~~
Ketchup
<<

Switch101

Newbie

Posts: 16

Joined: Sun Nov 01, 2009 7:40 pm

Post Mon Nov 02, 2009 10:03 pm

Re: Sometimes flooded with port scans

Nope, there is no firewall between my modem and computer. As far as I know Firestarter is blocking all incoming traffic via IPtables unless I assign an allow policy.

I really don't have a paranoia about being hacked, being that I really don't have any personal information being sent or stored. I just was curious to find out just why these scans were occurring and if it was possible to stop it.

For the most part I keep my services closed until a friend requests to use it, and vice versa.

I do have a wireless card that I was trying to get running properly on the Ubuntu side with injection. I have Backtrack3 installed on a separate partition that works well but was looking to just format the drive for space.

Maybe just go with Backtrack4 since it's Ubuntu based and start over from there. I'm not into breaking into anyone's computers or stealing their bandwidth, except with the permission of friends who live close by.

My friends are a bunch of Windows users, who don't have as much interest in pentesting as I do because Linux is too user unfriendly for them. They want everything to be like Metasploit's GUI lol.

Thank you for the welcome

:)
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Nov 02, 2009 10:21 pm

Re: Sometimes flooded with port scans

Switch, it's not always about personal information on your computer.  It's more likely that your computer would be taken over as an SSH proxy.  To me, while firestarter is blocking connections, I prefer to be behind another layer of protection.  Call that paranoia, well, it probably is :)
~~~~~~~~~~~~~~
Ketchup
<<

Switch101

Newbie

Posts: 16

Joined: Sun Nov 01, 2009 7:40 pm

Post Mon Nov 02, 2009 11:15 pm

Re: Sometimes flooded with port scans

I have so much to learn. I never would have expected that; I figured big servers would have to worry about that. I've heard about some TOR network that is being used. Anyhow, I did a quick Google search.

Opened a terminal and threw in a: ssh myName@myIP which resulted in "port 22: Connection refused". I really don't even know at this time if that command is even correct.

I have to look further into it. But part of my reasoning was a quick way to allow services to pass through without having to go through a process.

Thank you for all your help.

Goodnight Ketchup and to everyone else out there.
<<

mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Tue Nov 03, 2009 2:21 am

Re: Sometimes flooded with port scans

Hi switch,

Have you been running P2P software by the time you see the floods? I've experienced similar situations after using P2P, and sometimes those floods could manage to bring my connection down if I didn't activate a firewall.
<<

Switch101

Newbie

Posts: 16

Joined: Sun Nov 01, 2009 7:40 pm

Post Tue Nov 03, 2009 10:07 pm

Re: Sometimes flooded with port scans

Hi Mambru:

I had used a P2P software (Transmission BitTorrent Client) for a few days but haven't used it since. I did have to allow a policy on port 51413 in order to share but really didn't notice these flood scans during that period.

I'm really glad that I don't experience any noticeable connection slow down while these flood scans are tricking off my Firestarter application otherwise I would be more inclined to start with a fresh install of the now available Ubuntu 9.10.

I'm still in the learning process of Linux even though it was my primary operating system for a few years now.  I completely gave up all Windows installations at this time having switched from Mandriva to Ubuntu because I didn't like the new feel of Mandriva.

Are these floods still scanning you? I'm thinking I haven't installed anything else that would request for a connection. I kind of struck it out as being unrelated, but now that you brought that to my attention, it may just be the very problem.

I haven't started the Transmission Application until just today. It doesn't appear to run at startup; is it possible that I'm still sharing at a quit now state?

Thank you.
<<

mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Wed Nov 04, 2009 4:16 am

Re: Sometimes flooded with port scans

It's been a while since I experienced that, and back then I had a public IP. It was very weird, because the attempts of incoming connections could continue for as long as 3 or 4 days after I had stopped sharing files (even not running the P2P client at all), so the IP shouldn't have been announced as a peer any more. I never found out what was going on. If you (or somebody else) come up with an explanation, please share it.
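
Added example, not part of any post in this thread: a Python sketch of the triage Ketchup and mambru describe, separating inbound packets that follow the host's own outbound traffic, one source walking many ports, and many sources converging on a single port (the P2P-style pattern). The addresses are constructed from documentation ranges, and the thresholds and labels are assumptions; only ports 51413, 14304 and 50802 come from the thread.

```python
from collections import defaultdict

LOCAL = "192.0.2.10"  # constructed address (documentation range)

# Constructed capture summary: (time_s, src, sport, dst, dport, proto)
PACKETS = [
    (1.0, LOCAL, 51413, "198.51.100.7", 6881, "UDP"),    # outbound P2P traffic
    (2.0, LOCAL, 51413, "198.51.100.8", 6881, "UDP"),
    (60.0, "198.51.100.7", 6881, LOCAL, 51413, "UDP"),   # peers we contacted
    (61.0, "198.51.100.8", 6881, LOCAL, 51413, "UDP"),
    (62.0, "198.51.100.9", 40000, LOCAL, 51413, "UDP"),  # peers we never contacted
    (63.0, "198.51.100.10", 40001, LOCAL, 51413, "UDP"),
    (90.0, "203.0.113.77", 14304, LOCAL, 50802, "UDP"),  # lone packet
] + [
    (70.0 + i, "203.0.113.5", 45000, LOCAL, port, "TCP")  # one host, many ports
    for i, port in enumerate([22, 23, 80, 139, 445])
]


def classify_inbound(packets, local, scan_ports=4, fanin_sources=3):
    """Label each remote source of inbound packets (thresholds are assumptions)."""
    contacted = set()                # remotes the local host has already sent to
    solicited = set()                # remotes whose inbound followed our outbound
    ports_by_src = defaultdict(set)  # remote -> local (proto, port) pairs probed
    srcs_by_port = defaultdict(set)  # local (proto, port) -> remotes hitting it
    for _t, src, _sport, dst, dport, proto in sorted(packets):
        if src == local:
            contacted.add(dst)
        elif dst == local:
            ports_by_src[src].add((proto, dport))
            srcs_by_port[(proto, dport)].add(src)
            if src in contacted:
                solicited.add(src)
    report = {}
    for src, ports in ports_by_src.items():
        if src in solicited:
            report[src] = "reply-to-outbound"   # something inside talked first
        elif len(ports) >= scan_ports:
            report[src] = "port-scan"           # one source walking many ports
        elif any(len(srcs_by_port[p]) >= fanin_sources for p in ports):
            report[src] = "fan-in"              # many sources, one port (P2P-like)
        else:
            report[src] = "unclassified"
    return report


if __name__ == "__main__":
    for src, label in sorted(classify_inbound(PACKETS, LOCAL).items()):
        print(f"{src:15} {label}")
```

The same tuples can be filled from a Wireshark export or firewall log; sources labelled "reply-to-outbound" point at a local program to identify first.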
<<

Switch101

Newbie

Posts: 16

Joined: Sun Nov 01, 2009 7:40 pm

Post Wed Nov 04, 2009 7:43 pm

Re: Sometimes flooded with port scans

I second that.

:)

Thank you, Ketchup and Mambru, for your input.