[Dshield] Scans on port 3659?

Andre Costa brblueser at uol.com.br
Fri Nov 8 13:58:47 GMT 2002


Hi all,

I feel silly to reply to my own post, but TCP traffic to my port 3659
keeps coming (1584 times in the last 48h on Linux only -- if I add hits
while I've been on Win2k on the same machine, this would scale up). Is
this legitimate traffic? If not, is this a known exploit?

TIA,

Andre

On Thu, 7 Nov 2002 14:53:01 -0200
André Costa <brblueser at uol.com.br> wrote:

> Hi all,
> 
> I am new to this list and to firewall maintenance in general, so
> please bear with any stupid thing I might say ;) Also, if this is not
> the right place for such questions, please excuse me and direct me
> somewhere else.
> 
> I have a dual boot machine here at home, with Win2k Pro and RH Linux
> 7.1 (kernel 2.4.19), connected to a cablemodem. I have Sygate Personal
> Firewall on Win2k and iptables on Linux, both seem to be working fine.
> 
> For the last two days I've been blocking TCP scans on my port 3659
> like hell. These seem to come from different ports on the same
> machines, as in (taken from exported SPF logs):
> 
> [snip]
> 1476 11/07/2002 13:33:16 Blocked TCP Incoming 200.168.1.105 3950 200.255.184.111 3659 3 11/07/2002 13:32:05 11/07/2002 13:32:14 Block_all
> 1478 11/07/2002 13:34:02 Blocked TCP Incoming 200.168.1.105 3992 200.255.184.111 3659 3 11/07/2002 13:32:48 11/07/2002 13:32:57 Block_all
> 1480 11/07/2002 13:37:28 Blocked TCP Incoming 200.168.1.105 4069 200.255.184.111 3659 3 11/07/2002 13:36:18 11/07/2002 13:36:27 Block_all
> 1481 11/07/2002 13:38:09 Blocked TCP Incoming 200.168.1.105 4095 200.255.184.111 3659 3 11/07/2002 13:36:54 11/07/2002 13:37:03 Block_all
> 1482 11/07/2002 13:38:29 Blocked TCP Incoming 200.168.1.105 4117 200.255.184.111 3659 3 11/07/2002 13:37:17 11/07/2002 13:37:26 Block_all
> 1483 11/07/2002 13:38:50 Blocked TCP Incoming 200.168.1.105 4139 200.255.184.111 3659 3 11/07/2002 13:37:37 11/07/2002 13:37:46 Block_all
> [snip]
> 
> But it also comes from different sources as well (many times a day,
> sometimes a few minutes apart).
> 
> I tried Google for info on recent activity on this port, but found
> nothing. No luck here either:
> http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
> 
> Anybody out there experiencing the same? Should I report it somewhere?
> 
> TIA,
> 
> Andre


-- 
Andre Oliveira da Costa
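
Added example, not part of the original post: a Python summary of the exported Sygate Personal Firewall records quoted above, grouping blocked inbound hits by source address and destination port. The column meanings (including the "3" as a hit count followed by begin and end times) are assumptions read off the six quoted records, and the sample data is those records re-joined one per line.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

SAMPLE = """\
1476 11/07/2002 13:33:16 Blocked TCP Incoming 200.168.1.105 3950 200.255.184.111 3659 3 11/07/2002 13:32:05 11/07/2002 13:32:14 Block_all
1478 11/07/2002 13:34:02 Blocked TCP Incoming 200.168.1.105 3992 200.255.184.111 3659 3 11/07/2002 13:32:48 11/07/2002 13:32:57 Block_all
1480 11/07/2002 13:37:28 Blocked TCP Incoming 200.168.1.105 4069 200.255.184.111 3659 3 11/07/2002 13:36:18 11/07/2002 13:36:27 Block_all
1481 11/07/2002 13:38:09 Blocked TCP Incoming 200.168.1.105 4095 200.255.184.111 3659 3 11/07/2002 13:36:54 11/07/2002 13:37:03 Block_all
1482 11/07/2002 13:38:29 Blocked TCP Incoming 200.168.1.105 4117 200.255.184.111 3659 3 11/07/2002 13:37:17 11/07/2002 13:37:26 Block_all
1483 11/07/2002 13:38:50 Blocked TCP Incoming 200.168.1.105 4139 200.255.184.111 3659 3 11/07/2002 13:37:37 11/07/2002 13:37:46 Block_all
"""  # the six quoted records, re-joined one per line

FIELDS = ("id", "log_date", "log_time", "action", "proto", "direction", "src", "sport",
          "dst", "dport", "count", "begin_date", "begin_time", "end_date", "end_time", "rule")
TS = "%m/%d/%Y %H:%M:%S"

def parse(text):
    """Yield dicts for well-formed records; column meanings are assumed from the quoted log."""
    for line in text.splitlines():
        tok = line.lstrip("> ").split()          # tolerate mail quote markers
        if len(tok) != len(FIELDS) or not tok[0].isdigit():
            continue                             # skips "[snip]" and wrapped fragments
        r = dict(zip(FIELDS, tok))
        try:
            r["begin"] = datetime.strptime(f"{r['begin_date']} {r['begin_time']}", TS)
            r["end"] = datetime.strptime(f"{r['end_date']} {r['end_time']}", TS)
            r["sport"], r["dport"], r["count"] = int(r["sport"]), int(r["dport"]), int(r["count"])
        except ValueError:
            continue
        yield r

def summarize(records):
    """Group blocked inbound records by (source address, destination port)."""
    groups = defaultdict(list)
    for r in records:
        if r["action"] == "Blocked" and r["direction"] == "Incoming":
            groups[(r["src"], r["dport"])].append(r)
    out = {}
    for key, rs in groups.items():
        rs.sort(key=lambda r: r["begin"])
        gaps = [(b["begin"] - a["begin"]).total_seconds() for a, b in zip(rs, rs[1:])]
        out[key] = {
            "records": len(rs), "hits": sum(r["count"] for r in rs),
            "src_ports": [r["sport"] for r in rs],   # in order of first hit
            "spans_s": sorted({(r["end"] - r["begin"]).total_seconds() for r in rs}),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return out
```

On the six quoted records every entry is 3 hits spread over 9 seconds from a new, higher source port. If the count column is packets, that is the pattern of a single TCP connection attempt whose SYN is retransmitted after 3 s and again after 6 s.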



