[Dshield] Scans on port 3659?

Tom Liston tliston at premmag.com
Fri Nov 8 17:40:56 GMT 2002


I looked yesterday, and I can't find anything that uses port 3659.

Sorry... I haven't a clue what this could be.

-TL

On 8 Nov 2002 at 11:58, Andre Costa wrote:

> Hi all,
> 
> I feel silly to reply to my own post, but TCP traffic to my port 3659
> keeps coming (1584 times in the last 48h on Linux only -- if I add hits
> while I've been on Win2k on the same machine, this would scale up). Is
> this legitimate traffic? If not, is this a known exploit?
> 
> TIA,
> 
> Andre
> 
> On Thu, 7 Nov 2002 14:53:01 -0200
> André Costa <brblueser at uol.com.br> wrote:
> 
> > Hi all,
> > 
> > I am new to this list and to firewall maintenance in general, so
> > please bear with any stupid thing I might say ;) Also, if this is not
> > the right place for such questions, I apologize; please direct me
> > somewhere else.
> > 
> > I have a dual boot machine here at home, with Win2k Pro and RH Linux
> > 7.1 (kernel 2.4.19), connected to a cablemodem. I have Sygate Personal
> > Firewall on Win2k and iptables on Linux, both seem to be working fine.
> > 
> > For the last two days I've been blocking TCP scans on my port 3659
> > like hell. These seem to come from different ports on the same
> > machines as in: (taken from exported SPF logs)
> > 
> > [snip]
> > 1476  11/07/2002 13:33:16  Blocked TCP  Incoming  200.168.1.105  3950  200.255.184.111  3659  3  11/07/2002 13:32:05  11/07/2002 13:32:14  Block_all
> > 1478  11/07/2002 13:34:02  Blocked TCP  Incoming  200.168.1.105  3992  200.255.184.111  3659  3  11/07/2002 13:32:48  11/07/2002 13:32:57  Block_all
> > 1480  11/07/2002 13:37:28  Blocked TCP  Incoming  200.168.1.105  4069  200.255.184.111  3659  3  11/07/2002 13:36:18  11/07/2002 13:36:27  Block_all
> > 1481  11/07/2002 13:38:09  Blocked TCP  Incoming  200.168.1.105  4095  200.255.184.111  3659  3  11/07/2002 13:36:54  11/07/2002 13:37:03  Block_all
> > 1482  11/07/2002 13:38:29  Blocked TCP  Incoming  200.168.1.105  4117  200.255.184.111  3659  3  11/07/2002 13:37:17  11/07/2002 13:37:26  Block_all
> > 1483  11/07/2002 13:38:50  Blocked TCP  Incoming  200.168.1.105  4139  200.255.184.111  3659  3  11/07/2002 13:37:37  11/07/2002 13:37:46  Block_all
> > [snip]
> > 
> > But it also comes from different sources as well (many times a day,
> > sometimes a few minutes apart).
> > 
> > I tried Google for info on recent activity on this port, but found
> > nothing. No luck here either:
> > http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
> > 
> > Anybody out there experiencing the same? Should I report it somewhere?
> > 
> > TIA,
> > 
> > Andre
> > 
> > 
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> 
> 
> -- 
> Andre Oliveira da Costa
> 