[Dshield] Scans on port 3659?
ed.truitt at etee2k.net
Fri Nov 8 17:47:17 GMT 2002
Have you tried running the netstat command to see if you have anything
listening on that port? If you don't have something listening, then it is
probably not legit traffic. If you do, then you need to look at what it is
and determine if it is legit or not.
Port 3659 is not assigned according to IANA.
PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
"Note to spammers: my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
----- Original Message -----
From: "Andre Costa" <brblueser at uol.com.br>
To: <list at dshield.org>
Sent: Friday, November 08, 2002 7:58 AM
Subject: Re: [Dshield] Scans on port 3659?
> Hi all,
> I feel silly to reply to my own post, but TCP traffic to my port 3659
> keeps coming (1584 times on the last 48h on Linux only -- if I add hits
> while I've been on Win2k on the same machine, this would scale up). Is
> this legitimate traffic? If not, is this a known exploit?
> On Thu, 7 Nov 2002 14:53:01 -0200
> André Costa <brblueser at uol.com.br> wrote:
> > Hi all,
> > I am new to this list and to firewall maintenance in general, so
> > please bear with any stupid thing I might say ;) Also, if this is not
> > the right place for such questions, please apologize and direct me
> > somewhere else.
> > I have a dual boot machine here at home, with Win2k Pro and RH Linux
> > 7.1 (kernel 2.4.19), connected to a cablemodem. I have Sygate Personal
> > Firewall on Win2k and iptables on Linux, both seem to be working fine.
> > For the last two days I've been blocking TCP scans on my port 3659
> > like hell. These seem to come from different ports on the same
> > machines as in: (taken from exported SPF logs)
> > [snip]
> > 1476 11/07/2002 13:33:16 Blocked TCP Incoming 126.96.36.199 3950 188.8.131.52 3659 3 11/07/2002 13:32:05 11/07/2002 13:32:14 Block_all
> > 1478 11/07/2002 13:34:02 Blocked TCP Incoming 184.108.40.206 3992 220.127.116.11 3659 3 11/07/2002 13:32:48 11/07/2002 13:32:57 Block_all
> > 1480 11/07/2002 13:37:28 Blocked TCP Incoming 18.104.22.168 4069 22.214.171.124 3659 3 11/07/2002 13:36:18 11/07/2002 13:36:27 Block_all
> > 1481 11/07/2002 13:38:09 Blocked TCP Incoming 126.96.36.199 4095 188.8.131.52 3659 3 11/07/2002 13:36:54 11/07/2002 13:37:03 Block_all
> > 1482 11/07/2002 13:38:29 Blocked TCP Incoming 184.108.40.206 4117 220.127.116.11 3659 3 11/07/2002 13:37:17 11/07/2002 13:37:26 Block_all
> > 1483 11/07/2002 13:38:50 Blocked TCP Incoming 18.104.22.168 4139 22.214.171.124 3659 3 11/07/2002 13:37:37 11/07/2002 13:37:46 Block_all
> > [snip]
> > But it also comes from different sources as well (many times a day,
> > sometimes a few minutes apart).
> > I tried Google for info on recent activity on this port, but found
> > nothing. No luck here either:
> > http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
> > Anybody out there experiencing the same? Should I report it somewhere?
> > TIA,
> > Andre
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> Andre Oliveira da Costa
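Added example, not part of the original thread: one way to carry out the netstat check suggested in the reply, matching the port exactly and only in a listening state, so that a plain text search for "3659" is not fooled by port 33659 or by an outbound connection to a remote port 3659. The function names and both sample netstat outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: exact-match listener check over `netstat -an` output.
# Function names and both sample outputs are constructed for illustration.

# listeners_on_port PORT
# Reads `netstat -an` text on stdin (Linux net-tools or Windows layout) and
# prints the local address of every TCP socket in a listening state on PORT.
listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^(tcp|TCP)/ && $NF ~ /^LISTEN(ING)?$/ {
            # Windows has the local address in column 2; on Linux columns
            # 2 and 3 are Recv-Q/Send-Q and the address is column 4.
            addr = ($2 ~ /:/) ? $2 : $4
            p = addr
            sub(/.*:/, "", p)      # keep only what follows the last ":"
            if (p + 0 == port + 0) print addr
        }'
}

# port_status PORT: summarise stdin; exit status 0 only if a listener exists.
port_status() {
    found=$(listeners_on_port "$1")
    if [ -n "$found" ]; then
        echo "tcp/$1: listener on $found - identify the owning process"
        return 0
    fi
    echo "tcp/$1: nothing listening"
    return 1
}

sample_linux() {   # constructed sample, Linux `netstat -an` layout
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:13659         0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:33659        198.51.100.7:80         ESTABLISHED
udp        0      0 0.0.0.0:3659            0.0.0.0:*
EOF
}

sample_windows() { # constructed sample, Windows `netstat -an` layout
cat <<'EOF'
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3659           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1043        198.51.100.7:3659      ESTABLISHED
EOF
}

sample_linux   | port_status 3659 || true
sample_windows | port_status 3659 || true
# On a live host: netstat -an | port_status 3659
```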