[Dshield] Scans on port 3659?
ed.truitt at etee2k.net
Fri Nov 8 17:47:17 GMT 2002
Have you tried running the netstat command to see if you have anything
listening on that port? If you don't have something listening, then it is
probably not legit traffic. If you do, then you need to look at what it is
and determine if it is legit or not.
Port 3659 is not assigned according to IANA.
PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
"Note to spammers: my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
----- Original Message -----
From: "Andre Costa" <brblueser at uol.com.br>
To: <list at dshield.org>
Sent: Friday, November 08, 2002 7:58 AM
Subject: Re: [Dshield] Scans on port 3659?
> Hi all,
> I feel silly to reply to my own post, but TCP traffic to my port 3659
> keeps coming (1584 times in the last 48h on Linux only -- if I add hits
> while I've been on Win2k on the same machine, this would scale up). Is
> this legitimate traffic? If not, is this a known exploit?
> On Thu, 7 Nov 2002 14:53:01 -0200
> André Costa <brblueser at uol.com.br> wrote:
> > Hi all,
> > I am new to this list and to firewall maintenance in general, so
> > please bear with any stupid thing I might say ;) Also, if this is not
> > the right place for such questions, please apologize and direct me
> > somewhere else.
> > I have a dual boot machine here at home, with Win2k Pro and RH Linux
> > 7.1 (kernel 2.4.19), connected to a cablemodem. I have Sygate Personal
> > Firewall on Win2k and iptables on Linux, both seem to be working fine.
> > For the last two days I've been blocking TCP scans on my port 3659
> > like hell. These seem to come from different ports on the same
> > machines as in: (taken from exported SPF logs)
> > [snip]
> > 1476 11/07/2002 13:33:16 Blocked TCP Incoming 220.127.116.11 3950 18.104.22.168 3659 3 11/07/2002 13:32:05 11/07/2002 13:32:14 Block_all
> > 1478 11/07/2002 13:34:02 Blocked TCP Incoming 22.214.171.124 3992 126.96.36.199 3659 3 11/07/2002 13:32:48 11/07/2002 13:32:57 Block_all
> > 1480 11/07/2002 13:37:28 Blocked TCP Incoming 188.8.131.52 4069 184.108.40.206 3659 3 11/07/2002 13:36:18 11/07/2002 13:36:27 Block_all
> > 1481 11/07/2002 13:38:09 Blocked TCP Incoming 220.127.116.11 4095 18.104.22.168 3659 3 11/07/2002 13:36:54 11/07/2002 13:37:03 Block_all
> > 1482 11/07/2002 13:38:29 Blocked TCP Incoming 22.214.171.124 4117 126.96.36.199 3659 3 11/07/2002 13:37:17 11/07/2002 13:37:26 Block_all
> > 1483 11/07/2002 13:38:50 Blocked TCP Incoming 188.8.131.52 4139 184.108.40.206 3659 3 11/07/2002 13:37:37 11/07/2002 13:37:46 Block_all
> > [snip]
> > But it also comes from different sources as well (many times a day,
> > sometimes a few minutes apart).
> > I tried Google for info on recent activity on this port, but found
> > nothing. No luck here either:
> > http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
> > Anybody out there experiencing the same? Should I report it somewhere?
> > TIA,
> > Andre
> Andre Oliveira da Costa
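The netstat check suggested in the reply above, as an added example that is not part of either post: it reads `netstat -an` output in the Linux or Windows layout and returns only sockets that are actually listening on the port, matching the port number exactly. The sample output and its addresses are constructed, and the function names are hypothetical.

```python
import subprocess

# Constructed sample `netstat -an` output (not from the thread): Linux-style
# rows first, then Windows-style rows, combined so both layouts are exercised.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3659            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:36590        198.51.100.7:80         ESTABLISHED
tcp        0      0 192.0.2.10:1042         198.51.100.9:3659       ESTABLISHED
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3659           0.0.0.0:0              LISTENING
"""


def listeners(netstat_text, port):
    """Return local addresses of TCP sockets listening on `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip headers, UDP rows and the Unix-socket section.
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        # State is the last column: LISTEN on Linux, LISTENING on Windows.
        if not fields[-1].upper().startswith("LISTEN"):
            continue
        # Local address is the column before the foreign address.
        local = fields[-3]
        # Compare the port exactly, so local port 36590 or a connection to
        # a remote :3659 is not mistaken for a listener (a plain grep would
        # match both).
        if local.rsplit(":", 1)[-1] == str(port):
            found.append(local)
    return found


def check_live(port=3659):
    """Run netstat on this machine and return listeners on `port`."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    return listeners(out, port)


if __name__ == "__main__":
    print(listeners(SAMPLE, 3659))
```

An empty list from `check_live()` means nothing on the host is bound to the port, so the blocked inbound connections are unsolicited.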