[Dshield] Scans on port 3659?

ALEPH0 aleph0 at pacbell.net
Fri Nov 8 19:24:31 GMT 2002


Do a netstat.  The "-p" option (under linux) will give you PIDs and program
names for your listeners.  If you aren't listening on that port, it might be
yet another trojan port that someone is trawling for infectees.

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
Ed Truitt
Sent: Friday, November 08, 2002 9:47 AM
To: list at dshield.org
Subject: Re: [Dshield] Scans on port 3659?


Have you tried running the netstat command to see if you have anything
listening on that port?  If you don't have something listening, then it is
probably not legit traffic.  If you do, then you need to look at what it is
and determine if it is legit or not.

Port 3659 is not assigned according to IANA.

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

----- Original Message -----
From: "Andre Costa" <brblueser at uol.com.br>
To: <list at dshield.org>
Sent: Friday, November 08, 2002 7:58 AM
Subject: Re: [Dshield] Scans on port 3659?


> Hi all,
>
> I feel silly to reply to my own post, but TCP traffic to my port 3659
> keeps coming (1584 times in the last 48h on Linux only -- if I add hits
> while I've been on Win2k on the same machine, this would scale up). Is
> this legitimate traffic? If not, is this a known exploit?
>
> TIA,
>
> Andre
>
> On Thu, 7 Nov 2002 14:53:01 -0200
> André Costa <brblueser at uol.com.br> wrote:
>
> > Hi all,
> >
> > I am new to this list and to firewall maintenance in general, so
> > please bear with any stupid thing I might say ;) Also, if this is not
> > the right place for such questions, please apologize and direct me
> > somewhere else.
> >
> > I have a dual boot machine here at home, with Win2k Pro and RH Linux
> > 7.1(kernel 2.4.19), connected to a cablemodem. I have Sygate Personal
> > Firewall on Win2k and iptables on Linux, both seem to be working fine.
> >
> > For the last two days I've been blocking TCP scans on my port 3659
> > like hell. These seem to come from different ports on the same
> > machines as in (taken from exported SPF logs):
> >
> > [snip]
> > 1476    11/07/2002 13:33:16     Blocked TCP     Incoming    200.168.1.105   3950    200.255.184.111 3659            3    11/07/2002 13:32:05     11/07/2002 13:32:14    Block_all
> > 1478    11/07/2002 13:34:02     Blocked TCP     Incoming    200.168.1.105   3992    200.255.184.111 3659            3    11/07/2002 13:32:48     11/07/2002 13:32:57    Block_all
> > 1480    11/07/2002 13:37:28     Blocked TCP     Incoming    200.168.1.105   4069    200.255.184.111 3659            3    11/07/2002 13:36:18     11/07/2002 13:36:27    Block_all
> > 1481    11/07/2002 13:38:09     Blocked TCP     Incoming    200.168.1.105   4095    200.255.184.111 3659            3    11/07/2002 13:36:54     11/07/2002 13:37:03    Block_all
> > 1482    11/07/2002 13:38:29     Blocked TCP     Incoming    200.168.1.105   4117    200.255.184.111 3659            3    11/07/2002 13:37:17     11/07/2002 13:37:26    Block_all
> > 1483    11/07/2002 13:38:50     Blocked TCP     Incoming    200.168.1.105   4139    200.255.184.111 3659            3    11/07/2002 13:37:37     11/07/2002 13:37:46    Block_all
> > [snip]
> >
> > But it also comes from different sources as well (many times a day,
> > sometimes a few minutes apart).
> >
> > I tried Google for info on recent activity on this port, but found
> > nothing. No luck here either:
> > http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
> >
> > Anybody out there experiencing the same? Should I report it somewhere?
> >
> > TIA,
> >
> > Andre
> >
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.410 / Virus Database: 231 - Release Date: 31/10/2002
> >
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
>
>
> --
> Andre Oliveira da Costa
>

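As an added example (not part of any post in this thread), here is a small Python script that parses the exported Sygate Personal Firewall records quoted above, with the wrapped lines rejoined, and groups the blocked inbound hits by source host and destination port, so a host that keeps probing one port from climbing client ports stands out. The sample log, the second source address 203.0.113.7, the "Allowed"/"Allow_web" line and the assumed column layout are constructed from the format shown in the post, not taken from the poster's logs.

```python
import re
from collections import defaultdict

# One SPF export record as quoted in the post (wrapped lines rejoined): id, timestamp,
# action, proto, direction, src, sport, dst, dport, packet count, first/last seen, rule.
_RECORD = re.compile(
    r"^(?P<id>\d+)\s+(?P<when>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+"
    r"(?P<action>Blocked|Allowed)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<dir>Incoming|Outgoing)\s+(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+(?P<count>\d+)\s+.*?(?P<rule>\S+)$"
)

# Constructed sample in that format: three hits from the host quoted in the post, one from
# a second (documentation-range) address, one allowed web connection, one malformed line.
SAMPLE_LOG = """\
1476  11/07/2002 13:33:16  Blocked TCP  Incoming  200.168.1.105  3950  200.255.184.111  3659    3  11/07/2002 13:32:05  11/07/2002 13:32:14  Block_all
1478  11/07/2002 13:34:02  Blocked TCP  Incoming  200.168.1.105  3992  200.255.184.111  3659    3  11/07/2002 13:32:48  11/07/2002 13:32:57  Block_all
1480  11/07/2002 13:37:28  Blocked TCP  Incoming  200.168.1.105  4069  200.255.184.111  3659    3  11/07/2002 13:36:18  11/07/2002 13:36:27  Block_all
1490  11/07/2002 14:02:11  Blocked TCP  Incoming  203.0.113.7    1027  200.255.184.111  3659    3  11/07/2002 14:01:00  11/07/2002 14:01:09  Block_all
1491  11/07/2002 14:05:40  Allowed TCP  Incoming  203.0.113.7    1030  200.255.184.111  80      1  11/07/2002 14:05:40  11/07/2002 14:05:40  Allow_web
this line is not an SPF record
"""

def parse_spf(lines):
    """Yield one dict per well-formed record; non-matching lines are skipped."""
    for line in lines:
        m = _RECORD.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "count"):
                rec[key] = int(rec[key])
            yield rec

def summarise(records, direction="Incoming", action="Blocked"):
    """Group blocked inbound hits by (source host, destination port)."""
    groups = defaultdict(list)
    for r in records:
        if r["dir"] == direction and r["action"] == action:
            groups[(r["src"], r["dport"])].append(r)
    return {key: {"attempts": len(rs),                       # log lines (connection attempts)
                  "packets": sum(r["count"] for r in rs),    # SPF's per-line count: SYN plus retries
                  "sport_min": min(r["sport"] for r in rs),  # span of client ports seen
                  "sport_max": max(r["sport"] for r in rs)}
            for key, rs in groups.items()}

if __name__ == "__main__":
    for (src, dport), s in sorted(summarise(parse_spf(SAMPLE_LOG.splitlines())).items()):
        print(f"{src} -> port {dport}: {s['attempts']} attempts, {s['packets']} packets, client ports {s['sport_min']}-{s['sport_max']}")
```

A destination port with many attempts from one source and steadily rising client ports, as in the quoted log, is the signature of a repeated probe rather than a service you are running; pair the summary with netstat's listener list to confirm nothing local is answering on that port.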