[Dshield] Scans on port 3659?

Russell Washington russ.washington at vaultsentry.com
Fri Nov 8 20:10:01 GMT 2002


Dumb suggestion, but it could be a game port... Google search turned up a
reference to some game called "Delta Force" listening on port 3568-3569.  If
someone (incorrectly) thinks your IP is supposed to be listening, maybe
they're trying to talk to it?

-----Original Message-----
From: Andre Costa [mailto:brblueser at uol.com.br] 
Sent: Friday, November 08, 2002 11:44 AM
To: list at dshield.org
Subject: Re: [Dshield] Scans on port 3659?


Thks for replying, Ed (you too, Tom),

On Fri, 8 Nov 2002 11:47:17 -0600
"Ed Truitt" <ed.truitt at etee2k.net> wrote:

> Have you tried running the netstat command to see if you have anything 
> listening on that port?  If you don't have something listening, then 
> it is probably not legit traffic.  If you do, then you need to look at 
> what it is and determine if it is legit or not.

Although this would be a good explanation (even for these scans happening
more when I am on Linux than on Winblows), I don't have anything listening
on port 3659:

~ netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 shadow.home:953         *:*                     LISTEN      509/named

> Port 3659 is not assigned according to IANA.

Right, I had checked that. This just makes it even more strange... since my
last post, I have suffered 196 new scans. Some statistics:

* first scan happened Nov  6 12:16:36 (GMT -0300)

* 163 different sites scanned my port 3659 TCP since then

* 200.168.1.105 is top scanner, appearing 117 times on logs. It scanned from
39 different ports -- EXACTLY 3 TIMES FOR EACH PORT. Aside from rare changes
on the MO, each source port is tried 3 times in a row, with 3 seconds
between attempts #1 and #2, and 6s between #2 and #3.

I don't know, but this smells odd...

Any other ideas?

Thks for your attention,

Andre

> ----- Original Message -----
> From: "Andre Costa" <brblueser at uol.com.br>
> To: <list at dshield.org>
> Sent: Friday, November 08, 2002 7:58 AM
> Subject: Re: [Dshield] Scans on port 3659?
> 
> 
> > Hi all,
> >
> > I feel silly to reply to my own post, but TCP traffic to my port 
> > 3659 keeps coming (1584 times on the last 48h on Linux only -- if I 
> > add hits while I've been on Win2k on the same machine, this would 
> > scale up). Is this legitimate traffic? If not, is this a known 
> > exploit?
> >
> > TIA,
> >
> > Andre
> >
> > On Thu, 7 Nov 2002 14:53:01 -0200
> > André Costa <brblueser at uol.com.br> wrote:
> >
> > > Hi all,
> > >
> > > I am new to this list and to firewall maintenance in general, so 
> > > please bear with any stupid thing I might say ;) Also, if this is 
> > > not the right place for such questions, please apologize and 
> > > direct me somewhere else.
> > >
> > > I have a dual boot machine here at home, with Win2k Pro and RH 
> > > > Linux 7.1 (kernel 2.4.19), connected to a cablemodem. I have Sygate 
> > > Personal Firewall on Win2k and iptables on Linux, both seem to be 
> > > working fine.
> > >
> > > For the last two days I've been blocking TCP scans on my port 3659 
> > > like hell. These seem to come from different ports on the same 
> > > > machines as in: (taken from exported SPF logs)
> > >
> > > [snip]
> > > 1476    11/07/2002 13:33:16     Blocked TCP     Incoming
> > > 200.168.1.105   3950    200.255.184.111 3659            3
> > > 11/07/2002 13:32:05     11/07/2
> > > 002 13:32:14    Block_all
> > > 1478    11/07/2002 13:34:02     Blocked TCP     Incoming
> > > 200.168.1.105   3992    200.255.184.111 3659            3
> > > 11/07/2002 13:32:48     11/07/2
> > > 002 13:32:57    Block_all
> > > 1480    11/07/2002 13:37:28     Blocked TCP     Incoming
> > > 200.168.1.105   4069    200.255.184.111 3659            3
> > > 11/07/2002 13:36:18     11/07/2
> > > 002 13:36:27    Block_all
> > > 1481    11/07/2002 13:38:09     Blocked TCP     Incoming
> > > 200.168.1.105   4095    200.255.184.111 3659            3
> > > 11/07/2002 13:36:54     11/07/2
> > > 002 13:37:03    Block_all
> > > 1482    11/07/2002 13:38:29     Blocked TCP     Incoming
> > > 200.168.1.105   4117    200.255.184.111 3659            3
> > > 11/07/2002 13:37:17     11/07/2
> > > 002 13:37:26    Block_all
> > > 1483    11/07/2002 13:38:50     Blocked TCP     Incoming
> > > 200.168.1.105   4139    200.255.184.111 3659            3
> > > 11/07/2002 13:37:37     11/07/2
> > > 002 13:37:46    Block_all
> > > [snip]
> > >
> > > But it also comes from different sources as well (many times a 
> > > day, sometimes a few minutes apart).
> > >
> > > I tried Google for info on recent activity on this port, but found 
> > > > nothing. No luck here either: 
> > > > http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
> > >
> > > Anybody out there experiencing the same? Should I report it 
> > > somewhere?
> > >
> > > TIA,
> > >
> > > Andre
> > >
> > >
> > > ---
> > > Outgoing mail is certified Virus Free.
> > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > Version: 6.0.410 / Virus Database: 231 - Release Date: 31/10/2002
> > >
> > > _______________________________________________
> > > Dshield mailing list
> > > Dshield at dshield.org
> > > To change your subscription options (or unsubscribe), see: 
> > > http://www.dshield.org/mailman/listinfo/list
> >
> >
> > --
> > Andre Oliveira da Costa
> >


-- 
Andre Oliveira da Costa
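
Added example (not part of any poster's message): a check of whether the blocked records quoted in the thread fit the "3 tries, 3 s then 6 s apart" pattern described above, which is what a TCP stack retrying one unanswered SYN with a doubling timeout produces. The column meanings of the Sygate log and the 3-second initial timeout are assumptions; the records are the ones from the thread, rejoined one per line.

```python
from collections import defaultdict
from datetime import datetime

# Records from the thread's log excerpt. Assumed columns: id, logged-at,
# action, direction, src IP, src port, dst IP, dst port, occurrence count,
# first seen, last seen, rule name.
SAMPLE_LOG = """\
1476 11/07/2002 13:33:16 Blocked TCP Incoming 200.168.1.105 3950 200.255.184.111 3659 3 11/07/2002 13:32:05 11/07/2002 13:32:14 Block_all
1478 11/07/2002 13:34:02 Blocked TCP Incoming 200.168.1.105 3992 200.255.184.111 3659 3 11/07/2002 13:32:48 11/07/2002 13:32:57 Block_all
1480 11/07/2002 13:37:28 Blocked TCP Incoming 200.168.1.105 4069 200.255.184.111 3659 3 11/07/2002 13:36:18 11/07/2002 13:36:27 Block_all
1481 11/07/2002 13:38:09 Blocked TCP Incoming 200.168.1.105 4095 200.255.184.111 3659 3 11/07/2002 13:36:54 11/07/2002 13:37:03 Block_all
1482 11/07/2002 13:38:29 Blocked TCP Incoming 200.168.1.105 4117 200.255.184.111 3659 3 11/07/2002 13:37:17 11/07/2002 13:37:26 Block_all
1483 11/07/2002 13:38:50 Blocked TCP Incoming 200.168.1.105 4139 200.255.184.111 3659 3 11/07/2002 13:37:37 11/07/2002 13:37:46 Block_all
"""

def expected_span(attempts, initial_rto=3):
    """Seconds from first to last SYN when the timeout doubles on each retry."""
    return initial_rto * (2 ** (attempts - 1) - 1)

def parse(line):
    """Return one record as a dict, or None for lines that do not fit the layout."""
    f = line.split()
    if len(f) != 16 or f[3:6] != ["Blocked", "TCP", "Incoming"]:
        return None
    fmt = "%m/%d/%Y %H:%M:%S"
    try:
        first = datetime.strptime(f[11] + " " + f[12], fmt)
        last = datetime.strptime(f[13] + " " + f[14], fmt)
    except ValueError:
        return None
    return {"src": f[6], "sport": int(f[7]), "dport": int(f[9]),
            "count": int(f[10]), "span": int((last - first).total_seconds())}

def classify(log_text, dport=3659):
    """Per source IP: source ports seen and how many records fit the backoff."""
    summary = defaultdict(lambda: {"ports": set(), "records": 0, "retransmit_like": 0})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["dport"] != dport:
            continue
        entry = summary[rec["src"]]
        entry["ports"].add(rec["sport"])
        entry["records"] += 1
        if rec["span"] == expected_span(rec["count"]):
            entry["retransmit_like"] += 1
    return dict(summary)
```

Records that fit the backoff look like single connection attempts retried by an ordinary TCP stack, one per source port; the check says nothing about why the remote host is trying to connect.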
