[Dshield] Scans on port 3659?

Ed Truitt ed.truitt at etee2k.net
Fri Nov 8 20:46:54 GMT 2002


Actually, the "3 times" is normal behavior - if your system tries to open a
connection, and gets no response, then the network stack will try up to 2
more times, just in case the connection request (or the response) got lost.
So, it is trying to connect to the port, your firewall is DROPping the
connection request, and since the source didn't get a reply it tries again -
and again - then gives up.  That gives you the 3 probes.

BTW, the only thing open on that IP (a DSL-connected in Brazil) is port 80 -
checking for "index.html" produced a timeout, leading me to believe it may
be an HTTP proxy server.

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

----- Original Message -----
From: "Andre Costa" <brblueser at uol.com.br>
To: <list at dshield.org>
Sent: Friday, November 08, 2002 1:43 PM
Subject: Re: [Dshield] Scans on port 3659?
[snip]
> * 200.168.1.105 is top scanner, appearing 117 times on logs. It scanned
> from 39 different ports -- EXACTLY 3 TIMES FOR EACH PORT. Aside from
> rare changes on the MO, each source port is tried 3 times in a row, with
> 3 seconds between attempts #1 and #2, and 6s between #2 and #3.
>
> I don't know, but this smells odd...
>
> Any other ideas?
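
The retry pattern discussed in this thread can be checked mechanically before counting "probes". The following is an added example, not part of the original posts: it groups dropped-SYN log entries by source address, source port and destination port, and marks a group as one retransmitted connection attempt when the gaps follow the 3s/6s doubling described above. The tuple log format, the timestamps and the source ports are constructed, the 3-second initial timeout is taken from the quoted observation, and source-port reuse over long periods is ignored.

```python
from collections import defaultdict

# Constructed sample: (seconds, source IP, source port, destination port)
# for inbound SYNs dropped by the firewall. Only the IP and port 3659
# come from the thread; everything else is made up for illustration.
SAMPLE = [
    (0, "200.168.1.105", 4001, 3659),
    (3, "200.168.1.105", 4001, 3659),
    (9, "200.168.1.105", 4001, 3659),
    (20, "200.168.1.105", 4002, 3659),
    (23, "200.168.1.105", 4002, 3659),
    (29, "200.168.1.105", 4002, 3659),
    (40, "200.168.1.105", 4003, 3659),
    (41, "200.168.1.105", 4003, 3659),  # 1s gap: not the backoff pattern
]


def is_backoff(times, initial_rto=3.0, tolerance=1.0):
    """True if successive gaps are initial_rto, 2*initial_rto, 4*initial_rto, ..."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not gaps:
        return False  # a single packet was never retried
    return all(abs(g - initial_rto * 2 ** i) <= tolerance
               for i, g in enumerate(gaps))


def summarize(events):
    """Per source IP: logged packets, distinct attempts, attempts that were retries."""
    flows = defaultdict(list)
    for ts, src, sport, dport in sorted(events):
        flows[(src, sport, dport)].append(ts)

    report = defaultdict(lambda: {"packets": 0, "attempts": 0, "retried": 0})
    for (src, _sport, _dport), times in flows.items():
        entry = report[src]
        entry["packets"] += len(times)
        entry["attempts"] += 1  # same ports = same connection attempt
        if is_backoff(times):
            entry["retried"] += 1
    return dict(report)


if __name__ == "__main__":
    for src, stats in summarize(SAMPLE).items():
        print(src, stats)
```

Attempts whose timing does not match the backoff (the last pair in the sample) are the ones worth a closer look, since they were not produced by an ordinary stack retrying a dropped SYN.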



