[Dshield] Scans on port 3659?

Tom Liston tliston at premmag.com
Fri Nov 8 21:41:55 GMT 2002


Can you put something like netcat listening on that port??

-TL

On 8 Nov 2002 at 17:43, Andre Costa wrote:

> Thks for replying, Ed (you too, Tom),
> 
> On Fri, 8 Nov 2002 11:47:17 -0600
> "Ed Truitt" <ed.truitt at etee2k.net> wrote:
> 
> > Have you tried running the netstat command to see if you have anything
> > listening on that port?  If you don't have something listening, then
> > it is probably not legit traffic.  If you do, then you need to look at
> > what it is and determine if it is legit or not.
> 
> Although this would be a good explanation (even for these scans
> happening more when I am on Linux than on Winblows), I don't have
> anything listening on port 3659:
> 
> ~ netstat -tap
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
> tcp        0      0 shadow.home:953         *:*                     LISTEN      509/named           
> 
> > Port 3659 is not assigned according to IANA.
> 
> Right, I had checked that. This just makes it even more strange... since
> my last post, I have suffered 196 new scans. Some statistics:
> 
> * first scan happened Nov  6 12:16:36 (GMT -0300)
> 
> * 163 different sites scanned my port 3659 TCP since then
> 
> * 200.168.1.105 is top scanner, appearing 117 times on logs. It scanned
> from 39 different ports -- EXACTLY 3 TIMES FOR EACH PORT. Aside from
> rare changes on the MO, each source port is tried 3 times in a row, with
> 3 seconds between attempts #1 and #2, and 6s between #2 and #3.
> 
> I don't know, but this smells odd...
> 
> Any other ideas?
> 
> Thks for your attention,
> 
> Andre
> 
> > ----- Original Message -----
> > From: "Andre Costa" <brblueser at uol.com.br>
> > To: <list at dshield.org>
> > Sent: Friday, November 08, 2002 7:58 AM
> > Subject: Re: [Dshield] Scans on port 3659?
> > 
> > 
> > > Hi all,
> > >
> > > I feel silly to reply to my own post, but TCP traffic to my port
> > > 3659 keeps coming (1584 times on the last 48h on Linux only -- if I
> > > add hits while I've been on Win2k on the same machine, this would
> > > scale up). Is this legitimate traffic? If not, is this a known
> > > exploit?
> > >
> > > TIA,
> > >
> > > Andre
> > >
> > > On Thu, 7 Nov 2002 14:53:01 -0200
> > > André Costa <brblueser at uol.com.br> wrote:
> > >
> > > > Hi all,
> > > >
> > > > I am new to this list and to firewall maintenance in general, so
> > > > please bear with any stupid thing I might say ;) Also, if this is
> > > > not the right place for such questions, please apologize and
> > > > direct me somewhere else.
> > > >
> > > > I have a dual boot machine here at home, with Win2k Pro and RH
> > > > Linux 7.1(kernel 2.4.19), connected to a cablemodem. I have Sygate
> > > > Personal Firewall on Win2k and iptables on Linux, both seem to be
> > > > working fine.
> > > >
> > > > For the last two days I've been blocking TCP scans on my port 3659
> > > > like hell. These seem to come from different ports on the same
> > > > machines, as in (taken from exported SPF logs):
> > > >
> > > > [snip]
> > > > 1476    11/07/2002 13:33:16     Blocked TCP     Incoming        200.168.1.105   3950    200.255.184.111 3659            3       11/07/2002 13:32:05     11/07/2002 13:32:14     Block_all
> > > > 1478    11/07/2002 13:34:02     Blocked TCP     Incoming        200.168.1.105   3992    200.255.184.111 3659            3       11/07/2002 13:32:48     11/07/2002 13:32:57     Block_all
> > > > 1480    11/07/2002 13:37:28     Blocked TCP     Incoming        200.168.1.105   4069    200.255.184.111 3659            3       11/07/2002 13:36:18     11/07/2002 13:36:27     Block_all
> > > > 1481    11/07/2002 13:38:09     Blocked TCP     Incoming        200.168.1.105   4095    200.255.184.111 3659            3       11/07/2002 13:36:54     11/07/2002 13:37:03     Block_all
> > > > 1482    11/07/2002 13:38:29     Blocked TCP     Incoming        200.168.1.105   4117    200.255.184.111 3659            3       11/07/2002 13:37:17     11/07/2002 13:37:26     Block_all
> > > > 1483    11/07/2002 13:38:50     Blocked TCP     Incoming        200.168.1.105   4139    200.255.184.111 3659            3       11/07/2002 13:37:37     11/07/2002 13:37:46     Block_all
> > > > [snip]
> > > >
> > > > But it also comes from different sources as well (many times a
> > > > day, sometimes a few minutes apart).
> > > >
> > > > I tried Google for info on recent activity on this port, but found
> > > > nothing. No luck here either:
> > > > http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
> > > >
> > > > Anybody out there experiencing the same? Should I report it
> > > > somewhere?
> > > >
> > > > TIA,
> > > >
> > > > Andre
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Dshield mailing list
> > > > Dshield at dshield.org
> > > > To change your subscription options (or unsubscribe), see:
> > > > http://www.dshield.org/mailman/listinfo/list
> > >
> > >
> > > --
> > > Andre Oliveira da Costa
> > >
> > >
> > 
> 
> 
> -- 
> Andre Oliveira da Costa
> 
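The thread stops at "put netcat on the port", so here is the log triage that the numbers in Andre's message invite. This is an added example, not code from the thread, from DShield or from Sygate. It assumes the SPF export field order visible in the quoted records (id, log time, action, direction, source IP and port, destination IP and port, count, first seen, last seen, rule) and the SYN retransmission timing of the Windows and Linux TCP stacks of that era (a retry after 3 s and another after a further 6 s). That timing is exactly the "3 times per source port, 3 s then 6 s" pattern Andre describes, and the SPF records already show it: count 3 over a 9-second first-seen/last-seen window. So each record is a single connection attempt that the firewall silently dropped and the remote stack retried, and the 196 "scans" are far fewer actual probes. The sample input is the six records quoted above, re-joined onto one line each.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the six SPF records quoted in the thread (constructed here as
# single lines; the archive had wrapped the "last seen" timestamp).
SPF_LOG = """\
[snip]
1476    11/07/2002 13:33:16     Blocked TCP     Incoming        200.168.1.105   3950    200.255.184.111 3659            3       11/07/2002 13:32:05     11/07/2002 13:32:14     Block_all
1478    11/07/2002 13:34:02     Blocked TCP     Incoming        200.168.1.105   3992    200.255.184.111 3659            3       11/07/2002 13:32:48     11/07/2002 13:32:57     Block_all
1480    11/07/2002 13:37:28     Blocked TCP     Incoming        200.168.1.105   4069    200.255.184.111 3659            3       11/07/2002 13:36:18     11/07/2002 13:36:27     Block_all
1481    11/07/2002 13:38:09     Blocked TCP     Incoming        200.168.1.105   4095    200.255.184.111 3659            3       11/07/2002 13:36:54     11/07/2002 13:37:03     Block_all
1482    11/07/2002 13:38:29     Blocked TCP     Incoming        200.168.1.105   4117    200.255.184.111 3659            3       11/07/2002 13:37:17     11/07/2002 13:37:26     Block_all
1483    11/07/2002 13:38:50     Blocked TCP     Incoming        200.168.1.105   4139    200.255.184.111 3659            3       11/07/2002 13:37:37     11/07/2002 13:37:46     Block_all
[snip]
"""

# Field layout is an assumption inferred from the quoted records, not a
# documented Sygate format.
TS = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
RECORD = re.compile(
    rf"^(?P<id>\d+)\s+(?P<logged>{TS})\s+(?P<action>\w+ (?:TCP|UDP))\s+"
    rf"(?P<direction>\w+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+"
    rf"(?P<dport>\d+)\s+(?P<count>\d+)\s+(?P<first>{TS})\s+(?P<last>{TS})\s+"
    rf"(?P<rule>\S+)\s*$"
)


def parse_ts(s):
    return datetime.strptime(s, "%m/%d/%Y %H:%M:%S")


def parse_spf(text):
    """Return one dict per parseable record; [snip] markers and junk are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        r = m.groupdict()
        for k in ("sport", "dport", "count"):
            r[k] = int(r[k])
        r["first"], r["last"] = parse_ts(r["first"]), parse_ts(r["last"])
        # Seconds between the first and last packet folded into this record.
        r["window_s"] = int((r["last"] - r["first"]).total_seconds())
        records.append(r)
    return records


def looks_like_syn_retransmit(rec, retries=3, window_s=9):
    """Initial SYN + retries at +3 s and +6 s: 3 packets inside 9 s (assumed stack timing)."""
    return rec["count"] == retries and rec["window_s"] == window_s


def summarize(records, dport):
    """Per source: raw packet count, distinct connection attempts (source ports),
    whether every record fits the retransmit profile, and gaps between attempts."""
    per_src = defaultdict(list)
    for r in records:
        if r["dport"] == dport:
            per_src[r["src"]].append(r)
    out = {}
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["first"])
        gaps = [int((b["first"] - a["first"]).total_seconds())
                for a, b in zip(recs, recs[1:])]
        out[src] = {
            "packets": sum(r["count"] for r in recs),
            "attempts": len({r["sport"] for r in recs}),
            "retransmit_pattern": all(looks_like_syn_retransmit(r) for r in recs),
            "gaps_s": gaps,
        }
    return out


if __name__ == "__main__":
    for src, s in summarize(parse_spf(SPF_LOG), 3659).items():
        print(f"{src}: {s['packets']} packets = {s['attempts']} attempts; "
              f"SYN-retransmit profile: {s['retransmit_pattern']}; gaps {s['gaps_s']}")
```

Run against the quoted records this reports 18 packets collapsing to 6 connection attempts from 200.168.1.105, every one matching the retransmit profile, with 20 s to 210 s between attempts. Because each record's count and window are the retransmit signature, a sensor that counts log lines (or packets) overstates the source's activity threefold; counting distinct source ports per source is the honest "attempts" metric, and a source whose records do not fit the profile (count 1, or a window that is not 9 s) is the one worth a closer look.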