[Dshield] Scans on port 3659?

Andre Costa brblueser at uol.com.br
Sat Nov 9 16:30:04 GMT 2002


... I can try. Must confess I have never used it. I have just installed
it and will try to use something useful. Thks for the help.

Best,

Andre

On Fri, 08 Nov 2002 15:41:55 -0600
Tom Liston <tliston at premmag.com> wrote:

> Can you put something like netcat listening on that port??
> 
> -TL
> 
> On 8 Nov 2002 at 17:43, Andre Costa wrote:
> 
> > Thks for replying, Ed (you too, Tom),
> > 
> > On Fri, 8 Nov 2002 11:47:17 -0600
> > "Ed Truitt" <ed.truitt at etee2k.net> wrote:
> > 
> > > Have you tried running the netstat command to see if you have
> > > anything listening on that port?  If you don't have something
> > > listening, then it is probably not legit traffic.  If you do, then
> > > you need to look at what it is and determine if it is legit or
> > > not.
> > 
> > Although this would be a good explanation (even for these scans
> > happening more when I am on Linux than on Winblows), I don't have
> > anything listening on port 3659:
> > 
> > ~ netstat -tap
> > Active Internet connections (servers and established)
> > Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> > tcp        0      0 shadow.home:953         *:*                     LISTEN      509/named
> > 
> > > Port 3659 is not assigned according to IANA.
> > 
> > Right, I had checked that. This just makes it even more strange...
> > since my last post, I have suffered 196 new scans. Some statistics:
> > 
> > * first scan happened Nov  6 12:16:36 (GMT -0300)
> > 
> > * 163 different sites scanned my port 3659 TCP since then
> > 
> > * 200.168.1.105 is top scanner, appearing 117 times on logs. It
> > scanned from 39 different ports -- EXACTLY 3 TIMES FOR EACH PORT.
> > Aside from rare changes on the MO, each source port is tried 3 times
> > in a row, with 3 seconds between attempts #1 and #2, and 6s between
> > #2 and #3.
> > 
> > I don't know, but this smells odd...
> > 
> > Any other ideas?
> > 
> > Thks for your attention,
> > 
> > Andre
> > 
> > > ----- Original Message -----
> > > From: "Andre Costa" <brblueser at uol.com.br>
> > > To: <list at dshield.org>
> > > Sent: Friday, November 08, 2002 7:58 AM
> > > Subject: Re: [Dshield] Scans on port 3659?
> > > 
> > > 
> > > > Hi all,
> > > >
> > > > I feel silly to reply to my own post, but TCP traffic to my port
> > > > 3659 keeps coming (1584 times on the last 48h on Linux only --
> > > > if I add hits while I've been on Win2k on the same machine, this
> > > > would scale up). Is this legitimate traffic? If not, is this a
> > > > known exploit?
> > > >
> > > > TIA,
> > > >
> > > > Andre
> > > >
> > > > On Thu, 7 Nov 2002 14:53:01 -0200
> > > > André Costa <brblueser at uol.com.br> wrote:
> > > >
> > > > > Hi all,
> > > > >
> > > > > I am new to this list and to firewall maintenance in general,
> > > > > so please bear with any stupid thing I might say ;) Also, if
> > > > > this is not the right place for such questions, please
> > > > > apologize and direct me somewhere else.
> > > > >
> > > > > I have a dual boot machine here at home, with Win2k Pro and RH
> > > > > Linux 7.1 (kernel 2.4.19), connected to a cablemodem. I have
> > > > > Sygate Personal Firewall on Win2k and iptables on Linux, both
> > > > > seem to be working fine.
> > > > >
> > > > > For the last two days I've been blocking TCP scans on my port
> > > > > 3659 like hell. These seem to come from different ports on the
> > > > > same machines as in: (taken from exported SPF logs)
> > > > >
> > > > > [snip]
> > > > > 1476    11/07/2002 13:33:16     Blocked TCP     Incoming        200.168.1.105   3950    200.255.184.111 3659            3       11/07/2002 13:32:05     11/07/2002 13:32:14     Block_all
> > > > > 1478    11/07/2002 13:34:02     Blocked TCP     Incoming        200.168.1.105   3992    200.255.184.111 3659            3       11/07/2002 13:32:48     11/07/2002 13:32:57     Block_all
> > > > > 1480    11/07/2002 13:37:28     Blocked TCP     Incoming        200.168.1.105   4069    200.255.184.111 3659            3       11/07/2002 13:36:18     11/07/2002 13:36:27     Block_all
> > > > > 1481    11/07/2002 13:38:09     Blocked TCP     Incoming        200.168.1.105   4095    200.255.184.111 3659            3       11/07/2002 13:36:54     11/07/2002 13:37:03     Block_all
> > > > > 1482    11/07/2002 13:38:29     Blocked TCP     Incoming        200.168.1.105   4117    200.255.184.111 3659            3       11/07/2002 13:37:17     11/07/2002 13:37:26     Block_all
> > > > > 1483    11/07/2002 13:38:50     Blocked TCP     Incoming        200.168.1.105   4139    200.255.184.111 3659            3       11/07/2002 13:37:37     11/07/2002 13:37:46     Block_all
> > > > > [snip]
> > > > >
> > > > > But it also comes from different sources as well (many times a
> > > > > day, sometimes a few minutes apart).
> > > > >
> > > > > I tried Google for info on recent activity on this port, but
> > > > > found nothing. No luck here either:
> > > > > http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
> > > > >
> > > > > Anybody out there experiencing the same? Should I report it
> > > > > somewhere?
> > > > >
> > > > > TIA,
> > > > >
> > > > > Andre
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Dshield mailing list
> > > > > Dshield at dshield.org
> > > > > To change your subscription options (or unsubscribe), see:
> > > > > http://www.dshield.org/mailman/listinfo/list
> > > >
> > > >
> > > > --
> > > > Andre Oliveira da Costa
> > > >
> > 
> > 
> > -- 
> > Andre Oliveira da Costa
> 


-- 
Andre Oliveira da Costa
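An added example, not part of the thread, that reads Sygate export lines in the layout quoted above and separates aggregated records (connection attempts) from raw hits. Each record's repeat count of 3 and its 9-second first-seen to last-seen span match the 3 s / 6 s spacing Andre describes, which is consistent with one SYN followed by two retransmissions of a single connection attempt rather than three independent probes. The column order and the regex are assumptions about the export format; the sample records are constructed from the values in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: four records in the layout of the Sygate Personal
# Firewall export quoted in the thread (values copied from the post).
SAMPLE_LOG = """\
[snip]
1476  11/07/2002 13:33:16  Blocked TCP Incoming 200.168.1.105 3950 200.255.184.111 3659  3  11/07/2002 13:32:05  11/07/2002 13:32:14  Block_all
1478  11/07/2002 13:34:02  Blocked TCP Incoming 200.168.1.105 3992 200.255.184.111 3659  3  11/07/2002 13:32:48  11/07/2002 13:32:57  Block_all
1480  11/07/2002 13:37:28  Blocked TCP Incoming 200.168.1.105 4069 200.255.184.111 3659  3  11/07/2002 13:36:18  11/07/2002 13:36:27  Block_all
1481  11/07/2002 13:38:09  Blocked TCP Incoming 200.168.1.105 4095 200.255.184.111 3659  3  11/07/2002 13:36:54  11/07/2002 13:37:03  Block_all
[snip]
"""

TS_FMT = "%m/%d/%Y %H:%M:%S"
TS = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
# Assumed column order: id, logged-at, action, proto, direction, src ip,
# src port, dst ip, dst port, repeat count, first seen, last seen, rule name.
RECORD = re.compile(
    rf"^(\d+)\s+({TS})\s+(\S+)\s+(\S+)\s+(\S+)\s+([\d.]+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s+"
    rf"(\d+)\s+({TS})\s+({TS})\s+(\S+)$"
)


def parse(text):
    """Return one dict per log record; lines that are not records are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        g = m.groups()
        records.append({
            "src": g[5], "sport": int(g[6]), "dport": int(g[8]), "count": int(g[9]),
            "begin": datetime.strptime(g[10], TS_FMT),
            "end": datetime.strptime(g[11], TS_FMT),
        })
    return records


def summarize(records, dport=3659):
    """Per source IP: aggregated records (attempts), raw hits, distinct source
    ports, and how many records look like one SYN plus two retransmissions
    (count 3, about 9 s from first to last seen, i.e. 3 s + 6 s spacing)."""
    out = defaultdict(lambda: {"attempts": 0, "hits": 0, "sports": set(), "retransmit_like": 0})
    for r in records:
        if r["dport"] != dport:
            continue
        s = out[r["src"]]
        s["attempts"] += 1
        s["hits"] += r["count"]
        s["sports"].add(r["sport"])
        span = (r["end"] - r["begin"]).total_seconds()
        if r["count"] == 3 and 8 <= span <= 10:
            s["retransmit_like"] += 1
    return {src: {**v, "sports": len(v["sports"])} for src, v in out.items()}


if __name__ == "__main__":
    for src, s in summarize(parse(SAMPLE_LOG)).items():
        print(src, s)
```

On the four sample records this reports one source, 4 attempts, 12 hits and 4 distinct source ports, all four flagged as retransmit-like, so a raw hit count of 1584 would correspond to roughly a third as many actual connection attempts.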