[Dshield] Scans on port 3659?

Andre Costa brblueser at uol.com.br
Sat Nov 9 16:39:27 GMT 2002


Ahhh... "live and learn" ;) Sorry for the paranoia... those networking
classes took place too long ago, think I'd better review a few concepts
;)

I had done a reverse lookup on the IP which linked it to this
dsl.telesp.net.br. I even tried to contact them asking for explanations,
but am still waiting for a reply.

Regarding the connection attempts, would it help if instead of dropping
the requests I reject them with tcp-reset?

Thks again for the help,

Andre

On Fri, 8 Nov 2002 14:46:54 -0600
"Ed Truitt" <ed.truitt at etee2k.net> wrote:

> Actually, the "3 times" is normal behavior - if your system tries to
> open a connection, and gets no response, then the network stack will
> try up to 2 more times, just in case the connection request (or the
> response) got lost. So, it is trying to connect to the port, your
> firewall is DROPping the connection request, and since the source
> didn't get a reply it tries again - and again - then gives up.  That
> gives you the 3 probes.
> 
> BTW, the only thing open on that IP (a DSL-connected in Brazil) is
> port 80 - checking for "index.html" produced a timeout, leading me to
> believe it may be an HTTP proxy server.
> 
> Cheers,
> Ed Truitt
> PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
> http://www.etee2k.net
> http://www.bsatroop148.org
> 
> "Note to spammers:  my 'delete' key is connected to YOUR ISP.
>  Also, if you send me UCE, I reserve the right to post your spew
> on my Web site, with the appropriate color commentary, so that
> others may have a good laugh at your expense."
> 
> ----- Original Message -----
> From: "Andre Costa" <brblueser at uol.com.br>
> To: <list at dshield.org>
> Sent: Friday, November 08, 2002 1:43 PM
> Subject: Re: [Dshield] Scans on port 3659?
> [snip]
> > * 200.168.1.105 is top scanner, appearing 117 times on logs. It
> > scanned from 39 different ports -- EXACTLY 3 TIMES FOR EACH PORT.
> > Aside from rare changes on the MO, each source port is tried 3 times
> > in a row, with 3 seconds between attempts #1 and #2, and 6s between
> > #2 and #3.
> >
> > I don't know, but this smells odd...
> >
> > Any other ideas?
> 


-- 
Andre Oliveira da Costa
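
Added example, not part of the original thread: one way to collapse dropped-SYN firewall log lines into distinct connection attempts, using the 3 s / 6 s retransmission spacing described in the quoted message. The function names, tuple layout, tolerance value and sample log are assumptions made for illustration; the sample address is a documentation address, not the one from the thread.

```python
from collections import defaultdict

# Gaps (seconds) between the original SYN and its retransmissions, as
# reported in the thread: 3 s between #1 and #2, 6 s between #2 and #3.
RETRY_GAPS = (3, 6)
TOLERANCE = 1  # assumed slack for log timestamp rounding


def collapse_retransmits(entries):
    """Group dropped-SYN log entries into distinct connection attempts.

    entries: iterable of (epoch_seconds, src_ip, src_port, dst_port).
    Returns one dict per attempt, with the number of SYNs seen for it.
    """
    flows = defaultdict(list)
    for ts, src, sport, dport in entries:
        flows[(src, sport, dport)].append(ts)

    attempts = []
    for (src, sport, dport), stamps in flows.items():
        stamps.sort()
        current = None
        for ts in stamps:
            if current is not None:
                idx = current["syns"] - 1  # which retry gap is expected next
                gap = ts - current["last"]
                if idx < len(RETRY_GAPS) and abs(gap - RETRY_GAPS[idx]) <= TOLERANCE:
                    current["syns"] += 1
                    current["last"] = ts
                    continue
            # Gap does not fit the retry schedule: count a new attempt.
            current = {"src": src, "sport": sport, "dport": dport,
                       "first": ts, "last": ts, "syns": 1}
            attempts.append(current)
    return attempts


def sample_log():
    """Constructed sample: 39 source ports, each logged 3 times (117 lines)."""
    src, dport = "192.0.2.10", 3659  # constructed values for the example
    log = []
    for i in range(39):
        t0 = 1000 + i * 30
        log += [(t0 + off, src, 40000 + i, dport) for off in (0, 3, 9)]
    return log


if __name__ == "__main__":
    log = sample_log()
    print(f"{len(log)} log lines -> {len(collapse_retransmits(log))} attempts")
```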



