[Dshield] Scans on port 3659?

Ed Truitt ed.truitt at etee2k.net
Sun Nov 10 13:01:06 GMT 2002


It might.  Just curious, are you on a dynamic IP address, or a static one?
Quite often, we find here that if you are on a dynamic IP, when your address
changes you start getting "probed" by machines trying to re-connect to
services (P2P, games, etc.) provided by the previous holder of the IP.  No
malicious hacktivity, no sneaky attacks, just good old cruft...

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

----- Original Message -----
From: "Andre Costa" <brblueser at uol.com.br>
To: <list at dshield.org>
Sent: Saturday, November 09, 2002 10:39 AM
Subject: Re: [Dshield] Scans on port 3659?


> Ahhh... "live and learn" ;) Sorry for the paranoia... those networking
> classes took place too long ago, think I'd better review a few concepts
> ;)
>
> I had done a reverse lookup on the IP which linked it to this
> dsl.telesp.net.br. I even tried to contact them asking for explanations,
> but am still waiting for a reply.
>
> Regarding the connection attempts, would it help if instead of dropping
> the requests I reject them with tcp-reset?
>
> Thks again for the help,
>
> Andre
>
> On Fri, 8 Nov 2002 14:46:54 -0600
> "Ed Truitt" <ed.truitt at etee2k.net> wrote:
>
> > Actually, the "3 times" is normal behavior - if your system tries to
> > open a connection, and gets no response, then the network stack will
> > try up to 2 more times, just in case the connection request (or the
> > response) got lost. So, it is trying to connect to the port, your
> > firewall is DROPping the connection request, and since the source
> > didn't get a reply it tries again - and again - then gives up.  That
> > gives you the 3 probes.
> >
> > BTW, the only thing open on that IP (a DSL-connected in Brazil) is
> > port 80 - checking for "index.html" produced a timeout, leading me to
> > believe it may be an HTTP proxy server.
> >
> > Cheers,
> > Ed Truitt
> > PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
> > http://www.etee2k.net
> > http://www.bsatroop148.org
> >
> > "Note to spammers:  my 'delete' key is connected to YOUR ISP.
> >  Also, if you send me UCE, I reserve the right to post your spew
> > on my Web site, with the appropriate color commentary, so that
> > others may have a good laugh at your expense."
> >
> > ----- Original Message -----
> > From: "Andre Costa" <brblueser at uol.com.br>
> > To: <list at dshield.org>
> > Sent: Friday, November 08, 2002 1:43 PM
> > Subject: Re: [Dshield] Scans on port 3659?
> > [snip]
> > > * 200.168.1.105 is top scanner, appearing 117 times on logs. It
> > > scanned from 39 different ports -- EXACTLY 3 TIMES FOR EACH PORT.
> > > Aside from rare changes on the MO, each source port is tried 3 times
> > > in a row, with 3 seconds between attempts #1 and #2, and 6s between
> > > #2 and #3.
> > >
> > > I don't know, but this smells odd...
> > >
> > > Any other ideas?
> >
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
>
>
> --
> Andre Oliveira da Costa
>
>
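
Added example (not part of the original messages): a log check for the pattern discussed in this thread, where 117 dropped packets from 39 source ports are really 39 connection attempts, each retried at 3 s and then 6 s. The record layout, the 1-second tolerance and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed firewall DROP records: (epoch_seconds, src_ip, src_port, dst_port).
# Addresses are documentation ranges, not taken from the thread.
SAMPLE_DROPS = [
    (1000, "192.0.2.10", 4001, 3659),
    (1003, "192.0.2.10", 4001, 3659),
    (1009, "192.0.2.10", 4001, 3659),
    (1020, "192.0.2.10", 4002, 3659),
    (1023, "192.0.2.10", 4002, 3659),
    (1029, "192.0.2.10", 4002, 3659),
    # A sweep: every packet uses a new source port and a new destination port.
    (2000, "198.51.100.7", 5000, 21),
    (2000, "198.51.100.7", 5001, 22),
    (2001, "198.51.100.7", 5002, 23),
    (2001, "198.51.100.7", 5003, 25),
]

def is_retransmit_run(times, first_gap=3, tolerance=1):
    """True if sorted timestamps look like one SYN plus retries with doubling gaps."""
    if len(times) < 2:
        return False
    expected = first_gap
    for earlier, later in zip(times, times[1:]):
        if abs((later - earlier) - expected) > tolerance:
            return False
        expected *= 2  # 3 s, then 6 s, as observed in the thread
    return True

def summarize(drops):
    """Collapse raw drops into per-source counts of packets versus real attempts."""
    flows = defaultdict(list)
    for ts, src, sport, dport in drops:
        flows[(src, sport, dport)].append(ts)
    report = {}
    for (src, _sport, dport), times in flows.items():
        entry = report.setdefault(
            src, {"packets": 0, "attempts": 0, "retransmit_runs": 0, "dst_ports": set()}
        )
        entry["packets"] += len(times)
        entry["attempts"] += 1
        entry["dst_ports"].add(dport)
        entry["retransmit_runs"] += is_retransmit_run(sorted(times))
    return report

if __name__ == "__main__":
    for src, entry in summarize(SAMPLE_DROPS).items():
        print(src, entry)
```

A source whose attempts are all retransmit runs against a single destination port is a client retrying a dropped connection; many destination ports with no retries is what a sweep looks like.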



