[Dshield] Scans on port 3659?

keithtarrant@spamcop.net keithtarrant at spamcop.net
Mon Nov 11 20:11:18 GMT 2002


If it is a typo in somone's configuration, or an old server that was
assigned your IP, as people discover the connection is not working they
will be update their settings, so you will see the probes ending.  But
usually this ends over 2-5 days max.

One thing you can pretty well say, if you never have anything listening on
a port (or if the port is stealthed) and you keep getting probes coming in
for it, there is virtually no chance that a human intelligence is
directing the probes to your machine specifically.  Probably they are
either scanning probes, a virus scanning, or they were specifically sent
to whoever had your new IP address before you.

With targetted probing, the direct danger for you with ports you think are
closed on your system, is if someone sends you or your user a trojan
customized to use that supposedly closed port.  But then they wouldn't
send probes often enough  to make you suspicious.  Also they'd use a port
that had a known innocent use, but that wasn't a service you ran.  You'd
have gotten a trojan in your email or mailed on a CD, and once installed
you'd see the trojan listening on the specified port.

- Keith

----- Original Message -----
From: "Andre Costa" <brblueser at uol.com.br>
To: <list at dshield.org>
Sent: Sunday, November 10, 2002 11:04 AM
Subject: Re: [Dshield] Scans on port 3659?


> Hi Ed,
>
> usually, I get the same IP (200.255.184.111), but sometimes DHCP assigns
> me a different one (right now it is 200.255.184.241). So, to make a long
> story short, yes, it is dynamic.
>
> This (using the IP of a former game server) would indeed be a reasonable
> explanation for all this probing. I will try rejecting these connections
> with tcp-reset to see what happens.
>
> ... or maybe I won't: it's been almost two days already port 3659
> remains calm on my machine. Maybe whatever was happening ended, for some
> reason (maybe dsl.telesp.net.br admin read my msg and took same action).
> I will keep my eyes opened, though.
>
> Thks again for the insights.
>
> Best,
>
> Andre
>
> On Sun, 10 Nov 2002 07:01:06 -0600
> "Ed Truitt" <ed.truitt at etee2k.net> wrote:
>
> > It might.  Just curious, are you on a dynamic IP address, or a static
> > one? Quite often, we find here that if you are on a dynamic IP, when
> > your address changes you start getting "probed" by machines trying to
> > re-connect to services (P2P, games, etc.) provided by the previous
> > holder of the IP.  No malicious hacktivity, no sneaky attacks, just
> > good old cruft...
> >
> > Cheers,
> > Ed Truitt
> > PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
> > http://www.etee2k.net
> > http://www.bsatroop148.org
> >
> > "Note to spammers:  my 'delete' key is connected to YOUR ISP.
> >  Also, if you send me UCE, I reserve the right to post your spew
> > on my Web site, with the appropriate color commentary, so that
> > others may have a good laugh at your expense."
> >
> > ----- Original Message -----
> > From: "Andre Costa" <brblueser at uol.com.br>
> > To: <list at dshield.org>
> > Sent: Saturday, November 09, 2002 10:39 AM
> > Subject: Re: [Dshield] Scans on port 3659?
> >
> >
> > > Ahhh... "live and learn" ;) Sorry for the paranoia... those
> > > networking classes took place too long ago, think I'd better review
> > > a few concepts;)
> > >
> > > I had done a reverse lookup on the IP which linked it to this
> > > dsl.telesp.net.br. I even tried to contact them asking for
> > > explanations, but am still waiting for a reply.
> > >
> > > Regarding the connections attempts, would it help if instead of
> > > dropping the requests I reject them with tcp-reset?
> > >
> > > Thks again for the help,
> > >
> > > Andre
>
> --
> Andre Oliveira da Costa
>
>





More information about the list mailing list