[Dshield] Scans on port 3659?

Andre Costa brblueser at uol.com.br
Tue Nov 12 13:54:13 GMT 2002

Hi Keith,

On Mon, 11 Nov 2002 14:11:18 -0600
keithtarrant at spamcop.net wrote:

> If it is a typo in someone's configuration, or an old server that was
> assigned your IP, as people discover the connection is not working
> they will update their settings, so you will see the probes ending.
> But usually this ends over 2-5 days max.

I guess you're right, probing ceased after about a week. I was not
afraid of something bad happening to my system, since I was indeed
blocking the probes. I was more curious about whether this could be part of a
larger-scale scheme, in which case maybe others should be warned about

> One thing you can pretty well say, if you never have anything
> listening on a port (or if the port is stealthed) and you keep getting
> probes coming in for it, there is virtually no chance that a human
> intelligence is directing the probes to your machine specifically.
> Probably they are either scanning probes, a virus scanning, or they
> were specifically sent to whoever had your new IP address before you.
> With targeted probing, the direct danger for you with ports you think
> are closed on your system is if someone sends you or your user a
> trojan customized to use that supposedly closed port. But then they
> wouldn't send probes often enough to make you suspicious. Also
> they'd use a port that had a known innocent use, but that wasn't a
> service you ran. You'd have gotten a trojan in your email or mailed
> on a CD, and once installed you'd see the trojan listening on the
> specified port.

Thanks for the explanation, it makes perfect sense. My box is a 1-user
machine (me ;) ), which kind of makes it reasonably free from trojans (I
am not new to Linux). I do some auditing pretty often on live ports, and
my iptables configuration allows only restricted traffic to flow in and
out. I am not saying I am free of any risk, but IMHO I've got it reasonably
under control.

I guess this (and the fact that the probing ceased) pretty much ends this
thread. As a result, I talked to a bunch of good people and learned many
things (the main one being to wait a little before reporting weird probing
=) )

Thanks to all who replied for the ideas and the patience.

Andre Oliveira da Costa
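The advice in this thread boils down to: with the port blocked, count the dropped probes per day and see whether they die out before reporting. The script below is an added example, not something posted in the thread; it parses constructed iptables LOG lines (assuming a `DROP:` log prefix and a 2002 timestamp year, since syslog omits the year) and summarises probes to one destination port by day and by source.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the classic iptables LOG target line as it lands in syslog ("DROP:" prefix assumed).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP: .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log (not real data): probes to 3659 that die out over a few days,
# plus one unrelated line on port 22 that must be ignored when summarising 3659.
SAMPLE_LOG = """\
Nov  5 10:01:02 box kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=4410 DPT=3659 SYN
Nov  5 10:31:40 box kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=4421 DPT=3659 SYN
Nov  5 23:59:59 box kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=4430 DPT=3659 SYN
Nov  6 09:12:13 box kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=4502 DPT=3659 SYN
Nov  6 21:00:00 box kernel: DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=1025 DPT=3659 SYN
Nov  7 08:00:00 box kernel: DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=3333 DPT=22 SYN
Nov  9 04:44:44 box kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=4710 DPT=3659 SYN
"""

def parse_drops(text, year=2002):
    """Yield (date, src, dpt) for each line matching the LOG format; skip everything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts.date(), m["src"], int(m["dpt"])

def probe_summary(text, port, year=2002):
    """Per-day counts and distinct sources for dropped probes to `port`, plus a tapering verdict."""
    per_day, sources = Counter(), set()
    for day, src, dpt in parse_drops(text, year):
        if dpt == port:
            per_day[day] += 1
            sources.add(src)
    days = sorted(per_day)
    # Tapering: at least two distinct days seen and the latest day is quieter than the first.
    # A single source whose probes fade like this looks like a stale client config, not a
    # directed scan; a steady or growing count is what would justify a report.
    tapering = len(days) >= 2 and per_day[days[-1]] < per_day[days[0]]
    return {
        "per_day": {d.isoformat(): per_day[d] for d in days},
        "sources": sorted(sources),
        "span_days": (days[-1] - days[0]).days + 1 if days else 0,
        "tapering": tapering,
    }

if __name__ == "__main__":
    print(probe_summary(SAMPLE_LOG, 3659))
```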

