Port scan activity

I've been using Sygate Personal Firewall (free version) for at least two years. Sygate gives me frequent port scan alerts that are always the same:

There were thirteen of these scans within the last week. Most days, there are 2-3 scan attempts per day. My machine is only connected via DSL when it's on; when I'm not using it, it is often off. Thus, there may have been more scan attempts than what's been recorded.

All attempts originate from one "Remote MAC" and four separate hosts. Every event scans four ports, seemingly at random, except that there's some clustering around certain port numbers. Most scans include port 1030. The second most common port scanned is 1033. The remainder are mostly random numbers close to 1030. There is often one scanned port in the 4000 range.

Can someone tell me what this activity is?

Thanks.

Richard

Reply to
Richard Steinfeld

Google 'port xxx' works very well. In case, see

formatting link

Reply to
Jeff B

Thanks. I know about the vulnerability.

However, what I'm most curious about is the regularity of the attack. Each event consists of exactly four probes. I'd like to know about who and what is the cause of this particular activity. Back-tracing always produces vague information, like "...address is really world-wide." The MO is relentless; I've been intercepting these things for well beyond an entire year.

Richard

Reply to
Richard Steinfeld

"Microsoft operating systems tend to allocate one or more unsuspected, publicly exposed services (probably DCOM, but who knows)"

It seems that GRC do not know what they're writing about here.

Yours, VB.

Reply to
Volker Birk

'relentless' is how they succeed. one day they make a penetration and then they've got you.

just smile and keep up the good work. btw, if I log my intercepts, I've been seeing this too for a L O N G time now.

Reply to
Jeff B

You are not providing adequate detail, but why do you care where the activity comes from? There is no "Internet Police" that is going to arrest anyone. Your firewall is blocking it. That's fine. Ignore it.

You are asking the wrong 'whois' server. For example, if I ask RIPE about an address assigned from AFRINIC, APNIC, ARIN, or LACNIC (the other four "Regional Internet Registrars"), I am told

    inetnum:  0.0.0.0 - 255.255.255.255
    netname:  IANA-BLK
    descr:    The whole IPv4 address space
    country:  EU # Country is really world wide
    org:      ORG-IANA1-RIPE
    admin-c:  IANA1-RIPE
    tech-c:   IANA1-RIPE
    status:   ALLOCATED UNSPECIFIED
    remarks:  The country is really worldwide.
    remarks:  This address space is assigned at various other places in
    remarks:  the world and might therefore not be in the RIPE database.

which is their way of telling me I asked the wrong question, or the wrong server. The five RIRs do not keep track of IP space assigned from the other RIRs. As there are about 71,000 direct assignments from the RIRs, this is not surprising.

Ignore it. It is noise, the result of people using computers when they lack the skills to be using something as complicated as a push button telephone.

Old guy

Reply to
Moe Trin
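
Added example (not part of any post in this thread): one way to recognise the RIPE placeholder reply quoted in the post above and find the registry that actually holds an address. It assumes IANA's whois server (whois.iana.org, not mentioned in the thread) answers with a "refer:" line naming that registry; the function names and both sample replies are constructed for illustration.

```python
import socket

# Constructed sample: the RIPE catch-all reply quoted in the post above.
RIPE_PLACEHOLDER = """\
inetnum:        0.0.0.0 - 255.255.255.255
netname:        IANA-BLK
country:        EU # Country is really world wide
remarks:        The country is really worldwide.
"""

# Constructed sample of an IANA reply, which names the responsible registry.
IANA_REPLY = """\
% IANA WHOIS server
refer:        whois.arin.net
inetnum:      192.0.0.0 - 192.255.255.255
"""

def parse_whois(text):
    """Return {key: [values]} for 'key: value' lines, skipping comments."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(("%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def is_placeholder(fields):
    """True when the reply is the catch-all block, i.e. wrong registry asked."""
    return ("IANA-BLK" in fields.get("netname", [])
            or "0.0.0.0 - 255.255.255.255" in fields.get("inetnum", []))

def referral(fields):
    """Registry whois host named in an IANA reply, or None."""
    return (fields.get("refer") or [None])[0]

def whois_query(server, query, timeout=10):
    """Plain whois lookup on TCP port 43 (needs network access)."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        data = b"".join(iter(lambda: s.recv(4096), b""))
    return data.decode("utf-8", "replace")

def lookup(ip, query=whois_query):
    """Ask IANA which registry holds ip, then ask that registry."""
    server = referral(parse_whois(query("whois.iana.org", ip)))
    return server, (query(server, ip) if server else None)
```

The parsing functions run offline on the samples; lookup() only touches the network when called with the default query function.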

If your firewall protection is ever momentarily weak, that can be the result. Relentless active scanning is how you beat that. It's your second line of defense.

Reply to
Quaestor

Haha, that was great. :) I'll have to remember that line.

Reply to
Renegade
