Re: Confessions of a reluctant port scanner

To: Patrick Albuquerque <patrickq@mts.net>, debian-user@lists.debian.org
Subject: Re: Confessions of a reluctant port scanner
From: Bruce Banner <bruc3_banner@yahoo.com>
Date: Sun, 13 Jul 2003 19:42:29 -0700 (PDT)
Message-id: <[🔎] 20030714024229.81791.qmail@web21405.mail.yahoo.com>
In-reply-to: <[🔎] 20030714013117.GA13741@mts.net>

It doesn't look like anything to worry about they are
false positives leaving your network.  Your network is
a private network 192.168.1.x and the false attacks
are you hitting a dns probably your dns and your
network hitting a website.  192.168.1 is a private
network range that means they are unroutable on the
public internet unless statically routed.  I would say
they are false positives.  When running nmap run it on
your eth0 interface as opposed to your loopback this
can give different results.  check your home_net and
dns server entries in snort.conf.  


There is a script in cron.weekly that starts lpd once
a week.
--- Patrick Albuquerque <patrickq@mts.net> wrote:
> Hello,
> 
> Anyone have an idea why I'm a portscanner?
> I'm running unstable, dsl thru a router.
> 
> Some sample snort output:
> 
> [**] [117:1:1] (spp_portscan2) Portscan detected
> from 192.168.1.1: 6
> targets 6 ports in 19 seconds
> [**]
> 07/13-15:11:32.418841 192.168.1.1:32769 ->
> 198.32.64.12:53
> UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:71 DF
> Len: 43
> 
> [**] [117:1:1] (spp_portscan2) Portscan detected
> from 192.168.1.1: 6
> targets 6 ports in 52 seconds
> [**]
> 07/13-15:25:53.462024 192.168.1.1:34869 ->
> 66.35.250.150:80
> TCP TTL:64 TOS:0x0 ID:45297 IpLen:20 DgmLen:60 DF
> ******S* Seq: 0x51642A4F  Ack: 0x0  Win: 0x16D0 
> TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 1350334 0
> NOP WS: 0
> 
> whois says these particular targets are 
> 	OrgName:    Exchange Point Blocks
> 	OrgName:    Cable & Wireless
> and I have no connection to them AFAICT.
> 
> nmap localhost says:
> Starting nmap 3.27 ( www.insecure.org/nmap/ ) at
> 2003-07-13 20:25 CDT
> Interesting ports on loopback (127.0.0.1):
> (The 1618 ports scanned but not shown below are in
> state: closed)
> Port       State       Service
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 53/tcp     open        domain
> 111/tcp    open        sunrpc
> 953/tcp    open        rndc
> 
> Also, every now and then, I notice lpd running.  I
> don't have a printer,
> and lpd is not in /etc/rc2.d
> 
> Sorry, but I'm pretty ignorant regarding
> network/security issues.
> 
> Is it time to panic yet?
> 
> Thanks for any advice.
> 
> Patrick.
> 
> 
> -- 
> To UNSUBSCRIBE, email to
> debian-user-request@lists.debian.org 
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 


__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com

Reply to:

Follow-Ups:
- Re: Confessions of a reluctant port scanner
  - From: Bruce Banner <bruc3_banner@yahoo.com>
- Re: Confessions of a reluctant port scanner
  - From: Patrick Albuquerque <patrickq@mts.net>

References:
- Confessions of a reluctant port scanner
  - From: Patrick Albuquerque <patrickq@mts.net>

Prev by Date: SSH: Corrupted MAC on input error - keeps recurring
Next by Date: Re: Confessions of a reluctant port scanner
Previous by thread: Confessions of a reluctant port scanner
Next by thread: Re: Confessions of a reluctant port scanner
Index(es):
- Date
- Thread