
out going portsweep


aftermath

Member
Joined
Jan 29, 2002
Location
The Big Brother Nation
IDS log said:
Date: 03/13 10:56:16 Name: (portscan) TCP Portsweep
Priority: n/a Type: n/a
IP info: 78.32.221.106:n/a -> 209.85.137.83:n/a
References: none found
I am using SmoothWall 3.
It appears as though I have been port scanning Google and a few other sites.
I tried to run GMER on all of my servers last night but one server hung.
I have F-Secure on all the PCs here but scanning is very slow on one server (the one that hung) and a laptop.

What is the best way to find where this is coming from? Could I set up tcpdump on the smoothie's green NIC to report the origin of the scan?
Could it be the smoothie itself has been compromised? :eek:

It does not seem to coincide with Google's spider.

HJT logged a gopher prefix but I have never had a redirect :confused:

T.I.A.

Are you sure it wasn't an outside port scan? Those look like 2 external IPs.

If you did an internal port scan to the net, you would (or should) have gotten a classified IP > external IP IDS log entry, would you not?


edit: also, keep in mind, people do sweeps on external IPs all the time to see what is happening or what they can get into.
 
Thanks for the reply gangaskan
78.32.221.106 is one of my public IPs

IDS log said:
Date: 03/13 00:59:36 Name: SQL version overflow attempt
Priority: 1 Type: Attempted Administrator Privilege Gain
IP info: 221.233.242.4:2406 -> 78.32.221.106:1434
References: 1 2 3 4
That is an example of an incoming attack (one which is blocked by the firewall and automatically blocks that IP for 5 days too).
 

yup, sounds like someone was sweeping that range :) it happens all the time.
 
Yes, but the port scan is coming from my IP and scanning Google.
I need to find where it's originating in my network.
I just posted the SQL logged hack attempt as an example of inbound traffic.
 

Well personally I manage some IDS systems and get similar warnings when people open up firefox with a lot of saved tabs. There are so many simultaneous connections (sometimes to the same server) that it might mistake it for a portscan.

See if you can repeat it somehow with your own actions (I could). I don't think any trojans would be targeting Google from your network.
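An added example, not code from anyone in this thread: a small Python script that does what the tcpdump-on-the-green-NIC question above asks for, and shows why the many-tabs case described here looks the same to the IDS. It parses constructed `tcpdump -n` lines as captured on the LAN side of the SmoothWall, where the source is still the private address rather than the public one the IDS logged, and counts distinct destination hosts per internal source inside a time window; all addresses in the sample are constructed except 209.85.137.83 from the log above.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` output captured on the SmoothWall green (LAN) NIC,
# i.e. before NAT, so the source column still shows the internal host, not the public IP.
SAMPLE_CAPTURE = """\
10:56:10.100000 IP 192.168.1.20.49152 > 209.85.137.83.80: Flags [S], seq 1, win 65535
10:56:10.250000 IP 192.168.1.20.49153 > 209.85.137.104.80: Flags [S], seq 1, win 65535
10:56:10.400000 IP 192.168.1.20.49154 > 209.85.137.99.80: Flags [S], seq 1, win 65535
10:56:10.550000 IP 192.168.1.20.49155 > 209.85.137.147.443: Flags [S], seq 1, win 65535
10:56:10.700000 IP 192.168.1.20.49156 > 209.85.137.18.80: Flags [S], seq 1, win 65535
10:56:11.000000 IP 192.168.1.20.49157 > 209.85.137.105.80: Flags [S], seq 1, win 65535
10:56:12.000000 IP 192.168.1.30.50000 > 209.85.137.83.80: Flags [S], seq 1, win 65535
10:56:40.000000 IP 192.168.1.30.50001 > 209.85.137.83.443: Flags [S], seq 1, win 65535
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

def parse_syns(text):
    """Return (seconds since midnight, src, dst, dst_port) for each parsable line."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            h, mi, s = m["ts"].split(":")
            flows.append((int(h) * 3600 + int(mi) * 60 + float(s),
                          m["src"], m["dst"], int(m["dport"])))
    return flows

def find_sweep_sources(text, window=60.0, min_hosts=5):
    """Per internal source: most distinct destination hosts within any `window` seconds.
    One source to many hosts is the 'portsweep' shape Snort's portscan preprocessor
    alerts on; a browser restoring many tabs produces the same shape."""
    by_src = defaultdict(list)
    for t, src, dst, dport in parse_syns(text):
        by_src[src].append((t, dst, dport))
    report = {}
    for src, flows in by_src.items():
        flows.sort()
        best = 0
        for i, (t0, _, _) in enumerate(flows):
            hosts = {d for t, d, _ in flows[i:] if t - t0 <= window}
            best = max(best, len(hosts))
        report[src] = {"max_hosts_in_window": best,
                       "dst_ports": sorted({p for _, _, p in flows}),
                       "portsweep": best >= min_hosts}
    return report
```

The report names the internal host to look at; whether that host is a browser restoring tabs or something unwanted is the next check on the machine itself.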
 
Put wireshark on all the machines and give them a few minutes. Or you could run them all through a proxy with wireshark.

I'll try that, thanks.


That's a possibility; I hibernate my laptop with loads of tabs. It's not on today, so I'll go check the logs now.
 
It could be an application checking that there is a live internet connection before it tries to do what it wants to do.
 