Help with odd port scans
I have to admit, I've gotten a little lazy about reading through my firewall logs on my home machine every day, but today I was looking back through my daily reports for the last 2 weeks and noticed a couple of odd port scans. I've been getting these scans from multiple IPs (2-4 of each per day) every day for that period. I'll put up a netcat listener this evening to see if I can get some packets, but I was wondering if any of our loyal readers had any idea what is going on here. Based on some of the ports being scanned, I'm guessing they are looking for open proxies to use as relays, among other things, but some of those ports are new to me. Has anyone else seen them, or does anyone know what they are actually looking for?
From aa.bb.cc.dd - 252 packets
  To my.home.machine - 252 packets
    Service: snmp (udp/161) (IPTABLES UDP-IN:) - 36 packets
    Service: 3389 (tcp/3389) (IPTABLES TCP-IN:) - 54 packets
    Service: 5900 (tcp/5900) (IPTABLES TCP-IN:) - 54 packets
    Service: http-alt (tcp/8080) (IPTABLES TCP-IN:) - 54 packets
    Service: 40080 (tcp/40080) (IPTABLES TCP-IN:) - 54 packets

From ee.ff.gg.hh - 32 packets
  To my.home.machine - 32 packets
    Service: 73 (tcp/73) (IPTABLES TCP-IN:) - 1 packet
    Service: socks (tcp/1080) (IPTABLES TCP-IN:) - 1 packet
    Service: 2301 (tcp/2301) (IPTABLES TCP-IN:) - 1 packet
    Service: 2479 (tcp/2479) (IPTABLES TCP-IN:) - 2 packets
    Service: 3128 (tcp/3128) (IPTABLES TCP-IN:) - 2 packets
    Service: 3246 (tcp/3246) (IPTABLES TCP-IN:) - 3 packets
    Service: 6588 (tcp/6588) (IPTABLES TCP-IN:) - 1 packet
    Service: 8000 (tcp/8000) (IPTABLES TCP-IN:) - 2 packets
    Service: 8085 (tcp/8085) (IPTABLES TCP-IN:) - 4 packets
    Service: 8090 (tcp/8090) (IPTABLES TCP-IN:) - 2 packets
    Service: 8118 (tcp/8118) (IPTABLES TCP-IN:) - 1 packet
    Service: 9000 (tcp/9000) (IPTABLES TCP-IN:) - 4 packets
    Service: 9090 (tcp/9090) (IPTABLES TCP-IN:) - 4 packets
    Service: 9415 (tcp/9415) (IPTABLES TCP-IN:) - 2 packets
    Service: 27977 (tcp/27977) (IPTABLES TCP-IN:) - 2 packets
---------------
Jim Clausing, GSE #26
jclausing --at-- isc [dot] sans (dot) org
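
One way to check the open-proxy guess against a report like this, as an added example that is not part of the original diary: it parses the summary format shown in the post and sorts each source's probed ports into proxy defaults, remote-admin services, and everything else. The two port tables are this example's assumptions, and the sample is the post's report, abridged.

```python
import re
from collections import defaultdict

# Assumptions of this example: default ports of common proxy and remote-admin services.
PROXY_PORTS = {1080: "SOCKS", 3128: "Squid", 6588: "AnalogX", 8080: "HTTP proxy", 8118: "Privoxy"}
ADMIN_PORTS = {161: "SNMP", 3389: "RDP", 5900: "VNC"}

FROM_RE = re.compile(r"^\s*From (\S+) - \d+ packets?")
SVC_RE = re.compile(r"^\s*Service: \S+ \((tcp|udp)/(\d+)\) \(IPTABLES [^)]*\) - (\d+) packets?")

# Constructed sample: the post's report, abridged, with its placeholder addresses.
SAMPLE = """\
From aa.bb.cc.dd - 252 packets
To my.home.machine - 252 packets
Service: snmp (udp/161) (IPTABLES UDP-IN:) - 36 packets
Service: 3389 (tcp/3389) (IPTABLES TCP-IN:) - 54 packets
Service: 5900 (tcp/5900) (IPTABLES TCP-IN:) - 54 packets
Service: http-alt (tcp/8080) (IPTABLES TCP-IN:) - 54 packets
Service: 40080 (tcp/40080) (IPTABLES TCP-IN:) - 54 packets
From ee.ff.gg.hh - 32 packets
To my.home.machine - 32 packets
Service: socks (tcp/1080) (IPTABLES TCP-IN:) - 1 packet
Service: 3128 (tcp/3128) (IPTABLES TCP-IN:) - 2 packets
Service: 6588 (tcp/6588) (IPTABLES TCP-IN:) - 1 packet
Service: 8118 (tcp/8118) (IPTABLES TCP-IN:) - 1 packet
Service: 27977 (tcp/27977) (IPTABLES TCP-IN:) - 2 packets
"""

def parse_report(text):
    """Return {source: {(proto, port): packets}} from the per-source summary."""
    hits, src = defaultdict(dict), None
    for line in text.splitlines():
        if m := FROM_RE.match(line):
            src = m.group(1)
        elif src and (m := SVC_RE.match(line)):
            hits[src][(m.group(1), int(m.group(2)))] = int(m.group(3))
    return dict(hits)

def profile(ports):
    """Split one source's probed ports into proxy, remote-admin and unlisted."""
    nums = sorted(port for _, port in ports)
    return {"packets": sum(ports.values()),
            "proxy": [p for p in nums if p in PROXY_PORTS],
            "admin": [p for p in nums if p in ADMIN_PORTS],
            "unlisted": [p for p in nums if p not in PROXY_PORTS and p not in ADMIN_PORTS]}

if __name__ == "__main__":
    for src, ports in parse_report(SAMPLE).items():
        print(src, profile(ports))
```

Ports that land in `unlisted` are the ones to capture with a listener and look up, since no table entry explains them.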
Comments
D
Nov 25th 2010
1 decade ago
That I see every day in all my webservers.
Also, I checked what Google said about that 12200 source port and found one interesting line from one discussion board:
"I guess it may be possible that someone is using ghostsurf to attempt to use someone else's ghostsurf open proxy installation as part of a multilayer proxy."
So maybe just normal scanning all around.
HackDefendr.com
Nov 25th 2010
1 decade ago
Just like other governments around the world are doing. :-)