[TriLUG] are these port scanners?

Matt Flyer matt at noway2.thruhere.net
Sun May 13 10:55:22 EDT 2012


On 05/13/2012 10:31 AM, Joseph Mack NA3T wrote:
> Now that I've written my own firewall rules, I LOG all dropped packets
> and looking at them to see if there's anything interesting. I'm being
> overwhelmed by dropped packets and there's not much hope of me seeing
> anything I should take notice of (like a persistent machine attempting
> to penetrate). I'm getting packets like these from a high port to a
> high port about every 2 secs.
>
> May 13 14:19:21 routera kernel: firewall logdrop: IN=eth2 OUT=
> MAC=00:a0:24:5e:0b:7d:00:90:1a:41:1b:55:08:00 SRC=190.135.50.221
> DST=50.55.129.200 LEN=58 TOS=0x00 PREC=0x00 TTL=49 ID=23 PROTO=UDP
> SPT=39114 DPT=47518 LEN=38
>
> Most often the SRC host doesn't resolve to a hostname. This packet
> above, from Uraguay, does.
>
> root at routera:/var/log# host 190.135.50.221
> 221.50.135.190.in-addr.arpa domain name pointer
> r190-135-50-221.dialup.adsl.anteldata.net.uy.
>
> As these machines just scanning all my high ports? Why? Just to see if
> they get a reply?
>
> Joe
It looks to me like, yes, they are port scanners.  Probably pat of a
bot-net on someone's exploited server.  I am not sure why they would
scan such high port numbers.  Those particular numbers aren't even
associated with any service.  Sometimes a specific exploit tool will use
a particular high port number to help obfuscate its' presence, but I
can't see much benefit to this type of scan.




More information about the TriLUG mailing list