Is there any legit reason for TCP scans?

Anonymous
April 30, 2004 7:20:56 PM

Archived from groups: comp.security.firewalls

Tried this question in a couple of other groups, but got no response.

Our production server's firewall is reporting TCP Port Scan from our
development server three or four times an hour, every day. AVG av and
Stinger.exe don't show anything in particular. Is there any legitimate
reason for the activity I'm seeing?


--
William Morris
Product Development, Seritas LLC
Kansas City, Missouri

Anonymous
April 30, 2004 7:20:57 PM

William Morris wrote:

> Tried this question in a couple of other groups, but got no response.
>
> Our production server's firewall is reporting TCP Port Scan from our
> development server three or four times an hour, every day. AVG av and
> Stinger.exe don't show anything in particular. Is there any legitimate
> reason for the activity I'm seeing?
>
>
> --
> William Morris
> Product Development, Seritas LLC
> Kansas City, Missouri

My opinion, no. There should be none, in theory, unless it's worms maybe.
Then again, I don't think it's a criminal act, either. But if you don't
appreciate it, contact their ISP and complain.

--
I'm all for computer dating, but I wouldn't want one to marry my sister.
Anonymous
April 30, 2004 8:21:35 PM

On Fri, 30 Apr 2004 15:20:56 GMT, William Morris spoketh

>Tried this question in a couple of other groups, but got no response.
>
>Our production server's firewall is reporting TCP Port Scan from our
>development server three or four times an hour, every day. AVG av and
>Stinger.exe don't show anything in particular. Is there any legitimate
>reason for the activity I'm seeing?

Without knowing what type of servers and which ports are being hit, it
would be merely guesswork...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
April 30, 2004 9:05:06 PM

The servers are both Windows 2000 Small Business Server. As to ports,
BlackIce reports them as

port=80|1388|1397|1440|3925|4413|4466|4657|4833|4995

What I don't understand is why it's happening without human
intervention. What process could be running that makes the development
server do that?


"Lars M. Hansen" <badnews@hansenonline.net> wrote in message
news:u5v4901olq4fda1m3u2qf3u4uq41sfcho7@4ax.com...
> On Fri, 30 Apr 2004 15:20:56 GMT, William Morris spoketh
>
> >Tried this question in a couple of other groups, but got no response.
> >
> >Our production server's firewall is reporting TCP Port Scan from our
> >development server three or four times an hour, every day. AVG av and
> >Stinger.exe don't show anything in particular. Is there any legitimate
> >reason for the activity I'm seeing?
>
> Without knowing what type of servers and which ports are being hit, it
> would be merely guesswork...
>
>
>
> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"
Anonymous
April 30, 2004 9:05:07 PM

On Fri, 30 Apr 2004 17:05:06 GMT, William Morris spoketh

>The servers are both Windows 2000 Small Business Server. As to ports,
>BlackIce reports them as
>
> port=80|1388|1397|1440|3925|4413|4466|4657|4833|4995
>
> What I don't understand is why it's happening without human
>intervention. What process could be running that makes the development
>server do that?
>

Run "tcpview" from www.sysinternals.com on the dev. server to see what
processes are connecting to your production server. There shouldn't be
anything in SBS that causes one server to connect to another on these
ports.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
Anonymous
May 1, 2004 12:45:12 AM

Well, there you see, is the rub. We own both servers, and neither our
anti-virus nor Stinger reports the presence of anything malicious. Stinger
is the latest version, and the anti-virus db is up to date.

Stumped, looking for direction.

"Robert Delahunt" <neosad1st@charter.net> wrote in message
news:1095a20i6sct9c0@corp.supernews.com...
> William Morris wrote:
>
> > Tried this question in a couple of other groups, but got no response.
> >
> > Our production server's firewall is reporting TCP Port Scan from our
> > development server three or four times an hour, every day. AVG av and
> > Stinger.exe don't show anything in particular. Is there any legitimate
> > reason for the activity I'm seeing?
> >
> >
> > --
> > William Morris
> > Product Development, Seritas LLC
> > Kansas City, Missouri
>
> My opinion, no. There should be none, in theory, unless it's worms maybe.
> Then again, I don't think it's a criminal act, either. But if you don't
> appreciate it, contact their ISP and complain.
>
> --
> I'm all for computer dating, but I wouldn't want one to marry my sister.
>
Anonymous
May 1, 2004 12:45:13 AM

Well according to http://smb.sygate.com/support/documents/spf/SPF_WebHelp...

they have software that does the following:

Performing a TCP Scan

The TCP scan examines the 1,024 ports that are mainly reserved for TCP
services, such as instant messaging services, to see if these ports
are open to communication. Open ports can indicate a dangerous
security hole that can be exploited by malicious hackers.

It scans ports on your computer that are connected to devices such as
routers and proxies for users connecting to the Web site through such
a device. The scan takes about 20 minutes to complete and is logged by
the Personal Firewall as a scan event in the Security log.

But under normal circumstances a TCP scan is just to see what ports are
open and working. Type netstat -a at the command line and you will see
active connections/ports as well. But usually, like you said before, TCP
scans are run to see any vulnerable spots or such.

"William Morris" <seamNOlyneSPAM@hotmail.com> wrote in message news:<sVykc.3390$oP7.1043@newssvr24.news.prodigy.com>...
> Well, there you see, is the rub. We own both servers, and neither our
> anti-virus nor Stinger reports the presence of anything malicious. Stinger
> is the latest version, and the anti-virus db is up to date.
>
> Stumped, looking for direction.
>
> "Robert Delahunt" <neosad1st@charter.net> wrote in message
> news:1095a20i6sct9c0@corp.supernews.com...
> > William Morris wrote:
> >
> > > Tried this question in a couple of other groups, but got no response.
> > >
> > > Our production server's firewall is reporting TCP Port Scan from our
> > > development server three or four times an hour, every day. AVG av and
> > > Stinger.exe don't show anything in particular. Is there any legitimate
> > > reason for the activity I'm seeing?
> > >
> > >
> > > --
> > > William Morris
> > > Product Development, Seritas LLC
> > > Kansas City, Missouri
> >
> > My opinion, no. There should be none, in theory, unless it's worms maybe.
> > Then again, I don't think it's a criminal act, either. But if you don't
> > appreciate it, contact their ISP and complain.
> >
> > --
> > I'm all for computer dating, but I wouldn't want one to marry my sister.
> >
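As an added illustration (not part of the thread, and not from any of the tools mentioned in it), here is a small Python parser for Windows `netstat -an` output that groups the connections to one peer by remote port, so you can see at a glance whether the development box is opening ordinary client connections to one or two services or touching many different ports. The addresses and the netstat text below are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -an` output (not a real capture).
# 192.168.1.20 stands in for the development server, 192.168.1.10 for production.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1388      192.168.1.10:80        ESTABLISHED
  TCP    192.168.1.20:1397      192.168.1.10:80        TIME_WAIT
  TCP    192.168.1.20:1440      192.168.1.10:445       ESTABLISHED
  TCP    192.168.1.20:3925      192.168.1.10:80        TIME_WAIT
  TCP    192.168.1.20:4413      10.0.0.5:25            ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One TCP line: proto, local ip:port, foreign ip:port, state.
TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) for every
    TCP connection line; listening sockets and UDP lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m and m.group(5) != "LISTENING":
            lip, lport, rip, rport, state = m.groups()
            conns.append((lip, int(lport), rip, int(rport), state))
    return conns


def connections_to(conns, peer_ip):
    """Group connections to one peer: remote port -> sorted (local_port, state).
    Many local ports against one or two remote ports is a client talking to a
    service; many distinct remote ports is what a probe looks like."""
    by_port = defaultdict(list)
    for lip, lport, rip, rport, state in conns:
        if rip == peer_ip:
            by_port[rport].append((lport, state))
    return {port: sorted(v) for port, v in by_port.items()}


if __name__ == "__main__":
    summary = connections_to(parse_netstat(SAMPLE_NETSTAT), "192.168.1.10")
    for port, peers in sorted(summary.items()):
        print(f"remote port {port}: {len(peers)} connection(s) {peers}")
```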
Anonymous
May 1, 2004 5:37:18 AM

"William Morris" <seamNOlyneSPAM@hotmail.com> wrote in
news:sVykc.3390$oP7.1043@newssvr24.news.prodigy.com:

> Well, there you see, is the rub. We own both servers, and neither our
> anti-virus nor Stinger reports the presence of anything malicious.
> Stinger is the latest version, and the anti-virus db is up to date.
>
> Stumped, looking for direction.
>

IMHO, you cannot depend upon the technology you mention to tell you
anything as the technology can be circumvented and defeated in this area
easily. You have to look at things for yourself in this case. From your
post, you seem to be a program developer and should know about dll's,
ocx's etc, etc that can run in their own processing threads if they can
find a host to latch on to such as svchost.exe, dllhost.exe etc, etc and
communicate out on the network or WAN for that matter.

Tools such as Active Ports will give you a clear picture as to what
programs are connecting and using what ports. Process Explorer will allow
you to look inside a running process on the machine and tell you the
processes/programs and where they are running from that are using the
process such as svchost.exe, by doing a mouse over on the dll(s) etc.

You should be happy BlackIce is sitting there on both machines stopping
whatever it is from accessing the other machine, if the machines are
sharing resources on the LAN. :)

You can use the tools to help determine what's running on the machine.

http://www.windowsecurity.com/articles/Hidden_Backdoors...
_Rootkit_Tools_in_a_Windows_Environment.html

You may also want to enable the NT based O/S Audit Process Tracking which
may also help you pinpoint it possibly.

BTW, you should know that if svchost.exe and dllhost.exe are not running
out of *System32* and no other directory, they are Trojans.

Duane :) 
Anonymous
May 1, 2004 2:27:39 PM

On Fri, 30 Apr 2004 15:20:56 GMT, "William Morris"
<seamNOlyneSPAM@hotmail.com> wrote:

>Tried this question in a couple of other groups, but got no response.
>
>Our production server's firewall is reporting TCP Port Scan from our
>development server three or four times an hour, every day. AVG av and
>Stinger.exe don't show anything in particular. Is there any legitimate
>reason for the activity I'm seeing?

This is a shot in the dark but your people wouldn't have used network
shares to transfer stuff from one box to the other would they? Often
with Windows boxes those shares are kept alive.

I use shares like that locally and have seen incoming connections from
the other box. Not sure about the ports but Windows sure keeps those
connections alive. Hard to see them too since those "reconnection"
settings are buried somewhere in the menus.
Anonymous
May 3, 2004 6:33:09 AM

"William Morris" <seamNOlyneSPAM@hotmail.com> wrote in news:s9ukc.3286
$ms6.363@newssvr24.news.prodigy.com:

> Tried this question in a couple of other groups, but got no response.
>
> Our production server's firewall is reporting TCP Port Scan from our
> development server three or four times an hour, every day. AVG av and
> Stinger.exe don't show anything in particular. Is there any legitimate
> reason for the activity I'm seeing?
>
>
> --
> William Morris
> Product Development, Seritas LLC
> Kansas City, Missouri
>

Your firewall will have some simple mechanism for detecting port scans.
Something like "more than 4 hits within 1 second". This is quite common
activity, e.g.,
Connecting to a webpage with a few images or ads pulled off another
device, or
A file transfer of several small files, or
MS Outlook when it starts up, or
Several people connecting to a machine in a small space of time.

All these activities can cause the firewall to detect a port scan.
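To make that heuristic concrete, here is an added Python example (not from the thread and not from any firewall product) that applies a "more than N hits within one second" rule of the kind described above to a constructed event list, beside a second rule that counts distinct destination ports over a longer window and therefore ignores a burst of legitimate connections to a single service. The addresses, ports and timings are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample firewall events (not from the thread): (seconds, source_ip, dest_port).
# 192.168.1.20 copies several small files to the production box over SMB (port 445)
# within a third of a second; 10.9.9.9 touches ten different ports over 27 seconds.
EVENTS = [
    (0.00, "192.168.1.20", 445), (0.05, "192.168.1.20", 445), (0.10, "192.168.1.20", 445),
    (0.20, "192.168.1.20", 445), (0.30, "192.168.1.20", 445),
] + [(3.0 * i, "10.9.9.9", 20 + i) for i in range(10)]


def _sliding_window_alerts(events, window, measure, limit):
    """Per source, keep the events of the last `window` seconds and emit an
    alert (source, time, score) when measure(window) exceeds `limit`.
    The window is cleared after an alert so one burst yields one alert."""
    alerts = []
    recent = defaultdict(deque)
    for t, src, dport in sorted(events):
        q = recent[src]
        q.append((t, dport))
        while q and t - q[0][0] > window:
            q.popleft()
        score = measure(q)
        if score > limit:
            alerts.append((src, t, score))
            q.clear()
    return alerts


def detect_hit_bursts(events, threshold=4, window=1.0):
    """The simple rule from the thread: more than `threshold` hits within
    `window` seconds, regardless of port. A file copy of several small files
    or a page with several images is enough to trip it."""
    return _sliding_window_alerts(events, window, len, threshold)


def detect_port_sweeps(events, min_ports=10, window=60.0):
    """Stricter rule: at least `min_ports` distinct destination ports from one
    source within `window` seconds. Repeated hits on one service do not count."""
    distinct = lambda q: len({p for _, p in q})
    return _sliding_window_alerts(events, window, distinct, min_ports - 1)


if __name__ == "__main__":
    print("hit bursts :", detect_hit_bursts(EVENTS))   # flags the SMB file copy
    print("port sweeps:", detect_port_sweeps(EVENTS))  # flags only 10.9.9.9
```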