Specter All American 6575 Posts
I was browsing through my home router's device logs and I'm seeing port scans every 2-3 minutes from a whole slew of different IP addresses. I've counted at least 30-something separate domains. My router has a built-in firewall, but is being port scanned this much typical?
[Edited on January 1, 2009 at 2:49 PM. Reason : ] 1/1/2009 2:48:08 PM |
cdubya All American 3046 Posts
Nah- definitely not the norm. Mind sharing a snippet of the logs? 1/1/2009 3:25:36 PM |
evan All American 27701 Posts
^
also, do you have a static IP on your WAN interface? 1/1/2009 3:29:16 PM |
Master_Yoda All American 3626 Posts
Who's your ISP?
If you can, disconnect it overnight. That often will fix stuff like that. Otherwise it'll probably continue for a while. 1/1/2009 5:32:00 PM |
skokiaan All American 26447 Posts
Russian or Chinese hackers 1/1/2009 5:40:49 PM |
Specter All American 6575 Posts
I re-installed my router and it stopped for a few hours but started back up again. I'm using dynamic addressing for my WAN and my ISP is earthlink/twc. Here's my recent device log:
note: time is off by an hour.
[Edited on January 2, 2009 at 3:09 AM. Reason : ] 1/2/2009 3:04:23 AM |
Specter All American 6575 Posts
okay, I just ssh'd into a remote computer and just tried port scanning my own IP with nmap and I'm getting nothing... so can I assume my firewall is blocking outside access to my ports? 1/2/2009 3:19:21 AM |
evan All American 27701 Posts
Sure, you can assume anything you like. :p
Most likely, the scans are coming from zombies on a botnet that the owner has sic'd on a known block of dynamic IPs owned by a major ISP. 1/2/2009 4:26:41 AM |
Aficionado Suspended 22518 Posts
That's why I block all of Asia and Eastern Europe 1/2/2009 7:22:16 AM |
split All American 834 Posts
My guess is that it isn't really anything to worry too much about. Looking at the logs, the router doesn't really provide you with any information you can actually use in order to determine what is going on. Take for example the logs for 74.125.67.118:
Quote : | "
2009/01/02 00:52:55 ** Port Scan ** Port scanning from 74.125.67.118 detected
2009/01/02 00:52:57 ** Port Scan ** Port scanning from 74.125.67.118 detected
2009/01/02 00:53:39 ** Port Scan ** Port scanning from 74.125.67.118 detected
2009/01/02 00:53:55 ** Port Scan ** Port scanning from 74.125.67.118 detected
2009/01/02 00:54:09 ** Port Scan ** Port scanning from 74.125.67.118 detected
2009/01/02 00:55:11 ** Port Scan ** Port scanning from 74.125.67.118 detected
2009/01/02 00:59:11 ** Port Scan ** Port scanning from 74.125.67.118 detected
2009/01/02 01:00:41 ** Port Scan ** Port scanning from 74.125.67.118 detected
2009/01/02 01:00:56 ** Port Scan ** Port scanning from 74.125.67.118 detected
2009/01/02 01:15:14 ** Port Scan ** Port scanning from 74.125.67.118 detected
2009/01/02 01:16:14 ** Port Scan ** Port scanning from 74.125.67.118 detected
2009/01/02 01:37:52 ** Port Scan ** Port scanning from 74.125.67.118 detected
2009/01/02 01:38:09 ** Port Scan ** Port scanning from 74.125.67.118 detected
2009/01/02 01:38:22 ** Port Scan ** Port scanning from 74.125.67.118 detected
" |
That is a lot of separate port scans from one IP address in 45 minutes (with two being only 2 seconds apart). If you run P2P software, you can see a lot of inbound traffic that *may* make a less than smart router think that it is seeing a port scan. There are a number of other legitimate possibilities, but it is hard to say exactly what is going on without a more detailed log or traffic dump. 1/4/2009 10:36:35 AM |
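One way to do the per-source triage discussed above on a router log in this format, as an added example that is not part of any poster's message. The function names are hypothetical and the sample entries are constructed with documentation-range addresses; the output only shows which sources repeat and how closely spaced their alerts are, not whether the router's "port scan" label is correct.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches one router "Port Scan" entry; \s+ tolerates entries that were
# pasted run-together or wrapped mid-entry.
ENTRY = re.compile(
    r"(\d{4}/\d{2}/\d{2})\s+(\d{2}:\d{2}:\d{2})\s+\*\*\s+Port\s+Scan\s+\*\*\s+"
    r"Port\s+scanning\s+from\s+(\d{1,3}(?:\.\d{1,3}){3})\s+detected"
)

def summarize(log_text):
    """Group port-scan alerts by source: count, time span, smallest gap (seconds)."""
    seen = defaultdict(list)
    for date, time, src in ENTRY.findall(log_text):
        seen[src].append(datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M:%S"))
    report = {}
    for src, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[src] = {
            "alerts": len(stamps),
            "span_s": (stamps[-1] - stamps[0]).total_seconds(),
            "min_gap_s": min(gaps) if gaps else None,
        }
    return report

def repeat_sources(report, min_alerts=3):
    """Sources that triggered the alert repeatedly, busiest first."""
    hits = [s for s, r in report.items() if r["alerts"] >= min_alerts]
    return sorted(hits, key=lambda s: -report[s]["alerts"])

# Constructed sample in the router's format (documentation-range addresses),
# deliberately run together and wrapped mid-entry; non-scan events are ignored.
SAMPLE = (
    "2009/01/02 00:52:55 ** Port Scan ** Port scanning from 192.0.2.10 detected "
    "2009/01/02 00:52:57 ** Port Scan ** Port scanning from 192.0.2.10 detected "
    "2009/01/02 00:53:28 ** Port Scan ** Port scanning from 198.51.100.7 detected "
    "2009/01/02 00:59:11 ** Port Scan ** Port\nscanning from 192.0.2.10 detected "
    "2009/01/02 01:37:52 ** Port Scan ** Port scanning from 192.0.2.10 detected "
    "2009/01/02 02:31:37 ** Unauthorized HTTP Access ** <IP/TCP> 203.0.113.5:25954 ->> 203.0.113.1:80 "
    "2009/01/02 03:56:51 192.168.2.154 login successful"
)

if __name__ == "__main__":
    rep = summarize(SAMPLE)
    for src in repeat_sources(rep):
        print(src, rep[src])
```

Sources that repeat with gaps of a second or two are the ones worth checking with a reverse DNS or WHOIS lookup and, if the router allows it, a packet capture.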