I've been getting port scans from the same IP address for 3 days. It is not scanning continuously but will usually scan me every 2 hours for a few hours. When I do a whois on the address, it doesn't give much information on who to contact about abuse. I'm thinking that the computer scanning me has been compromised and is looking for other computers to infect. The source port is random, but the local port is not. It scans to see if ports 1075, 3128, 4588, 6588, and 8080 are open. I ran Retina against the machine, and it's running a default install of Apache without much of anything configured. The sequence # of the packets is always 666666, and all have the SYN flag set. Does anybody know of any worms or Trojans that scan for these ports and have these features? Also, if whois doesn't give much information, how can I find out who to contact about this? I've attached some of the packets that I've captured, along with the whois information. Any help is appreciated.

TIA
***PACKET CAPTURES:

Ethernet II (Packet Length: 60)
        Destination:    
        Source:         00-30-f1-2f-39-14
Type: IP (0x0800)
Internet Protocol
        Version: 4
        Header Length: 20 bytes
        Flags:
                .0.. = Don't fragment: Not set
                ..0. = More fragments: Not set
        Fragment offset:0
        Time to live: 236
        Protocol: 0x6 (TCP - Transmission Control Protocol)
        Header checksum: 0x38f2 (Correct)
        Source: 66.230.230.115
        Destination: 192.168.254.156
Transmission Control Protocol (TCP)
        Source port: 5502
        Destination port: 4588
        Sequence number: 666666
        Acknowledgment number: 0
        Header length: 20
        Flags: 
                0... .... = Congestion Window Reduce (CWR): Not set
                .0.. .... = ECN-Echo: Not set
                ..0. .... = Urgent: Not set
                ...0 .... = Acknowledgment: Not set
                .... 0... = Push: Not set
                .... .0.. = Reset: Not set
                .... ..1. = Syn: Set
                .... ...0 = Fin: Not set
        Checksum: 0xa533 (Correct)
        Data (0 Bytes)

Ethernet II (Packet Length: 60)
        Destination:    
        Source:         00-30-f1-2f-39-14
Type: IP (0x0800)
Internet Protocol
        Version: 4
        Header Length: 20 bytes
        Flags:
                .0.. = Don't fragment: Not set
                ..0. = More fragments: Not set
        Fragment offset:0
        Time to live: 236
        Protocol: 0x6 (TCP - Transmission Control Protocol)
        Header checksum: 0x368e (Correct)
        Source: 66.230.230.115
        Destination: 192.168.254.156
Transmission Control Protocol (TCP)
        Source port: 47839
        Destination port: 6588
        Sequence number: 666666
        Acknowledgment number: 0
        Header length: 20
        Flags: 
                0... .... = Congestion Window Reduce (CWR): Not set
                .0.. .... = ECN-Echo: Not set
                ..0. .... = Urgent: Not set
                ...0 .... = Acknowledgment: Not set
                .... 0... = Push: Not set
                .... .0.. = Reset: Not set
                .... ..1. = Syn: Set
                .... ...0 = Fin: Not set
        Checksum: 0x7386 (Correct)
        Data (0 Bytes)

Ethernet II (Packet Length: 60)
        Destination:    
        Source:         00-30-f1-2f-39-14
Type: IP (0x0800)
Internet Protocol
        Version: 4
        Header Length: 20 bytes
        Flags:
                .0.. = Don't fragment: Not set
                ..0. = More fragments: Not set
        Fragment offset:0
        Time to live: 236
        Protocol: 0x6 (TCP - Transmission Control Protocol)
        Header checksum: 0x292d (Correct)
        Source: 66.230.230.115
        Destination: 192.168.254.156
Transmission Control Protocol (TCP)
        Source port: 57845
        Destination port: 8080
        Sequence number: 666666
        Acknowledgment number: 0
        Header length: 20
        Flags: 
                0... .... = Congestion Window Reduce (CWR): Not set
                .0.. .... = ECN-Echo: Not set
                ..0. .... = Urgent: Not set
                ...0 .... = Acknowledgment: Not set
                .... 0... = Push: Not set
                .... .0.. = Reset: Not set
                .... ..1. = Syn: Set
                .... ...0 = Fin: Not set
        Checksum: 0x8959 (Correct)
        Data (0 Bytes)

Ethernet II (Packet Length: 60)
        Destination:    
        Source:         00-30-f1-2f-39-14
Type: IP (0x0800)
Internet Protocol
        Version: 4
        Header Length: 20 bytes
        Flags:
                .0.. = Don't fragment: Not set
                ..0. = More fragments: Not set
        Fragment offset:0
        Time to live: 236
        Protocol: 0x6 (TCP - Transmission Control Protocol)
        Header checksum: 0xb5b6 (Correct)
        Source: 66.230.230.115
        Destination: 192.168.254.156
Transmission Control Protocol (TCP)
        Source port: 52025
        Destination port: 1075
        Sequence number: 666666
        Acknowledgment number: 0
        Header length: 20
        Flags: 
                0... .... = Congestion Window Reduce (CWR): Not set
                .0.. .... = ECN-Echo: Not set
                ..0. .... = Urgent: Not set
                ...0 .... = Acknowledgment: Not set
                .... 0... = Push: Not set
                .... .0.. = Reset: Not set
                .... ..1. = Syn: Set
                .... ...0 = Fin: Not set
        Checksum: 0xa28b (Correct)
        Data (0 Bytes)

Ethernet II (Packet Length: 60)
        Destination:    
        Source:         00-30-f1-2f-39-14
Type: IP (0x0800)
Internet Protocol
        Version: 4
        Header Length: 20 bytes
        Flags:
                .0.. = Don't fragment: Not set
                ..0. = More fragments: Not set
        Fragment offset:0
        Time to live: 236
        Protocol: 0x6 (TCP - Transmission Control Protocol)
        Header checksum: 0x6a51 (Correct)
        Source: 66.230.230.115
        Destination: 192.168.254.156
Transmission Control Protocol (TCP)
        Source port: 45868
        Destination port: 3128
        Sequence number: 666666
        Acknowledgment number: 0
        Header length: 20
        Flags: 
                0... .... = Congestion Window Reduce (CWR): Not set
                .0.. .... = ECN-Echo: Not set
                ..0. .... = Urgent: Not set
                ...0 .... = Acknowledgment: Not set
                .... 0... = Push: Not set
                .... .0.. = Reset: Not set
                .... ..1. = Syn: Set
                .... ...0 = Fin: Not set
        Checksum: 0xaa9b (Correct)
        Data (0 Bytes)


***Remote Ports Used:
5502
30238
39092
40703
45845
45868
47839
51801
52025
57845

***Local Ports Used:
1075
3128
4588
6588
8080



***WHOIS:
Neucom, Inc. NEUCOM (NET-66-230-192-0-1) 
                                  66.230.192.0 - 66.230.239.255
NetTuner Corporation (Webmasters.com) WEBMASTERS-20031402 (NET-66-230-230-0-1) 
                                  66.230.230.0 - 66.230.230.255

# ARIN WHOIS database, last updated 2003-06-24 21:05
# Enter ? for additional hints on searching ARIN's WHOIS database.
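Added example, not code from the original post: the traits the poster picked out of the captures above (SYN-only segments, a constant sequence number of 666666, random source ports, a fixed set of destination ports, TTL 236) are exactly the kind of fingerprint you can check mechanically and turn into a detection rule. The script below parses the text dump format shown above (one "Ethernet II" block per packet), extracts those traits, estimates hop distance from the TTL, and emits a Snort-style rule. Two caveats it encodes: a real TCP stack picks a fresh initial sequence number per connection, so a constant one indicates hand-crafted packets from a scanning tool rather than an OS stack; and the hop estimate (TTL 236 is consistent with an initial TTL of 255 and about 19 hops) is an inference, since a raw-socket tool can set any TTL it likes. The port list is taken from the post's "Local Ports Used"; of those, 3128 (Squid's default) and 8080 are well-known HTTP proxy ports. The sample dump is an excerpt of the posted captures trimmed to the fields the parser reads, and the Snort sid is an assumption chosen from the local range.

```python
"""Fingerprint the scan in the post from its text packet dump.

Added example, not code from the original post. Parses the dump format
shown above, checks the traits the poster noticed (SYN-only, constant
sequence number, random source ports, fixed destination-port set),
estimates hop distance from the TTL and emits a Snort-style rule.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Destination ports listed in the post under "Local Ports Used".
SCAN_PORTS = frozenset({1075, 3128, 4588, 6588, 8080})
# Initial TTLs most IP stacks start from; used only for a hop estimate.
INITIAL_TTLS = (64, 128, 255)

# Excerpt of the posted captures, trimmed to the fields parsed below.
SAMPLE_DUMP = """\
Ethernet II (Packet Length: 60)
        Destination:
        Source:         00-30-f1-2f-39-14
        Time to live: 236
        Source: 66.230.230.115
        Destination: 192.168.254.156
        Source port: 5502
        Destination port: 4588
        Sequence number: 666666
                ...0 .... = Acknowledgment: Not set
                .... ..1. = Syn: Set
Ethernet II (Packet Length: 60)
        Time to live: 236
        Source: 66.230.230.115
        Destination: 192.168.254.156
        Source port: 47839
        Destination port: 6588
        Sequence number: 666666
                ...0 .... = Acknowledgment: Not set
                .... ..1. = Syn: Set
"""


@dataclass(frozen=True)
class Probe:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ttl: int
    flags: frozenset  # names of TCP flags the dump reports as "Set"


_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_FIELDS = {
    "src":   re.compile(r"Source:\s+" + _IP),        # skips the MAC "Source:"
    "dst":   re.compile(r"Destination:\s+" + _IP),   # skips the blank MAC line
    "sport": re.compile(r"Source port:\s+(\d+)"),
    "dport": re.compile(r"Destination port:\s+(\d+)"),
    "seq":   re.compile(r"Sequence number:\s+(\d+)"),
    "ttl":   re.compile(r"Time to live:\s+(\d+)"),
}
# "= Syn: Set" matches; "= Acknowledgment: Not set" does not.
_FLAG_SET = re.compile(r"=\s*([^:\n]+):\s*Set\s*$", re.M)


def parse_dump(text: str) -> list[Probe]:
    """Split a text dump into one Probe per "Ethernet II" block."""
    probes = []
    for block in re.split(r"(?m)^Ethernet II", text)[1:]:
        v = {}
        for name, rx in _FIELDS.items():
            m = rx.search(block)
            if m is None:
                raise ValueError(f"field {name!r} missing from packet block")
            v[name] = m.group(1)
        flags = frozenset(f.strip() for f in _FLAG_SET.findall(block))
        probes.append(Probe(v["src"], v["dst"], int(v["sport"]), int(v["dport"]),
                            int(v["seq"]), int(v["ttl"]), flags))
    return probes


def estimate_hops(ttl: int) -> tuple[int, int]:
    """Guess the initial TTL as the smallest common value >= the observed
    one and return (initial_ttl, hops). An inference only: a crafted-packet
    tool can set any TTL it likes."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl


def fingerprint(probes: list[Probe]) -> dict:
    """Summarise the traits that make these packets look like one scanner."""
    if not probes:
        raise ValueError("no packets")
    syn_only = [p for p in probes if p.flags == {"Syn"}]
    seq, n = Counter(p.seq for p in probes).most_common(1)[0]
    dports = {p.dport for p in probes}
    return {
        "sources": sorted({p.src for p in probes}),
        "syn_only": len(syn_only) == len(probes),
        # A real stack picks a fresh ISN per connection; a constant one
        # means the packets are hand-crafted by a tool.
        "constant_seq": seq if n == len(probes) else None,
        "random_sports": len({p.sport for p in probes}) == len(probes),
        "dports": sorted(dports),
        "within_posted_set": dports <= SCAN_PORTS,
        "hops": sorted({estimate_hops(p.ttl) for p in probes}),
    }


def snort_rule(seq: int, ports, sid: int = 1000001) -> str:
    """Snort-style rule for the fingerprint (sid from the local range is an
    assumption for this example; adjust to your own numbering)."""
    plist = ",".join(str(p) for p in sorted(ports))
    return (f'alert tcp any any -> $HOME_NET [{plist}] '
            f'(msg:"SYN probe with constant seq {seq}"; flags:S; seq:{seq}; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    fp = fingerprint(parse_dump(SAMPLE_DUMP))
    for key, val in fp.items():
        print(f"{key:>18}: {val}")
    if fp["constant_seq"] is not None:
        print(snort_rule(fp["constant_seq"], fp["dports"]))
```

Run it against a larger dump by replacing SAMPLE_DUMP with the full capture text; `within_posted_set` flips to False as soon as the scanner touches a port outside the five in the post, and `constant_seq` drops to None if any packet carries a different sequence number, which is the quickest way to tell whether later traffic from the same address is the same tool.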

