SANS ISC: Help with odd port scans - SANS Internet Storm Center SANS ISC InfoSec Forums

Help with odd port scans

I have to admit, I've gotten a little lazy about reading through my firewall logs on my home machine every day, but today, I was looking back through my daily reports for the last 2 weeks and noticed a couple of odd port scans. I've been getting these scans from multiple IPs (2-4 of each per day) every day for that period. I'll put up a netcat listener this evening to see if I can get some packets, but I was wondering if any of our loyal readers had any idea what is going on here? Based on some of the ports being scanned, I'm guessing they are looking for open proxies to use as relays, among other things, but some of those ports are new to me. Has anyone else seen them or know what they are actually looking for?

    From - 252 packets
       To my.home.machine - 252 packets
          Service: snmp (udp/161) (IPTABLES UDP-IN:) - 36 packets
          Service: 3389 (tcp/3389) (IPTABLES TCP-IN:) - 54 packets
          Service: 5900 (tcp/5900) (IPTABLES TCP-IN:) - 54 packets
          Service: http-alt (tcp/8080) (IPTABLES TCP-IN:) - 54 packets
          Service: 40080 (tcp/40080) (IPTABLES TCP-IN:) - 54 packets

    From - 32 packets
       To my.home.machine - 32 packets
          Service: 73 (tcp/73) (IPTABLES TCP-IN:) - 1 packet
          Service: socks (tcp/1080) (IPTABLES TCP-IN:) - 1 packet
          Service: 2301 (tcp/2301) (IPTABLES TCP-IN:) - 1 packet
          Service: 2479 (tcp/2479) (IPTABLES TCP-IN:) - 2 packets
          Service: 3128 (tcp/3128) (IPTABLES TCP-IN:) - 2 packets
          Service: 3246 (tcp/3246) (IPTABLES TCP-IN:) - 3 packets
          Service: 6588 (tcp/6588) (IPTABLES TCP-IN:) - 1 packet
          Service: 8000 (tcp/8000) (IPTABLES TCP-IN:) - 2 packets
          Service: 8085 (tcp/8085) (IPTABLES TCP-IN:) - 4 packets
          Service: 8090 (tcp/8090) (IPTABLES TCP-IN:) - 2 packets
          Service: 8118 (tcp/8118) (IPTABLES TCP-IN:) - 1 packet
          Service: 9000 (tcp/9000) (IPTABLES TCP-IN:) - 4 packets
          Service: 9090 (tcp/9090) (IPTABLES TCP-IN:) - 4 packets
          Service: 9415 (tcp/9415) (IPTABLES TCP-IN:) - 2 packets
          Service: 27977 (tcp/27977) (IPTABLES TCP-IN:) - 2 packets

Jim Clausing, GSE #26
jclausing --at-- isc [dot] sans (dot) org

423 Posts
ISC Handler
Nov 24th 2010
The 252 packet sample appears to be a search for standard remote access, web, and snmp ports. Normal noise. But was the second scan coming from IPs on a Chinese IP block? I see this port scan pattern all day long on various networks, particularly Comcast broadband networks, usually sourced from China, but occasionally from sites in Europe. Any chance the source port is 12200 or 6000?

57 Posts
looks pretty ordinary as far as scans go - just snooping I'd say.

15 Posts
I see such traffic all the day around. These are port scans from different IPs all around the world, mainly from China, Brazil and Russia. The source ports also include 11000 & 14000. I also see horizontal & vertical port scans on port 1433 (SQL) & 10000 (Veritas remote backup). The best way is to block these IPs at the border router so that they do not even reach the firewall for a period of around 30 days.

14 Posts
Yup, many of the source ports are 12200

423 Posts
ISC Handler
Yeah, I am mostly just wondering what they were looking for on, for example, tcp 73, tcp 2301, or tcp 40080. Are those standard proxy ports? I also thought the SNMP along with the remote access was an odd combination.

423 Posts
ISC Handler
I don't believe they're typically used. If I remember, I've seen 2301 and 40080 in reference to network gaming ports.

1 Posts
Those scans are probably looking for open proxies, different servers (tomcat, sql etc. control panel ports), voip and some other stuff like that.
I see that every day on all my web servers.

Also I checked what Google said about that 12200 source port and found one interesting line on one discussion board:
"I guess it may be possible that someone is using ghostsurf to attempt to use someone else's ghostsurf open proxy installation as part of a multilayer proxy."
So maybe just normal scanning all around.

2 Posts
Source port 12200 is definitely Ghostsurf but seems to have load balancing capabilities too. My firewall was getting pummeled from China on that port... destination ports were almost always the usual remote access ports you showed, Jim. Those who say China isn't up to something are seriously nuts.

65 Posts
Agreed. Even though the government of China certainly isn't behind all of it, or probably even much of it, they still run all external traffic through the Great Firewall of China. At a minimum I'm sure they're passively logging all attacks going outbound, logging whether they were successful and building a catalog of vulnerable systems for possible future use.

Just like other governments around the world are doing. :-)

3389 is Windows RDP and 5900 is default for VNC.

Yup, and 3128 is the default for the Squid web proxy.

423 Posts
ISC Handler
TCP 73 is used by net remote job service
TCP 2301 is used by HP Compaq remote diagnostic management tool
TCP 40080 is apparently used by Mercury Messenger and webcam

Draw your own conclusions, but IP blocking is relatively ineffective. When you block by IP or even subnet, the attacks/probes move to another source subnet within a matter of hours in most cases. Nor are they all sourced from China; I've seen them from Scotland, Gr. Britain, France, Romania, and even the US, however the vast majority (98 percent or better) are sourced from China. But the fact that there are sources outside of China indicates a wider network of attack sources or a tool distributed to multiple parties.


57 Posts
IP blocking is relatively ineffective, I agree. I have stopped attacks against FTP sites by blocking whole countries' IP ranges. After reading this I came up with an idea. For home networks, what harm could there be in blocking all countries except for the one you are actually in? How much of your home Internet browsing is global?
It's a concept I've been thinking about for a while. Home firewalls/routers that come locked down forcing the user to open up only what they need. A simple setup question, what country are you in?
Microsoft did a similar thing with their servers a while ago and it did help. There are far less mis-configured IIS servers running today than there used to be.

14 Posts
For a home network you might want to also block all of the fine web hosting firms in the US and offshore. Chances of breaking things - on a home network - by redirecting packets (to your choice of $foo) originating on SRC port 12200 are minimal. If that's something that interests you :)

3 Posts
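Pulling the thread together (the vertical scans across remote-access/proxy ports, and the fixed source port 12200 several posters mention), here is an added example of a small triage script that is not part of the original thread or of any ISC tool: it parses raw iptables LOG lines in the "IPTABLES TCP-IN:" / "IPTABLES UDP-IN:" prefix style behind Jim's report, groups them by source, and flags sources that probe several ports, hit the proxy ports named in the posts, or use only source port 12200. The sample log lines, the addresses and the proxy port list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines in the "IPTABLES TCP-IN:" / "IPTABLES UDP-IN:"
# prefix style behind the report above; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
IPTABLES TCP-IN: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=3389 SYN
IPTABLES TCP-IN: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=5900 SYN
IPTABLES TCP-IN: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=8080 SYN
IPTABLES TCP-IN: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=40080 SYN
IPTABLES UDP-IN: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=12200 DPT=161
IPTABLES TCP-IN: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=41022 DPT=1080 SYN
IPTABLES TCP-IN: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=41023 DPT=3128 SYN
IPTABLES TCP-IN: IN=eth0 SRC=198.51.100.50 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
"""

# Destination ports the thread associates with open-proxy hunting (assumed list, built
# from the posts above) and the source port it ties to GhostSurf-style scanners.
PROXY_PORTS = {1080, 3128, 6588, 8000, 8080, 8085, 8090, 8118, 9000, 9090}
GHOSTSURF_SPT = 12200
LINE_RE = re.compile(r"SRC=(\S+) .*?PROTO=(TCP|UDP) SPT=(\d+) DPT=(\d+)")


def summarize(log_text):
    """Group blocked inbound packets by source: (proto, dport) pairs and source ports."""
    per_src = defaultdict(lambda: {"dst_ports": set(), "src_ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IPTABLES LOG line (or a truncated one)
        src, proto, spt, dpt = m.groups()
        per_src[src]["dst_ports"].add((proto, int(dpt)))
        per_src[src]["src_ports"].add(int(spt))
    return per_src


def classify(log_text, min_ports=3):
    """Return {src: [reasons]} for sources that look like scans, not one-off noise."""
    findings = {}
    for src, info in summarize(log_text).items():
        reasons = []
        ports = {p for _, p in info["dst_ports"]}
        if len(info["dst_ports"]) >= min_ports:
            reasons.append("vertical scan: %d ports" % len(info["dst_ports"]))
        if ports & PROXY_PORTS:
            reasons.append("proxy ports: %s" % sorted(ports & PROXY_PORTS))
        if info["src_ports"] == {GHOSTSURF_SPT}:
            reasons.append("fixed source port %d" % GHOSTSURF_SPT)
        if reasons:
            findings[src] = reasons
    return findings
```

Feed it `/var/log/kern.log` (or wherever the LOG target writes) instead of `SAMPLE_LOG`; the single-port source 198.51.100.50 is left out of the findings as ordinary noise.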
