[Snort-users] (portscan) Open Port:



Posted 09-07-2006 by Mark Rohrbeck

[Snort-users] (portscan) Open Port:

Hi all,



I am getting thousands of these portscans (below are 3 examples). They are
basically all from my Exchange server to different IP addresses, mainly on
port 25; I have noticed a few on 53 too. They are all going to addresses on
the internet and I am not sure if I should be concerned or not; they are
happening continuously all through the day.



If I can offer any more information please let me know. I would really like
to get to the bottom of this; I have googled away and found similar posts but
no answers.



When I click on the link to Snort it says:

GEN:SID   1:27
Message   Sorry, no such sid-gen (1:27)

Any help greatly appreciated.

ID              Signature                         Timestamp            Source -> Destination            Proto
#624-(3-21094)  [snort] (portscan) Open Port: 25  2006-09-06 06:08:36  192.168.41.129 -> 67.15.52.7     Raw IP
#625-(3-21091)  [snort] (portscan) Open Port: 25  2006-09-06 06:08:35  192.168.41.129 -> 70.84.128.20   Raw IP
#626-(3-21092)  [snort] (portscan) Open Port: 25  2006-09-06 06:08:35  192.168.41.129 -> 67.15.143.14   Raw IP

(The [snort] link in each row is http://www.snort.org/pub-bin/sigs.cgi?sid=27.)

Thanks


_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
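As an added example (not part of the original post), a small Python triage script over the three alerts above plus a few constructed extras. It resolves the generator:sid pair the way Snort's gen-msg.map does (sfPortscan alerts are generator 122, so "Open Port" is 122:27, which is why snort.org had no signature 1:27), then groups alerts by source and verdict so that a known mail relay reaching port 25 can be told apart from anything else. The relay address and the expected outbound ports are assumptions for the example.

```python
"""Triage of Snort sfPortscan "(portscan) Open Port" alerts from a mail relay.

Added example, not from the original post. The relay list, expected ports and
the extra sample rows are assumptions constructed for this example.
"""
from collections import defaultdict

# sfPortscan alert names keyed by (generator, sid), as listed in gen-msg.map.
SFPORTSCAN_NAMES = {
    (122, 1): "(portscan) TCP Portscan",
    (122, 27): "(portscan) Open Port",
}

# Constructed sample alerts: the three rows from the post plus constructed
# extras. Fields: (gen, sid, open_port, timestamp, src, dst).
SAMPLE_ALERTS = [
    (122, 27, 25, "2006-09-06 06:08:36", "192.168.41.129", "67.15.52.7"),
    (122, 27, 25, "2006-09-06 06:08:35", "192.168.41.129", "70.84.128.20"),
    (122, 27, 25, "2006-09-06 06:08:35", "192.168.41.129", "67.15.143.14"),
    (122, 27, 53, "2006-09-06 06:08:40", "192.168.41.129", "192.0.2.53"),   # constructed
    (122, 27, 445, "2006-09-06 06:08:41", "192.168.41.129", "192.0.2.77"),  # constructed
    (122, 27, 25, "2006-09-06 06:08:42", "192.168.41.200", "192.0.2.99"),   # constructed
]

# Assumed for the example: the Exchange relay and the ports it may reach outbound.
KNOWN_RELAYS = {"192.168.41.129"}
EXPECTED_OUTBOUND_PORTS = {25, 53}


def describe(gen, sid):
    """Return the alert name for gen:sid, or None when no such pair exists
    (BASE reported 1:27, but sfPortscan alerts live under generator 122)."""
    return SFPORTSCAN_NAMES.get((gen, sid))


def classify(alert):
    """Verdict for one alert: expected relay traffic, or something to review."""
    gen, sid, port, _ts, src, _dst = alert
    if (gen, sid) != (122, 27):
        return "other"
    if src not in KNOWN_RELAYS:
        return "unknown-source"
    return "expected" if port in EXPECTED_OUTBOUND_PORTS else "unexpected-port"


def triage(alerts):
    """Group by (source, verdict): alert count, distinct destinations, ports.
    Many distinct destinations on port 25 from the relay is what an MTA
    delivering mail looks like; the other buckets deserve a look."""
    buckets = defaultdict(lambda: {"alerts": 0, "dsts": set(), "ports": set()})
    for alert in alerts:
        b = buckets[(alert[4], classify(alert))]
        b["alerts"] += 1
        b["dsts"].add(alert[5])
        b["ports"].add(alert[2])
    return {k: {"alerts": v["alerts"], "destinations": len(v["dsts"]),
                "ports": sorted(v["ports"])} for k, v in buckets.items()}


def needs_review(alerts):
    """(source, verdict) keys that are not routine relay traffic."""
    return sorted(k for k in triage(alerts) if k[1] != "expected")
```

Once the relay's outbound SMTP is confirmed legitimate, sfPortscan's ignore_scanners option can exclude that host from scan detection rather than leaving the alerts to pile up.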

