jefe Premium join:2001-05-19 Northport, NY
·Verizon FIOS
What are these rejected probes?
I see a LOT of the probes identified in the clip of WallWatcher above. Some are from IPs local to my ISP. Some are from all over the world.
I've done some searching and can't find a conclusive answer to what specifically is generating these babies. Can anyone shed some light?
Tnx.
--jeff

x539 join:2003-08-23 Oklahoma City, OK
I'd say that Agobot/Gaobot/Phatbot is a likely suspect.

pcdebb RIP dadkins Premium join:2000-12-03 Tampa, FL
reply to jefe
Yea, I see those all day long, worms just making the rounds.

jefe Premium join:2001-05-19 Northport, NY
What are those ports they're pointing to then? CTX Bridge, Dameware, etc?

Bubba GIT-R-DONE Premium,MVM join:2002-08-19 Around, Us
·Comcast
2 edits
said by jefe : What are those ports they're pointing to then? CTX Bridge, Dameware, etc?
Simply ports associated with those items registered by IANA (Internet Assigned Numbers Authority), or applications that ignore the IANA assignment and use that port for their own illegitimate purposes.
Robin Keir's Port List

EGeezer Go Bobcats Premium join:2002-08-04 Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
reply to jefe
In addition to Bubba's useful link, SANS has a nice page where you can see current information on port usage. Here's the URL that provides a writeup and some reports on port 3127.
»isc.incidents.org/port_details.php?port=3127
If you type in a port number after the = sign, you'll see the report for that number. OR, use the port field on the page.
EG -- Eschew obfuscation

jefe Premium join:2001-05-19 Northport, NY
1 edit
I guess I didn't make my question clear guys. I understand what local ports are.
What I don't understand (I guess) is what that particular worm is trying to do with them.

EGeezer Go Bobcats Premium join:2002-08-04 Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
Well, it's difficult to know exactly what is happening on your particular connection unless you trap the data and analyze it, something that most users don't have the tools and skills to do.
If you have a question on particular pieces of malware, Symantec and others have a great deal of information, including writeups on how they work. The FAQ »Security »What are some web based virus scanners and encyclopedias? has a nice collection of encyclopaedias.
One thing for sure though, your firewall is indeed reducing any probes to nothing more than harmless entries in your log.
EG -- Eschew obfuscation

Bubba GIT-R-DONE Premium,MVM join:2002-08-19 Around, Us
·Comcast
reply to jefe
said by jefe : I guess I didn't make my question clear guys. I understand what local ports are.
What I don't understand (I guess) is what that particular worm is trying to do with them.
The links given are not about local ports per se. For example, WallWatcher rejected a probe to port 6129 from an IP. The WallWatcher software knows that according to IANA the legitimate application that uses that port is DameWare and it reports it as such, BUT that does not mean that's what application/person is probing that port with. Only by sniffing the packets is one able to check that probe out further.

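A small defender-side triage script for exactly the situation Bubba describes, added here as an example (not code from WallWatcher, Link Logger or any poster): it groups rejected probes by destination port, attaches the IANA-registered name purely as a label, counts how many distinct sources fall inside your own ISP's range, and lists sources that hit more than one port. The log layout, the addresses and the ISP prefix 203.0.113.0/24 are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Registered IANA assignments for the ports mentioned in the thread. The name
# only says who registered the port, not what is actually probing it.
IANA_NAMES = {3127: "ctx bridge", 6129: "DameWare"}

# Constructed sample log in a simple WallWatcher-like CSV layout:
# time,action,src_ip,src_port,dst_ip,dst_port,proto (documentation addresses only)
SAMPLE_LOG = """\
2004-05-01 10:02:13,Rejected,203.0.113.7,4321,198.51.100.20,6129,TCP
2004-05-01 10:02:15,Rejected,203.0.113.7,4322,198.51.100.20,3127,TCP
2004-05-01 10:05:40,Rejected,203.0.113.9,1087,198.51.100.20,6129,TCP
2004-05-01 10:09:02,Rejected,192.0.2.55,2201,198.51.100.20,6129,TCP
2004-05-01 10:11:51,Rejected,192.0.2.55,2202,198.51.100.20,3127,TCP
2004-05-01 10:12:10,Accepted,192.0.2.99,53,198.51.100.20,53,UDP
"""

def parse_log(text):
    """Yield (src_ip, dst_port) for every rejected probe in the log text."""
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) != 7 or fields[1] != "Rejected":
            continue  # skip accepted traffic and malformed lines
        yield fields[2], int(fields[5])

def summarize(text, isp_net):
    """Group rejected probes by destination port.

    Returns {port: {"name", "hits", "sources" (sorted), "local"}}, where
    "local" is how many distinct sources sit inside the assumed ISP prefix.
    """
    isp_net = ipaddress.ip_network(isp_net)
    sources, hits = defaultdict(set), defaultdict(int)
    for src, port in parse_log(text):
        sources[port].add(src)
        hits[port] += 1
    return {port: {"name": IANA_NAMES.get(port, "unassigned/unknown"),
                   "hits": hits[port], "sources": sorted(srcs),
                   "local": sum(ipaddress.ip_address(s) in isp_net for s in srcs)}
            for port, srcs in sources.items()}

def multi_port_sources(text):
    """Sources that probed more than one port: typical of a scanning worm."""
    ports = defaultdict(set)
    for src, port in parse_log(text):
        ports[src].add(port)
    return sorted(src for src, p in ports.items() if len(p) > 1)

if __name__ == "__main__":
    for port, info in sorted(summarize(SAMPLE_LOG, "203.0.113.0/24").items()):
        print(f"port {port} ({info['name']}): {info['hits']} probes from "
              f"{len(info['sources'])} hosts, {info['local']} inside the ISP range")
    print("multi-port sources:", multi_port_sources(SAMPLE_LOG))
```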
Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
reply to jefe
You can see what some of the ports are being used for at »www.LinkLogger.com/commonscans.htm as I post captures for some of the more common attacks.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel

jefe Premium join:2001-05-19 Northport, NY
·Verizon FIOS
reply to jefe
Thanks for the replies gents.
Blake...your commonscans site was really what I was looking for. It's all as clear as mud now.
EG....
Yep...I look at those log entries and smirk, and then grimace. I smirk because my firewall is working, and I grimace because I know so many people who don't have any kind of firewall.
And Bubba...
Roger that. I was trying to get a little clearer picture of why those particular ports were being probed. I see it now.
I wish there were some way I could pop an email back to the IPs from where the scans originate saying "Hey...wake up! You're infected! Do something about it!"
--jeff