#1
Hi, I'm using Sygate firewall on a dial-up connection. I'm getting constant port scans on my machine whenever I connect. I contacted the ISP and they told me that it was probably a routine communication by one of their routers... aha... Eircom Ireland for those of you who were wondering what idiots they are.
I know it ain't one of theirs even if it is a mistaken communication because every time I connect it's a different IP address that's scanning me. I backtraced them and they all appear to be local (Irish) addresses. I'm just curious - is it random hackers trying to find an open port and does anyone else encounter this problem?
#2
Quote:
Quite possibly they are right, though this is most likely if it is the same IP.
Quote:
This is possible too... and yes, it happens to everybody who is connected.
#3
There is not much you can do about it. If they disallow running servers on their IPs (read the fine print in your agreement) then they may be port scanning to find people violating their agreement. On the other hand, it could be someone else (that may or may not be part of their network) probing for vulnerable machines. Since you are using a publicly available IP, anyone in the world who is bored enough can probe your IP for vulnerabilities.
#4
Are these full port scans or just certain ports, as they may be viruses/trojans (very common)?
#5
Just got 3 scans from the same IP - the 3 scans ran on different ports:
- 1433, 1025, 6129, 135 and 3410
- 139, 3410, 5554, 445 and 1433
- 135, 1025, 445, 6129 and 139
Is there anything I can use to communicate back to the IPs? I've tried IP messaging but they aren't getting through.
#6
These all look like vulnerability scans.
e.g.:
- 6129 is a port for DameWare (some software with known vulns).
- 135 is the entry port for a number of RPC worms like Blaster & Lovesan.
- 3410 is probably a backdoor called 'OptixPro'.
- 1433 is a MS SQL Server port.
Lots of nice security holes there. Some script kiddie is just scanning you. No big deal.
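To turn post #4's question (a full sweep, or a few specific ports?) and post #6's port-to-service mapping into a check you can run over your own firewall log, here is an added Python example that is not from this thread. It assumes a hypothetical log line format (constructed here; Sygate's real format differs) and uses a constructed sample log with documentation IP addresses.

```python
import re
from collections import defaultdict

# Ports named in posts #5/#6 (135, 1433, 3410, 6129) plus well-known
# Windows-service / worm ports from the same scans, added for completeness.
KNOWN_PORTS = {
    135: "MS RPC endpoint mapper (Blaster/Lovesan entry point)",
    139: "NetBIOS session service", 445: "SMB over TCP",
    1025: "Windows dynamic RPC endpoint", 1433: "MS SQL Server",
    3410: "OptixPro backdoor", 5554: "Sasser worm FTP backdoor",
    6129: "DameWare Mini Remote Control",
}

# Hypothetical log format (constructed for this example, not Sygate's own):
# "<date> <time> BLOCKED <TCP|UDP> <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(r"^\S+ \S+ BLOCKED (?:TCP|UDP) (?P<src>[\d.]+):\d+ -> "
                     r"[\d.]+:(?P<dport>\d+)$")

def parse_blocked_ports(lines):
    """Map each source IP to the sorted list of destination ports it hit."""
    ports = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines in any other format are ignored
            ports[m["src"]].add(int(m["dport"]))
    return {src: sorted(p) for src, p in ports.items()}

def classify_source(ports, sweep_threshold=100):
    """Post #4's question for one source: a broad sweep, or a targeted
    probe of known service ports?  Returns (label, {port: service})."""
    hits = {p: KNOWN_PORTS[p] for p in ports if p in KNOWN_PORTS}
    if len(ports) >= sweep_threshold:
        return "full sweep", hits
    if hits and len(hits) == len(ports):
        return "targeted vulnerability probe", hits
    return "mixed/unknown", hits

# Constructed sample: one source probing the thread's port list, one stray hit.
SAMPLE_LOG = [
    "2005-03-01 20:14:03 BLOCKED TCP 192.0.2.10:4123 -> 10.0.0.5:1433",
    "2005-03-01 20:14:03 BLOCKED TCP 192.0.2.10:4124 -> 10.0.0.5:1025",
    "2005-03-01 20:14:04 BLOCKED TCP 192.0.2.10:4125 -> 10.0.0.5:6129",
    "2005-03-01 20:14:04 BLOCKED TCP 192.0.2.10:4126 -> 10.0.0.5:135",
    "2005-03-01 20:14:05 BLOCKED TCP 192.0.2.10:4127 -> 10.0.0.5:3410",
    "2005-03-01 20:20:00 BLOCKED TCP 192.0.2.77:5000 -> 10.0.0.5:8080",
]
if __name__ == "__main__":
    for src, ports in parse_blocked_ports(SAMPLE_LOG).items():
        print(src, *classify_source(ports))
```

A source that hits only ports in the known list is the "few specific ports" case from post #4; the sweep threshold is a constructed heuristic to tune against your own logs.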
#7
This activity is probably by bots/worms on compromised machines. Best thing you can do is not worry about it as long as you've secured your computer. The traffic will be coming from all over the place and you can't do a thing (unless you disconnect entirely from the net.)
Now you know why it only takes 4 minutes for a Windows computer without a firewall to be infected. Your computer without a firewall would soon be attacked and be used to attack others/send spam.
#8
You mentioned MS SQL 1433 port security holes... what kind of holes do you know exist and how can I fix it? Is it recommended to run MS SQL Server with a different port than the standard 1433? Thanks.
#9
There is no reason to have any database directly accessible via the Internet, so any perimeter firewall should block UDP/TCP 1433. You can change the port, btw, but it should still be hidden behind a firewall.
#10
SQL access from outside
But what if I want to allow the SQL users access from outside using tools like Enterprise Manager? Am I making it easy for hackers by allowing this option?
#11
Your users should be using some sort of VPN or terminal server (via an encrypted link). I am pretty sure that Enterprise Manager communication is unencrypted (though I believe the authentication is encrypted), which almost certainly makes it subject to hijacking, and it is generally accepted that it is reasonably straightforward to elevate privileges of any SQL account to the equivalent of DBO/SA and from there, through the use of the right stored procedures, full 0wnership of the machine.
It is your network, though.
#12
Wow.. I had forgotten all about this thread.
Viewing: Dev Shed Forums > System Administration > Security and Cryptography > Constant Port scans