Someone's Busy Scanning

#1 (**permalink**) 10-30-2005, 12:44 PM

My firewall is telling me that someone is scanning my UDP ports 1028,
1030, 1031, 1032, and 4297. Can anyone tell me what's so significant
about those ports, and what would happen if they were left unprotected?

Thanks.

Ron

#2 (**permalink**) 10-30-2005, 02:23 PM

On 30 Oct 2005 04:44:12 -0800, Ron wrote:
> My firewall is telling me that someone is scanning my UDP ports 1028,
> 1030, 1031, 1032, and 4297. Can anyone tell me what's so significant
> about those ports,

http://www.dshield.org//port_report.php?port=
http://isc.sans.org/port_details.php?port=
http://lists.thedatalist.com/portlist/lookup.php?port=

> and what would happen if they were left unprotected?

Leaving any inbound attempt port unprotected is asking for any type of
trouble and can change anytime the malware author/script kiddie wants
to change the payload.

#3 (**permalink**) 10-30-2005, 02:36 PM

Ron wrote:
> My firewall is telling me that someone is scanning my UDP ports 1028,
> 1030, 1031, 1032, and 4297. Can anyone tell me what's so significant
> about those ports, and what would happen if they were left unprotected?
>
> Thanks.
>
> Ron
>
http://www.iana.org/assignments/port-numbers is a good place if you want
to see what certain ports are for, but they can be used for almost any
thing,
and that would answer you second qestion too.

If you don´t now what it is block it, and if you now what it is,
block it any way...well mostley.

Anders

#4 (**permalink**) 10-30-2005, 06:30 PM

In the Usenet newsgroup alt.computer.security, in article
<1130676252.667561.176090@g14g2000cwa.googlegroups .com>, Ron wrote:

>My firewall is telling me that someone is scanning my UDP ports 1028,
>1030, 1031, 1032, and 4297.

Sounds like a "personal firewall" trying to impress you with useless
noise. The 102x/103x crap is typically spammers trying to send pop-up
advertisements (windoze Messenger service). They are not scanning, or
trying to connect or indeed do anything harmful other than getting you
to come to their website and use your credit card to buy some useless
crap. As for 4297 - who knows - it's a userland port that could be
just about anything.

Port numbers are not cast in stone. Certain services use what are known
as "well known ports" by default - so that users can find them. But
just because the well known port for DNS is 53, this does not prevent
someone from using port 53 on their computer for ANY service of any kind.
The Internet Police will not come and arrest him for doing so.

>Can anyone tell me what's so significant about those ports,

They are opportunities for spammers to find stupid customers

>and what would happen if they were left unprotected?

You'd see something that looks like

SYSTEM
ALERT
Windows has encountered an Internal Error
Your windows registry is corrupted.
We recommend a complete system scan.

Visit
http://some.wankers.website
To repair now!

that's the contents of a message seen on a packet sniffer I was using to
investigate a bandwidth problem. It's false for several reasons, first
and most obviously because it suggests going to some website nobody had
ever heard of (doing a whois search revealed the domain had been registered
only 23 hours earlier), and second because the sniffer doesn't run windoze.

There are few services using UDP that are needed. DNS queries (used to
translate hostnames to IP addresses and vice-versa) normally run on UDP
(random port on your side, 53 on the server), and that's about it. A
wide open windoze box is spewing from/to 137-139, and should be taken
off line until the user can figure out how to turn that crap off, but
that's pretty much it.

Old guy

#5 (**permalink**) 10-31-2005, 10:15 AM

Thanks, for the information guys; it is much appreciated and it's nice
to know
my firewall is doing it's job. :-)

Ron

#6 (**permalink**) 11-01-2005, 08:06 PM

In the Usenet newsgroup alt.computer.security, in article
<kladm1des9nkflmr6pl63h092pl1417and@4ax.com>, Jim Watt wrote:

>"Ron" <ryon@quik.com> wrote:

>> it's nice to know my firewall is doing it's job. :-)

>Actually is itsn't its getting you worried about a threat that is not
>there;

I think it was originally posted in 'comp.security.firewalls', but

Their main use is telling the ones who use it that some host in Korea or
Kenya attempted to connect to a trojan that they don't have installed.

>unless those ports are open, ie being listened to by a rogue process on
>your computer, the fact that someone is scanning them is pretty much
>immaterial.

Bottom line - did your firewall block this crap? If yes, then end of story.
If no, then disconnect the computer until it can be configured properly, or
return it to the store as being to complicated for you.

Knowing that some host "attacked" you by attempting to connect to an
unopened port is useless. What are you going to do, call the Internet
Police? Do you have the National Missile Launch Codes and are not
afraid to use them?

>What you really need to know is what is or is not running on your
>machine.

What he said!

Old guy