Sonicwall "possible port scan" Help!

on 21.05.2007 16:31:55 by kastnna

Hi all,

Our office has a SonicWall TZ 170 firewall that is setup to send
attempted attacks and regular event logs to my email address.

I routinely receive a dozen or so notices a day that seem relatively
benign (unhandled packets and such). About 5 days ago, I began
receiving emails by the hundreds a day! They are all as follows:

05/21/2007 08:35:28.464 - Probable port scan dropped -
67.185.175.xxx, 58610, WAN - 70.147.xxx.xxx, 32793, WAN - TCP
scanned port list, 1275, 20329, 16091, 14817, 12963, 1233, 55485,
36531, 53375, 13247

The second IP address listed is our IP address. I don't recognize the
first IP address, but it is always one of two different IP addresses.
The port numbers change every time. Any idea what is causing this and
why it just started recently?

It is entirely possible that some of the employees have installed new
software on their machines, but I am positive that no one has recently
altered the firewall settings (I have the only access, but have not
used it in months).

I'm new to firewalls and servers, so please bear with me. Thanks in
advance for the help!

Nate

Re: Sonicwall "possible port scan" Help!

on 22.05.2007 08:09:50 by Mak

kastnna wrote:
> Hi all,
>
> Our office has a SonicWall TZ 170 firewall that is setup to send
> attempted attacks and regular event logs to my email address.
>
> I routinely receive a dozen or so notices a day that seem relatively
> benign (unhandled packets and such). About 5 days ago, I began
> receiving emails by the hundreds a day! They are all as follows:

Fine-tune what is being mailed to you (e.g. user logins, system errors...). Also, I seem to remember that you can set it to
"once a day" as opposed to every incident.

> 05/21/2007 08:35:28.464 - Probable port scan dropped -
> 67.185.175.xxx, 58610, WAN - 70.147.xxx.xxx, 32793, WAN - TCP
> scanned port list, 1275, 20329, 16091, 14817, 12963, 1233, 55485,
> 36531, 53375, 13247
>
> The second IP address listed is our IP address. I don't recognize the
> first IP address, but it is always one of two different IP addresses.

It's the address of the scanner.
> The port numbers change every time. Any idea what is causing this and
> why it just started recently?

It's a port scan, and you shouldn't worry about it.
>
> It is entirely possible that some of the employees have installed new
> software on their machines, but I am positive that no one has recently
> altered the firewall settings (I have the only access, but have not
> used it in months).

I doubt your employees have anything to do with it.
> I'm new to firewalls and servers so please bear with me. Thanks in
> advance for the help!
If this is your designated job, you should start to get into all these issues - and get your users under control.

> Nate

M

Re: Sonicwall "possible port scan" Help!

on 22.05.2007 15:00:42 by RedForeman

On May 21, 10:31 am, kastnna wrote:
> Hi all,
>
> Our office has a SonicWall TZ 170 firewall that is setup to send
> attempted attacks and regular event logs to my email address.
>
> I routinely receive a dozen or so notices a day that seem relatively
> benign (unhandled packets and such). About 5 days ago, I began
> receiving emails by the hundreds a day! They are all as follows:
>
> 05/21/2007 08:35:28.464 - Probable port scan dropped -
> 67.185.175.xxx, 58610, WAN - 70.147.xxx.xxx, 32793, WAN - TCP
> scanned port list, 1275, 20329, 16091, 14817, 12963, 1233, 55485,
> 36531, 53375, 13247
>
> The second IP address listed is our IP address. I don't recognize the
> first IP address, but it is always one of two different IP addresses.
> The port numbers change every time. Any idea what is causing this and
> why it just started recently?
>
> It is entirely possible that some of the employees have installed new
> software on their machines, but I am positive that no one has recently
> altered the firewall settings (I have the only access, but have not
> used it in months).
>
> I'm new to firewalls and servers so please bear with me. Thanks in
> advance for the help!
>
> Nate

IMO, if you are a network admin, you might want to do some research,
reading and some classes to get enough under your belt so that you're
answering questions here instead of asking them... no offense
meant.... everyone had to start somewhere, right?

At any given time, there are multiple 'scans' going on over the net...
some southeast asia pacific areas are heavily snooping the world,
scanning every IP that they can, and even worse...

I would agree with mak, tailor your logs a bit and you'll probably not
get as much 'noise' as you're getting... btw, you can't do much about
external scans unless they impede your ability to surf or conduct
business....

RedForeman

Re: Sonicwall "possible port scan" Help!

on 22.05.2007 21:47:26 by ibuprofin

On 21 May 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1179757915.060514.276570@r3g2000prh.googlegroups.com>, kastnna wrote:

>Our office has a SonicWall TZ 170 firewall that is setup to send
>attempted attacks and regular event logs to my email address.
>
>I routinely receive a dozen or so notices a day that seem relatively
>benign (unhandled packets and such). About 5 days ago, I began
>receiving emails by the hundreds a day!

Sigh...

>They are all as follows:
>
>05/21/2007 08:35:28.464 - Probable port scan dropped -
^^^^^^^^^^^^^^^^^^^^^^^^^^

The "firewall" worked. Now, why are you wasting time pursuing the
matter? Do you think there is an Internet Police that will go to the
house where the packets came from, and kick the owner into the slammer?

>67.185.175.xxx, 58610, WAN - 70.147.xxx.xxx, 32793, WAN

67.185.175.xxx is comcast - ARIN says "SPOKANE-7", but an address in
that range looks more like Northeastern Oregon. 70.147.xxx.xxx (your
headers say 70.147.172.151) is a BellSouth address in the Montgomery,
Alabama area. Looks quite normal for windoze zombie box looking for a
playmate. You _could_ complain to abuse@comcast.net, but my experience
is that an auto-ignore-bot will return an acknowledgement of your mail,
and toss it into the bit-bucket. Is there any particular reason you
need to allow connections from a residential host 2000 miles away?

>The second IP address listed is our IP address. I don't recognize the
>first IP address, but it is always one of two different IP addresses.

1118 Hitchhikers guide to the Internet. E. Krol. September 1989.
(Format: TXT=62757 bytes) (Status: INFORMATIONAL)

1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. January 1991.
(Format: TXT=65494 bytes) (Status: INFORMATIONAL)

Two RFCs - the search engine you are posting from should find copies in a
few seconds if you look for 'RFC1118' and 'RFC1180'.

>The port numbers change every time. Any idea what is causing this and
>why it just started recently?

Hard to say on such limited information - may well just be your turn in
the barrel. Most of us don't even bother logging such Internet noise.
It got dropped/blocked - ignore it.

>It is entirely possible that some of the employees have installed new
>software on their machines

And the reason you allow your employees to install unknown software on
company owned computers is what exactly?

>but I am positive that no one has recently altered the firewall
>settings (I have the only access, but have not used it in months).

Someone may have installed some malware, or a VOIP service, or be
surfing pr0n sites (especially if you've given them administrative
rights because it's too hard to configure the computers in a sane
manner otherwise), but the fact that it's a single _remote_ port at
any given scan coming to multiple (seemingly random) local ports
suggests the scans were initiated from the remote site.

>I'm new to firewalls and servers so please bear with me.

If you allow your users to install anything on company systems, and
don't know what a port scan is and why it may occur, you are going
to be having a horrible time playing catch-up. You may wish to check
with your local educational establishments and see if any are offering
continuing education classes in computer networks. Ignore the official
microsoft classes, as much of the material in them is (at the very
least) mis-interpreted, and often flat-out wrong. In spite of the fairy
tales in the microsoft advertisements, they could not care less if you
go out of business because of security lapses on their part, because you
waived _all_ legal rights when you installed their software.

Old guy
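
The two practical suggestions in this thread, Mak's "summarize once a day instead of a mail per event" and ibuprofin's rule of thumb that a single fixed remote source port spraying many local ports means the scan started at the remote end, can be turned into a small script that reads the TZ 170 log lines and produces a per-source digest. This is an added example for the thread, not code from the original posts or from SonicWall. The field order is assumed from the single log line kastnna quoted; the sample lines are constructed, use RFC 5737 documentation addresses instead of the real hosts, and are assumed to be in chronological order; the threshold of three distinct local ports for calling something a scan is an assumption.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines in the format of the single TZ 170 line quoted in
# the thread. Addresses are RFC 5737 documentation ranges, not the real hosts.
# 192.0.2.10 keeps one source port and walks many local ports; 192.0.2.77
# changes source port between events; the "Unhandled packet" line is not a
# port-scan event and must be skipped.
SAMPLE_LOG = """\
05/21/2007 08:35:28.464 - Probable port scan dropped - 192.0.2.10, 58610, WAN - 198.51.100.7, 32793, WAN - TCP scanned port list, 1275, 20329, 16091, 14817, 12963, 1233, 55485, 36531, 53375, 13247
05/21/2007 08:41:02.110 - Probable port scan dropped - 192.0.2.10, 58610, WAN - 198.51.100.7, 40211, WAN - TCP scanned port list, 4431, 28011, 61004, 1999, 33117
05/21/2007 09:02:17.002 - Probable port scan dropped - 192.0.2.77, 6881, WAN - 198.51.100.7, 1024, WAN - TCP scanned port list, 1025, 1026, 1027
05/21/2007 09:03:40.518 - Probable port scan dropped - 192.0.2.77, 6882, WAN - 198.51.100.7, 1028, WAN - TCP scanned port list, 1029, 1030
05/21/2007 09:15:44.900 - Unhandled packet dropped - 10.0.0.5, 137, LAN - 198.51.100.7, 137, WAN
05/21/2007 11:07:51.330 - Probable port scan dropped - 192.0.2.10, 58610, WAN - 198.51.100.7, 2049, WAN - TCP scanned port list, 7, 9, 13, 17, 19, 21
"""

# Field order assumed from the quoted line:
# <timestamp> - <message> - <src ip>, <src port>, <src iface> - <dst ip>, <dst port>, <dst iface> - <details>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - (?P<msg>.+?) - "
    r"(?P<src_ip>[\d.]+), (?P<src_port>\d+), (?P<src_if>\w+) - "
    r"(?P<dst_ip>[\d.]+), (?P<dst_port>\d+), (?P<dst_if>\w+)"
    r"(?:\s*-\s*(?P<detail>.*))?$"
)
PORT_LIST_RE = re.compile(r"scanned port list,\s*(.*)$")
SCAN_MSG = "Probable port scan dropped"


@dataclass
class ScanEvent:
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    scanned_ports: list[int]


def parse_line(line: str) -> ScanEvent | None:
    """Parse one log line; return a ScanEvent for port-scan drops, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("msg") != SCAN_MSG:
        return None
    pm = PORT_LIST_RE.search(m.group("detail") or "")
    ports = [int(p) for p in re.findall(r"\d+", pm.group(1))] if pm else []
    return ScanEvent(m.group("ts"), m.group("src_ip"), int(m.group("src_port")),
                     m.group("dst_ip"), int(m.group("dst_port")), ports)


@dataclass
class SourceSummary:
    events: int = 0
    first: str = ""
    last: str = ""
    src_ports: set[int] = field(default_factory=set)
    local_ports: set[int] = field(default_factory=set)

    def remote_initiated(self, min_local_ports: int = 3) -> bool:
        """ibuprofin's rule: one fixed remote source port hitting several local
        ports points at a scan started from the remote end. The threshold of
        three distinct local ports is an assumption for this example."""
        return len(self.src_ports) == 1 and len(self.local_ports) >= min_local_ports


def summarize(lines) -> dict[str, SourceSummary]:
    """Collapse per-event log lines into one summary per remote source."""
    by_src: dict[str, SourceSummary] = defaultdict(SourceSummary)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = by_src[ev.src_ip]
        s.events += 1
        s.first = s.first or ev.ts
        s.last = ev.ts
        s.src_ports.add(ev.src_port)
        s.local_ports.add(ev.dst_port)          # the port that triggered the event
        s.local_ports.update(ev.scanned_ports)  # plus the listed scanned ports
    return dict(by_src)


def digest(lines) -> list[str]:
    """One row per source, busiest first: the once-a-day view instead of a mail per event."""
    rows = []
    for src, s in sorted(summarize(lines).items(), key=lambda kv: (-kv[1].events, kv[0])):
        verdict = ("single remote port fanning out: remote-initiated scan, nothing to chase"
                   if s.remote_initiated()
                   else "remote port varies: does not fit a plain remote scan, look at the LAN side")
        rows.append(f"{src}: {s.events} events {s.first}..{s.last}, "
                    f"{len(s.src_ports)} source port(s), {len(s.local_ports)} local ports, {verdict}")
    return rows


if __name__ == "__main__":
    for row in digest(SAMPLE_LOG.splitlines()):
        print(row)
```

Feed it a day's worth of the mailed log lines (or the syslog export) and you get two rows for the sample instead of six mails; on real logs, a source that keeps one port and walks dozens of yours is the background-noise case the replies describe, while a source whose port changes every event is worth correlating with what the LAN host was doing at that time.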

Re: Sonicwall "possible port scan" Help!

on 06.06.2007 15:04:19 by kastnna

Thanks for the help.