howto (posted April 28, 2010):

This morning my firewall logs showed the following:

[28/Apr/2010 06:46:56] PORTSCAN firewall="ns1" hostip="202.170.126.89" hostname="hope.thaivisa.com" log="protocol: TCP, source: 202.170.126.89, destination: 124.121.190.15, ports: 1305, 39478, 57974, 29563, 33170, 23979, 5297, 29618, 13239, 50906, ...

Please look into this.
george (posted April 28, 2010):

I have forwarded this to our sysadmin.
george (posted April 28, 2010):

Looks like DNS traffic. Are you using a third party DNS provider?
howto (posted May 2, 2010):

George, I understand your inference... I do not have a DMZ or any external servers. No sir, I do not use a 3rd party DNS provider. No sir, it is not DNS traffic. I confirmed there is a 202.170.126.89, "hope.thaivisa.com". What is the purpose of this server? DNS servers do NOT do portscans. They resolve queries from clients and answer the question posed. As you know, to portscan is a very big NO NO in the IT world. It is considered an attack upon the client.

My firewall is a dedicated PC with a heavily modded OS; it runs only the firewall software. It is very "locked down". It connects to the WAN via a USB ADSL modem. The firewall has a DNS service; it only accepts queries from a "designated segment" of the internal LAN and will not reply to queries from "outside" the internal LAN. As the request moves from my computer to the firewall, it is NATted, the entry is placed into the NAT table and included in the TCP header, then it is sent on its way. When the reply comes, the TCP header is decoded, approved if it matches the NAT table, and forwarded. It caches positive replies only, not negative replies, as I modified it. If my firewall receives a TCP or UDP packet with no match in the NAT table it will refuse to accept it; if multiple requests are received to open different ports, it is flagged as a portscan. The sender's IP address is in the header; my firewall will resolve it with an RDNS lookup. If successful, it is included in the log entry; if it fails, only the IP address will be in the log entry.

The 1st portscan occurred on [28/Apr/2010 06:46:56]. It was the only one, until this morning [02/May/2010 08:08:27] when I've been hit with 12 scans within 90 minutes. Note my firewall is set to do "minimal" logging. Note in every portscan, "hope.thaivisa.com" is hitting different and random ports.

[02/May/2010 08:08:27] PORTSCAN firewall="ns1" hostip="202.170.126.89" hostname="hope.thaivisa.com" log="protocol: TCP, source: 202.170.126.89, destination: 124.121.185.75, ports: 7430, 22806, 46954, 35695, 64625, 13961, 30371, 18878, 6335, 22773, ...
[02/May/2010 08:12:51] PORTSCAN firewall="ns1" ports: 33313, 42293, 61035, 14446, 43384, 62374, 53931, 33244, 56802, 17399, ...
[02/May/2010 08:15:14] PORTSCAN firewall="ns1" ports: 65024, 13345, 3198, 57997, 38545, 12445, 42434, 49868, 65489, 10732, ...
[02/May/2010 08:24:41] PORTSCAN firewall="ns1" ports: 58898, 41753, 44835, 57929, 56922, 2158, 22902, 53110, 21665, 20673, ...
[02/May/2010 08:28:12] PORTSCAN firewall="ns1" ports: 1543, 48685, 62007, 29498, 56145, 14947, 2675, 3043, 5362, 62706, ...
[02/May/2010 08:37:32] PORTSCAN firewall="ns1" ports: 18453, 55088, 1853, 35903, 7298, 65154, 2692, 8326, 53213, 63709, ...
[02/May/2010 08:46:28] PORTSCAN firewall="ns1" ports: 23855, 22583, 53099, 48512, 5018, 2462, 17581, 14523, 5338, 56814, ...
[02/May/2010 08:49:35] PORTSCAN firewall="ns1" ports: 33294, 52784, 61545, 46469, 37540, 43972, 34758, 6126, 54779, 33278, ...
[02/May/2010 08:58:07] PORTSCAN firewall="ns1" ports: 43276, 31254, 52533, 8822, 1161, 2497, 24273, 57829, 28921, 60926, ...
[02/May/2010 09:27:05] PORTSCAN firewall="ns1" ports: 43283, 55837, 18463, 26939, 2655, 44136, 59267, 12936, 14762, 31426, ...
[02/May/2010 09:36:39] PORTSCAN firewall="ns1" ports: 55829, 37145, 28241, 52058, 63651, 40100, 53924, 13494, 8127, 15563, ...
[02/May/2010 09:45:56] PORTSCAN firewall="ns1" ports: 45844, 10044, 55124, 64092, 20069, 61563, 62615, 18600, 44261, 37876, ...

There are two possibilities...
1 - "hope.thaivisa.com" did portscan my system and continues to do so.
2 - "hope.thaivisa.com" is being spoofed.
In either case it causes concern for both you and me. Perhaps this should be posted in the Internet/Tech forum, and ask some of the other geeks to please monitor their firewall logs. Perhaps a larger problem is present.
howto (posted May 2, 2010):

Thought it was finished, was wrong...

[02/May/2010 11:38:41] PORTSCAN firewall="ns1" hostip="202.170.126.89" hostname="202.170.126.89" log="protocol: TCP, source: 202.170.126.89, destination: 124.121.185.75, ports: 53774, 49441, 19750, 6217, 4437, 62368, 15278, 41158, 29919, 39399, ...
[02/May/2010 11:40:56] PORTSCAN firewall="ns1" ports: 7703, 6186, 56650, 20317, 36984, 17806, 48810, 7598, 47815, 56573, ...
[02/May/2010 11:46:15] PORTSCAN firewall="ns1 ports: 11033, 58415, 53094, 24170, 63083, 44196, 36784, 32979, 1755, 63479, ...
[02/May/2010 11:52:13] PORTSCAN firewall="ns1" ports: 43277, 25877, 53285, 6000, 59270, 34718, 18594, 10705, 20202, 26354, ...
[02/May/2010 12:32:36] PORTSCAN firewall="ns1" ports: 48424, 31316, 11356, 35421, 6526, 39568, 35237, 35272, 13297, 6901, ...
[02/May/2010 13:11:29] PORTSCAN firewall="ns1" ports: 40717, 3876, 42028, 49233, 63614, 39039, 23433, 46528, 15813, 7416, ...

At this point I have totally banned hostip="202.170.126.89" hostname="hope.thaivisa.com". Enough is enough.
angiud (posted May 2, 2010):

If TV were doing something not perfectly legal, why would it do so under the Thaivisa name???
george (posted May 2, 2010):

202.170.126.89 is our content delivery server in Bangkok. It communicates with you because you are browsing the forum. Look at the html source for the page we are at now.
howto (posted May 2, 2010), quoting george: "202.170.126.89 is our content delivery server in Bangkok. It communicates with you because you are browsing the forum. Look at the html source for the page we are at now."

Ok, 202.170.126.89 is a content delivery server in Bangkok. I did examine the html of the page(s). Found nothing pointing to 202.170.126.89. So why am I being portscanned by a content delivery server in Bangkok? Yes, I am making requests (as a guest), it seems to static.thaivisa.com. Actually I see static.thaivisa.com, which is "hanging" on its HTTP replies. I get the content, but the page only completes 50%. I stated no server should be doing portscans. This began happening very recently, and when it did, I brought it to your attention. The first occurrence was a few days ago, and it was only one "hit". Not today; it continues to occur, and the hits have tripled since my previous post.

Umm, George, let's get down to the grass roots. If I start the FW, then my station, then go to www.thaivisa.com/forum... why am I being portscanned by a "content server"? Well, I can offer a suggestion: perhaps I am being redirected, and the TCP header in the reply does not match my NAT table entry. Still, even if it does not, the instance would only happen once... not over, and over, and over. So it seems the TCP header coming from the server I asked for it from does not match the FW NAT table entry of the original request. Hence it is flagged and deleted. This concept still does not explain the numerous portscans. The portscans come at intervals which do NOT coincide with my browsing. I checked that also.
george (posted May 2, 2010):

We use load balance. Nobody is port scanning your computer. Fix your firewall, my friend!
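The disagreement in this thread comes down to one triage question a defender can answer from the log alone: are the flagged packets hitting ports a client would actually serve on, or only random high ports? Late segments from a connection the client itself opened (a load-balanced web server answering after the NAT mapping has already expired, which is the explanation george gives) land on the client's ephemeral source ports, so they look like "random ports above 1023". A genuine probe of a client tends to hit service ports. The script below is an added example, not code from the thread or from Thaivisa: it parses PORTSCAN entries in the format quoted above (the sample is built from three of the quoted lines, abbreviated exactly as the poster abbreviated them), carries the source address forward across the abbreviated entries, and applies that heuristic. The service-port set, the verdict labels and the constructed 203.0.113.5 probe used in the test are assumptions of this example, not anything the thread's firewall does.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample: three PORTSCAN entries quoted in the thread, abbreviated the same
# way the poster abbreviated them (later entries omit hostip/source/destination, and
# every port list is cut off with "...").
SAMPLE_LOG = """\
[02/May/2010 08:08:27] PORTSCAN firewall="ns1" hostip="202.170.126.89" hostname="hope.thaivisa.com" log="protocol: TCP, source: 202.170.126.89, destination: 124.121.185.75, ports: 7430, 22806, 46954, 35695, 64625, 13961, 30371, 18878, 6335, 22773, ...
[02/May/2010 08:12:51] PORTSCAN firewall="ns1" ports: 33313, 42293, 61035, 14446, 43384, 62374, 53931, 33244, 56802, 17399, ...
[02/May/2010 08:15:14] PORTSCAN firewall="ns1" ports: 65024, 13345, 3198, 57997, 38545, 12445, 42434, 49868, 65489, 10732, ...
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+PORTSCAN\b(?P<rest>.*)$")
SOURCE_RE = re.compile(r"source:\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3})")
HOSTNAME_RE = re.compile(r'hostname="(?P<host>[^"]*)"')
PORTS_RE = re.compile(r"ports:\s*(?P<ports>[\d,\s]+)")  # stops at the trailing "..."
TS_FORMAT = "%d/%b/%Y %H:%M:%S"

# Assumption for the heuristic: ports a scan of a client typically probes are the
# privileged range plus a few well-known high-numbered services.
SERVICE_PORTS = set(range(1, 1024)) | {1433, 3306, 3389, 5900, 8080}


@dataclass
class ScanEvent:
    when: datetime
    source: Optional[str]
    hostname: Optional[str]
    ports: List[int] = field(default_factory=list)


def parse_portscan_log(text: str) -> List[ScanEvent]:
    """Parse PORTSCAN lines in the format quoted in the thread.

    Abbreviated entries (no hostip/source) inherit the last source and hostname seen,
    which is how the poster presented the run of entries.
    """
    events: List[ScanEvent] = []
    source: Optional[str] = None
    hostname: Optional[str] = None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a PORTSCAN entry
        rest = m.group("rest")
        if (s := SOURCE_RE.search(rest)):
            source = s.group("src")
        if (h := HOSTNAME_RE.search(rest)):
            hostname = h.group("host")
        p = PORTS_RE.search(rest)
        ports = [int(x) for x in p.group("ports").replace(",", " ").split()] if p else []
        events.append(ScanEvent(datetime.strptime(m.group("ts"), TS_FORMAT), source, hostname, ports))
    return events


def triage(events: List[ScanEvent]) -> dict:
    """Summarise a run of PORTSCAN events and classify it with the service-port heuristic."""
    all_ports = [p for e in events for p in e.ports]
    hits = sorted({p for p in all_ports if p in SERVICE_PORTS})
    sources = sorted({e.source for e in events if e.source})
    times = sorted(e.when for e in events)
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    if not events:
        verdict = "no-events"
    elif hits:
        verdict = "service-ports-probed"   # something a client might serve on was touched
    else:
        verdict = "likely-stale-replies"   # only random high ports: consistent with expired NAT mappings
    return {
        "events": len(events),
        "ports_seen": len(all_ports),
        "distinct_ports": len(set(all_ports)),
        "service_ports_hit": hits,
        "sources": sources,
        "min_gap_seconds": min(gaps) if gaps else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(parse_portscan_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the quoted entries the verdict is "likely-stale-replies": thirty distinct ports, none in the service set, minutes apart rather than the sub-second pacing of a scanner. The heuristic only narrows the possibilities; to settle it, a packet capture of the flagged segments would show whether they carry SYN (a real connection attempt) or only ACK/FIN/RST for a connection the client had already closed, and lengthening the firewall's NAT timeout would reduce the false positives if the latter is the case.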