Port scanning concern

Tony Arnold tony.arnold at manchester.ac.uk
Sun Nov 25 17:51:41 UTC 2012


Jason,

On 25/11/12 17:06, Jason P. wrote:
> On 25/11/12 17:35, Tony Arnold wrote:
>> Jason,
>>
>> I presume the DST=local_ip shows as a real local IP address behind your
>> router (e.g., 192.168.1.27)? And that you do not have any port
>> forwarding on your router that could be relevant?
>>
> 
> You're right. local_ip is a real LAN IP address. Port forwarding is
> irrelevant here.
> 
>> It looks to me like return traffic from outgoing connections to
>> 88.191.127.22. The outgoing connection would be http so it would connect
>> on port 80/tcp. Return traffic would have a source port (SPT) of 80 and
>> a random high number destination port (DST).
>>
> 
> Does it make sense trying to connect in sequence apparently to random
> ports? Other days port numbers are different, but always consecutive.
> Normally 10 in a row or so.

Quite possibly. Each outgoing connection would have a destination port
of 80 and a source port of some high number random port. Consecutive
connections could well use consecutive ports, thus the return traffic
would have consecutive destination ports as you are seeing.

It's also unlikely that any malware would be scanning your machine with a
source port of 80! Besides, such scanning should not get through your
router.

It looks to me like UFW has not set up iptables properly.

>> UFW should allow such return traffic if it's set up iptables correctly.
>>
>> Do these log entries correspond to a time of day when your system may be
>> looking for updates?
>>
> 
> Maybe. I should check it. Thanks for the tip.

That would help.

Regards,
Tony.
-- 
Tony Arnold,                        Tel: +44 (0) 161 275 6093
Head of IT Security,                Fax: +44 (0) 705 344 3082
University of Manchester,           Mob: +44 (0) 773 330 0039
Manchester M13 9PL.                 Email: tony.arnold at manchester.ac.uk
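
The distinction drawn in this message, as an added example that is not part of the original thread: a small triage script that groups blocked TCP packets in UFW log lines by source and separates the return-traffic pattern (one fixed low source port, high destination ports, no bare SYN) from new inbound connection attempts across several ports. The log lines are constructed, the 32768 threshold is an assumed Linux default, the function names are hypothetical, and 203.0.113.50 and 198.51.100.7 are documentation addresses.

```python
import re
from collections import defaultdict

EPHEMERAL_MIN = 32768  # assumption: Linux default start of ip_local_port_range

# Constructed sample in UFW's kernel-log format; only 88.191.127.22 and the
# example LAN address 192.168.1.27 come from the thread.
_P = "Nov 25 17:01:0%d host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=%s DST=192.168.1.27 LEN=40 PROTO=TCP SPT=%d DPT=%d WINDOW=0 RES=0x00 %s URGP=0"
SAMPLE_LOG = "\n".join(_P % row for row in [
    (1, "88.191.127.22", 80, 51234, "ACK FIN"),
    (2, "88.191.127.22", 80, 51235, "ACK FIN"),
    (3, "88.191.127.22", 80, 51236, "RST"),
    (4, "203.0.113.50", 40112, 22, "SYN"),
    (5, "203.0.113.50", 40113, 23, "SYN"),
    (6, "203.0.113.50", 40114, 25, "SYN"),
    (7, "198.51.100.7", 50000, 8080, "ACK"),
])

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
FLAG = re.compile(r"\b(SYN|ACK|FIN|RST|PSH)\b")

def parse(line):
    """Return (src, spt, dpt, flags) for a blocked TCP packet, else None."""
    if "[UFW BLOCK]" not in line or "PROTO=TCP" not in line:
        return None
    f = dict(FIELD.findall(line))
    if not {"SRC", "SPT", "DPT"} <= f.keys():
        return None
    # TCP flags are bare words after PROTO=; ignore anything earlier in the line.
    flags = set(FLAG.findall(line.split("PROTO=", 1)[1]))
    return f["SRC"], int(f["SPT"]), int(f["DPT"]), flags

def classify(log_text):
    """Map each source IP to 'return-traffic', 'possible-scan' or 'unclear'."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        by_src[rec[0]].append(rec[1:])
    verdicts = {}
    for src, pkts in by_src.items():
        spts = {spt for spt, _, _ in pkts}
        dpts = {dpt for _, dpt, _ in pkts}
        # A SYN without ACK is a new inbound attempt, never a reply.
        new_conn = any("SYN" in fl and "ACK" not in fl for _, _, fl in pkts)
        if len(spts) == 1 and min(spts) < 1024 and min(dpts) >= EPHEMERAL_MIN and not new_conn:
            verdicts[src] = "return-traffic"
        elif new_conn and len(dpts) >= 3:
            verdicts[src] = "possible-scan"
        else:
            verdicts[src] = "unclear"
    return verdicts
```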



