Going through the logs on our firewall today (running Mandrake Network Security) and found Snort kept throwing up the following:
Jan 21 17:59:00 snort spp_portscan: portscan status from --.---.---.---: 2 connections across 2 hosts: TCP(2), UDP(0)
The IP there was our own, so is spp_portscan scanning a bunch of hosts? Going through more detailed logs of Snort it certainly appeared so:
Jan 21 17:55:14 --.---.---.---:34074 -> 217.75.109.231:80 SYN ******S*
Jan 21 17:55:23 --.---.---.---:34075 -> 204.73.202.34:80 SYN ******S*
Jan 21 17:55:25 --.---.---.---:34076 -> 204.73.202.34:80 SYN ******S*
Jan 21 17:56:02 --.---.---.---:34077 -> 216.239.39.99:80 SYN ******S*
Jan 21 17:56:03 --.---.---.---:34078 -> 217.75.109.231:80 SYN ******S*
Jan 21 17:56:09 --.---.---.---:34079 -> 216.239.39.99:80 SYN ******S*
Jan 21 17:56:11 --.---.---.---:34080 -> 216.239.39.99:80 SYN ******S*
Jan 21 17:56:11 --.---.---.---:34085 -> 62.30.31.74:80 SYN ******S*
Jan 21 17:56:13 --.---.---.---:34086 -> 63.88.212.82:80 SYN ******S*
Jan 21 17:56:13 --.---.---.---:34088 -> 63.88.212.82:80 SYN ******S*
Jan 21 17:59:00 --.---.---.---:34089 -> 205.214.67.168:2095 SYN ******S*
Jan 21 17:59:07 --.---.---.---:34090 -> 205.214.67.168:2095 SYN ******S*
What the heck's going on!?
We've scanned all the computers on the network connected for viruses/trojans that may be doing this, but nothing!
I phoned up our ISP and they didn't seem to know either, only that there may be something lurking somewhere on the network scanning outward.
The log did contain a couple of instances of portscans from a remote location in America though... neither this nor the outbound scans have happened before.
Any help would be greatly appreciated... Cheers!!!
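
An added example, not part of the original post: a small Python triage helper that parses detailed portscan log lines in the layout quoted above and tallies them per destination host and port, so the flagged SYNs can be matched against what machines behind the firewall were doing at the time. The sample lines are constructed (documentation address ranges), and the function names are this example's own.

```python
import re
from collections import Counter

# Layout of the detailed log lines quoted in the post:
#   <month> <day> <time> <src>:<sport> -> <dst>:<dport> <type> <flags>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<kind>\w+)\s+(?P<flags>\S+)\s*$"
)

def parse_line(line):
    """Return a dict for one connection line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def summarize(lines):
    """Tally parsed connection lines by (destination host, destination port)."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return {
        "parsed": len(records),
        "skipped": len(lines) - len(records),   # status lines, blanks, noise
        "hosts": sorted({r["dst"] for r in records}),
        "ports": sorted({r["dport"] for r in records}),
        "per_target": Counter((r["dst"], r["dport"]) for r in records),
    }

# Constructed sample input: a redacted source is accepted as-is, and the
# spp_portscan status line is skipped because it is not a connection line.
SAMPLE = """\
Jan 21 17:55:14 192.0.2.10:34074 -> 198.51.100.7:80 SYN ******S*
Jan 21 17:55:23 192.0.2.10:34075 -> 203.0.113.20:80 SYN ******S*
Jan 21 17:55:25 192.0.2.10:34076 -> 203.0.113.20:80 SYN ******S*
Jan 21 17:56:03 192.0.2.10:34078 -> 198.51.100.7:80 SYN ******S*
Jan 21 17:59:00 192.0.2.10:34089 -> 198.51.100.99:2095 SYN ******S*
Jan 21 17:59:00 snort spp_portscan: portscan status from 192.0.2.10: 2 connections across 2 hosts: TCP(2), UDP(0)
Jan 21 17:59:07 --.---.---.---:34090 -> 198.51.100.99:2095 SYN ******S*
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(f"{report['parsed']} connection lines, {report['skipped']} skipped")
    for (dst, dport), n in report["per_target"].most_common():
        print(f"{n:3d}  {dst}:{dport}")
```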