spp_portscan

scammeh^ · 01-22-2004, 01:28 PM

Going through the logs on our Firewall today, (running Mandrake Network Security) and found Snort kept throwing up the following:

Jan 21 17:59:00 snort spp_portscan: portscan status from --.---.---.---: 2 connections across 2 hosts: TCP(2), UDP(0)

The ip there was our own, so is spp_portscan scanning a bunch of hosts? Going through more detialed logs of Snort it certainly appeared so:

Jan 21 17:55:14 --.---.---.---:34074 -> 217.75.109.231:80 SYN ******S*
Jan 21 17:55:23 --.---.---.---:34075 -> 204.73.202.34:80 SYN ******S*
Jan 21 17:55:25 --.---.---.---:34076 -> 204.73.202.34:80 SYN ******S*
Jan 21 17:56:02 --.---.---.---:34077 -> 216.239.39.99:80 SYN ******S*
Jan 21 17:56:03 --.---.---.---:34078 -> 217.75.109.231:80 SYN ******S*
Jan 21 17:56:09 --.---.---.---:34079 -> 216.239.39.99:80 SYN ******S*
Jan 21 17:56:11 --.---.---.---:34080 -> 216.239.39.99:80 SYN ******S*
Jan 21 17:56:11 --.---.---.---:34085 -> 62.30.31.74:80 SYN ******S*
Jan 21 17:56:13 --.---.---.---:34086 -> 63.88.212.82:80 SYN ******S*
Jan 21 17:56:13 --.---.---.---:34088 -> 63.88.212.82:80 SYN ******S*
Jan 21 17:59:00 --.---.---.---:34089 -> 205.214.67.168:2095 SYN ******S*
Jan 21 17:59:07 --.---.---.---:34090 -> 205.214.67.168:2095 SYN ******S*

What the hecks going on!?

We've scanned all the computers on the network connected for viruses/trojans that may be doing this, but nothing!

I phoned up our ISP and they didnt seem to know either, only that there may be something lurking somewhere on the network scanning outward.

The log did contain a couple of instances of portscans from a remote location in America though... neither this nor the outbound scans have happened before.

Any help would be greatly appreciated... Cheers!!!