I am getting an alert from my security program that SatGuys 70.85.58.122 is scanning me with the NMap Xmas Scan; what's up?
Internet Security
- Thread starter charper1
- Start date
- Latest activity Latest activity:
- Replies 21
- Views 3K
- Status
Ok I have investigated this a bit. It appears to be something our firewall is doing, not sure WHY it is doing it though, so I am still looking into it.
The good news is its not a hacker or malicious program trying to get access to your machine.
Again still looking into it. Thanks for bringing it to my attention.
The good news is its not a hacker or malicious program trying to get access to your machine.
Again still looking into it. Thanks for bringing it to my attention.
NP! Thanks, I feel a bit better now. Thought you might want a copy of my log entry.
Details: Intrusion: NMap Xmas Scan.
Intruder: www.satelliteguys.us(70.85.58.122).
Risk Level: Medium.
Source IP address: www.satelliteguys.us(70.85.58.122).
Destination IP address: OFFICE(192.168.0.20).
TCP Source Port: http(80).
TCP Destination Port: 4280.
TCP Header Flags: 0x00000829. These TCP Flags are invalid.
Details: Intrusion: NMap Xmas Scan.
Intruder: www.satelliteguys.us(70.85.58.122).
Risk Level: Medium.
Source IP address: www.satelliteguys.us(70.85.58.122).
Destination IP address: OFFICE(192.168.0.20).
TCP Source Port: http(80).
TCP Destination Port: 4280.
TCP Header Flags: 0x00000829. These TCP Flags are invalid.
Do you have a timestamp on this log entry, and is your clock sync'd?charper1 said:
Thanks,
LER
Server Weenie.
I run a clock sync every morning from the worldtimeserver so it should be right on.
8:36:23pm (EST) was the logged time.
8:36:23pm (EST) was the logged time.
I have called in LER as you can see above, so far ouor thinking you got a bad packet as it is not normal to get a nmap scan fromo port 80 which is the http port. 
With your timestamp we can go through the logs and see what if anything it was from the server.
With your timestamp we can go through the logs and see what if anything it was from the server.
Thanks. The only thing I see close to that time in our logs:charper1 said:
and since your address is NAT'd, I can't be sure if it's related. (I doubt it).
Hope this helps some.
LER
I haven't seen it again, so in the words of NASA, "we just have an unexplained anomaly". I guess its no biggie then, just thought you might want to know. Do you want to know if it happens again?
don't know if this will help, but i use norton firewall and system works and have NOT had anything funny.
Same here as well, but I'm stuck behind a hotel NAT, so I don't know whatkorsjs said:
it's dropping/doing for/to me.
Thanks for the confirmation, korsjs.
LER
Sounds like a false alarm Deeann (But I am looking into it)
We are behind Tripping Point servers and firewalls which prevents DOS from getting out and in. (Our host (The Planet) does good with this type of stuff)
Thanks for letting us know.
We are behind Tripping Point servers and firewalls which prevents DOS from getting out and in. (Our host (The Planet) does good with this type of stuff)
Thanks for letting us know.
Everything looks good here. I did a quick scan and found nothing. I am trying to download a demo version of Kerio 4 but its going S L O W, I have only downloaded 146kb of 7.22 MB. So once that finishes (if it finishes ) I will give it a try.
BTW I got this note this morning about our DOS protection, which I don't believe has anything to do with it but just passing it along.
Hello,
On Sunday night, July 24, 2005 The Planet will be conducting site-wide network maintenance at the DLLSTX2 and DLLSTX4 data centers for 4 hours, beginning at 11:59PM CDT (GMT-0500) to upgrade firmware code on The Planet's TippingPoint network anti-intrusion system.
Although the work is not expected to affect network availability, it is possible that latency and packet loss may be experienced for very brief periods of time during the upgrade.
Thank you for hosting with us at The Planet.
The Planet Information Security Team
) I will give it a try. BTW I got this note this morning about our DOS protection, which I don't believe has anything to do with it but just passing it along.
Hello,
On Sunday night, July 24, 2005 The Planet will be conducting site-wide network maintenance at the DLLSTX2 and DLLSTX4 data centers for 4 hours, beginning at 11:59PM CDT (GMT-0500) to upgrade firmware code on The Planet's TippingPoint network anti-intrusion system.
Although the work is not expected to affect network availability, it is possible that latency and packet loss may be experienced for very brief periods of time during the upgrade.
Thank you for hosting with us at The Planet.
The Planet Information Security Team
- Status
