Catching Port Scanners, or preventing port scans

Does anyone know of way to catch a person who is "port scanning" or "port sweeping" me?
I have Norton AntiVirus, and it blocks the port scans, and gives me the ip address, but I can't seem to find a way to link this to anyone...
Any suggestions?

It enrages me and I want to find them...and hack them, with something other than a computer...
Move on.
For on, you're not going to stop it. It's a fact of life online and there are far more systems out there doing it than you have time to track (unless you're really, really bored).
Secondly, even if the addresses aren't spoofed you'll find one of two situations in 99.9% of all scans:
Either the source is in some remote country like Romania or China who doesn't give two hoots about your IP, or the source is some poor schmuck whose Windows machine has been hacked and he's part of a botnet or other setup where the real culprit is far removed.
In the former case you're wasting your time. In the latter you're targeting the wrong person and you have no chance of finding the real source.
So consider it noise and live with it. Your life will be much happier.

Similar Messages

  • Repeated port scans?

    Port scans are a way of life so this question is more to seek information than solve a problem. My firewalls have prevented a problem from occurring.
    I get scanned constantly, usually by CHINANET aka China Telecom
    My question is why do they always scan ports 80 7212 8000 8081 1080 and 8080?

    Jim Hall1 wrote:
    I could not agree more about the need for keeping informed. What Windows users have to deal with is truly frightening, I don't know how they begin to keep up.
    Just remember, what's bad for them is good for us. If a hacker is looking to steal someone's ID or credit card number, why should he spend a lot of time trying to hack a Mac when a PC is soooo much easier? It's basically numbers. Willy Sutton, the infamous bank robber of years gone by said, when asked why he robbed banks, "because that's where the money is."
    Of course that's not true these days.
    One day there really will be threats to Macs. But that time has not yet arrived, despite the hoopla.
    Message was edited by: nerowolfe

  • CSA 4.0.3 Exempt certain IPs from being detected as source of port scanning

    We have an in-house vulnerability scanner that regularly
    does port scans and we don't want to see events when the source IP is from the vulnerability scanner.
    We tried a network access rule but it dose not work.
    1) Network Shim is enabled
    2) Network shield rule with Port scan detection is enabled.
    3) Global correlation for scans is set to 100 within 60 minutes.
    Basically we want to keep detecting port scans except scans from a specific IP.

    Thanks Jay for your offer. The thing is NACL does not work in 4.0.x
    Here is TAC responce for later versions (4.5.x or 5.x):
    "It is possible to do this by changing the field "Commuincating with host
    addresses" in the network shield rule. There are 2 ways to do this.
    1. Create an exception rule. The exception rule is of type 'Network
    Shield Rule'. Make it's action 'permit'. Click Port Scan Detection to
    enable it. Include the ip address of the port scanner device in
    "Communicating with host addresses".
    or
    2. Modify the original Network Shield Rule (the one with the deny
    action). Next to "Communicating with host addresses", click 'Insert
    Network Address Set', and click 'New'. In the new window,name the
    network address set. Leave the "Address ranges matching" to and
    change "but not:" to the ip address of the port scanner. Then click
    'save'. Make sure that the Network Shield rule now contains your
    Network address set under "Communicating with host addresses".
    We typically recommend using method 1 because it prevents you from
    having to modify the default rule set. But pick the method that works
    best for your configuration."
    I have to find away without upgrading.

  • Port Scan with Network Utility

    I'm a little confused by the results of a port scan I just completed using Network Utility. With ARD checked in the Sharing Services pane I believe that ports 5900 and 3283 are opened but while the port scan revealed that TCP 5900 was opened there was no mention of 3283. Could this be why I'm having trouble Observing and Controlling a remote machine? I have also checked all Access Privileges for ARD.
    Hoping someone can throw a little light on the subject.

    Thank you JD and Dave for your responses.
    I've moved on a little since my post of a week ago and although I still can't work out why the Network Utility port scan didn't detect 3283 I have been able to connect to and Observe and Control a remote client on my small LAN. I have two machines connected through a Linksys router - one connected with airport and one directly connected with ethernet.
    On the Admin machine (machine A) I have four accounts: New York, LA, Chicago and Miami.
    On the Client machine (machine B) I also have four accounts: London, Paris, Rome and Berlin.
    The main account for machine A has been New York and for machine B has been London. I have been unable to use the Observe and Control feature from New York to London although all other services are available.
    As a test I opened three other accounts on each of the two machines and discovered that I could Observe and Control using any combination of the new accounts but still not the original New York account. I have also connected to machine B using a dns service address so this tells me that port forwarding on the router is configured correctly.
    I believe there is probably something in the configuration or preferences files of the New York account which is preventing me from connecting to any of the other accounts on machine B. The error message I get when trying to Control or Observe is "Connection Failed to Machine B".
    Any thoughts on the matter would be greatly appreciated.

  • Issues with McAfee IPS and HP PhotoSmart Premium C309g-m performing port scan

    Trying to run a HP PhotoSmart Premium C309g-m printer wirelessly and connect to a laptop computer with Windows 7 32-bit operating system.  Printer is available for about 3 and a half minutes and then is blocked by McAfee because the printer is trying to perform a UDP port scan.  The IP address of the printer is blocked for 10 minutes and then becomes available again.  After about 3 and a half minutes, the printer IP address is again blocked by McAfee IPS for 10 minutes and the cycle repeats again.  Goes on all day.  Difficult to get any work done.  Anyone have a fix to stop the port scans?  Thanks

    Hello JWB46,
    Welcome to the HP Forums!
    I understand when you scan a document, it takes longer and the background is black with horizontal white lines or a greenish background. I will do my best to assist you! First, I need to find out your operating system on your computer? Windows or Mac?
    How is this printer connected? Wireless or USB?
    Please make sure you have followed this entire HP document on Color or Brightness Level of Scanned Image is Not Correct. I would like to test out the hardware within your printer. Try copying a blank document on the scanner glass. Let me know if you have the same results. I will be looking forward to hearing from you. Have a great night!
    I worked on behalf of HP.

  • My MBP is port scanning, and I dont know why!

    Ever since this Tuesday at the office (we're all running macs) the internet keeps going down.
    I called the ISP, they told me that one of the machines looks like it has a virus running, one of them is port scanning- and that overflowed the router and froze it.
    Turns out its my personal MacBook Pro that matches the IP address he gave me. I was FTP'd into a server and downloading a website for backup.
    He said something like ports 4400- 58,000 were being scanned sequentially and that it seemed like there was a virus on the computer, I was shocked- and told him that we were all on macs. Perhaps the FTP client (called "fetch") failed to connect to one port and tried another and another ect. But, the tech guy also said that it wasn't on FTP protocol.
    Today I've been working on securing my machine. I stopped using the Wi-fi, turned on my firewall ( I know, bad idea to not have it on ) and installed ClamXav and Little Snitch.
    Perhaps I have some kind of malware? Is it too late?
    Help!

    Isp's always blame things on the mac when they don't know why something is happening to their network.
    You could launch Activity monitor and look at all the processes that are running. Sort it my cpu cycles. There could be an application stuck in update mode or one trying to phone home..like adobe updater.

  • Port Scan is shooting blanks

    I am finding it painful to set up VPN so any help anyone can give would be real generous.
    I have been trying to connect to a VPN to tunnel L2TP via IPsec over port 1701 and PPTP over port 1723 but having no joy at all.
    Macbook (10.5.6) uses mobile broadband USB modem (dynamic IP and telecom APN settings) to access internet. Internet works great, but have been unable to push thru VPN – getting the same error message "Connection terminated by communication device". I've checked firewall settings and it is set to allow all incoming requests. Therefore, there should be no ports blocked.
    However, when I check open ports using Port Scan in Network Utilities using my session IP address the results are empty. All I get is the following:
    Port Scan has started ...
    Port Scanning host: 193.120.116.180
    Port Scan has completed ...
    Why is this not working? I'm confused
    Am I able to check open ports on my Mac using dynamic IP address within active session on my Mac?

    I am trying to set up connection to PureVPN for security purposes and have followed their config settings for my Macbook.
    So how do I check the ports on my machine, as I'm sure it's not a problem at their end. I only have one machine so don't understand how it is possible to see if ports are being blocked at my end.
    Do I run that /var/log/ppp.log in Terminal?

  • Is this port scanning?

    Hello all,
    I’m a new Oracle Administrator and I want to ask the following question:
    I have one 10g R2 Database Server (myhost.mydomain) running a DB with SID=DB1 on a Linux Redhat Server.
    There is another 10g R2 Database on a Win2003 server (HOST1) which through a database link is doing specific select on two tables only (I am not responsible for this server).
    Looking the listener.log of my server I saw that every 10 – 20 seconds there are connections on my server and on different ports. Is this something like port scanning?
    A 10 minute sample of my listener.log:
    30-OCT-2010 08:59:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3452)) * establish * DB1 * 0
    30-OCT-2010 08:59:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3454)) * establish * DB1 * 0
    30-OCT-2010 08:59:34 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3457)) * establish * DB1 * 0
    30-OCT-2010 09:00:01 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3465)) * establish * DB1 * 0
    30-OCT-2010 09:00:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3469)) * establish * DB1 * 0
    30-OCT-2010 09:00:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3472)) * establish * DB1 * 0
    30-OCT-2010 09:00:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3474)) * establish * DB1 * 0
    30-OCT-2010 09:00:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3483)) * establish * DB1 * 0
    30-OCT-2010 09:01:03 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3484)) * establish * DB1 * 0
    30-OCT-2010 09:01:09 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3487)) * establish * DB1 * 0
    30-OCT-2010 09:01:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3488)) * establish * DB1 * 0
    30-OCT-2010 09:01:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3494)) * establish * DB1 * 0
    30-OCT-2010 09:02:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3505)) * establish * DB1 * 0
    30-OCT-2010 09:02:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3506)) * establish * DB1 * 0
    30-OCT-2010 09:02:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3511)) * establish * DB1 * 0
    30-OCT-2010 09:02:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3519)) * establish * DB1 * 0
    30-OCT-2010 09:03:03 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3520)) * establish * DB1 * 0
    30-OCT-2010 09:03:09 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3523)) * establish * DB1 * 0
    30-OCT-2010 09:03:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3524)) * establish * DB1 * 0
    30-OCT-2010 09:03:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3528)) * establish * DB1 * 0
    30-OCT-2010 09:03:58 * ping * 0
    30-OCT-2010 09:03:58 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=myhost.mydomain)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost.mydomain)(PORT=1521)))(VERSION=169870336)) * status * 0
    30-OCT-2010 09:04:09 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=52637)) * establish * DB1 * 0
    30-OCT-2010 09:04:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3537)) * establish * DB1 * 0
    30-OCT-2010 09:04:13 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=52639)) * establish * DB1 * 0
    30-OCT-2010 09:04:13 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=52640)) * establish * DB1 * 0
    30-OCT-2010 09:04:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3538)) * establish * DB1 * 0
    30-OCT-2010 09:04:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3542)) * establish * DB1 * 0
    30-OCT-2010 09:04:34 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3544)) * establish * DB1 * 0
    30-OCT-2010 09:04:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3553)) * establish * DB1 * 0
    30-OCT-2010 09:05:01 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3554)) * establish * DB1 * 0
    30-OCT-2010 09:05:03 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3555)) * establish * DB1 * 0
    30-OCT-2010 09:05:09 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3559)) * establish * DB1 * 0
    30-OCT-2010 09:05:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3560)) * establish * DB1 * 0
    30-OCT-2010 09:05:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3564)) * establish * DB1 * 0
    30-OCT-2010 09:06:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3573)) * establish * DB1 * 0
    30-OCT-2010 09:06:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3574)) * establish * DB1 * 0
    30-OCT-2010 09:06:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3578)) * establish * DB1 * 0
    30-OCT-2010 09:06:40 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=52652)) * establish * DB1 * 0
    30-OCT-2010 09:06:40 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=52653)) * establish * DB1 * 0
    30-OCT-2010 09:06:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3586)) * establish * DB1 * 0
    30-OCT-2010 09:07:03 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3587)) * establish * DB1 * 0
    30-OCT-2010 09:07:09 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3590)) * establish * DB1 * 0
    30-OCT-2010 09:07:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3591)) * establish * DB1 * 0
    30-OCT-2010 09:07:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3593)) * establish * DB1 * 0
    30-OCT-2010 09:08:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3604)) * establish * DB1 * 0
    30-OCT-2010 09:08:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3605)) * establish * DB1 * 0
    30-OCT-2010 09:08:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3607)) * establish * DB1 * 0
    30-OCT-2010 09:08:58 * ping * 0
    30-OCT-2010 09:08:58 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=myhost.mydomain)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost.mydomain)(PORT=1521)))(VERSION=169870336)) * status * 0
    30-OCT-2010 09:08:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3617)) * establish * DB1 * 0
    30-OCT-2010 09:09:03 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3620)) * establish * DB1 * 0
    30-OCT-2010 09:09:09 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3623)) * establish * DB1 * 0
    30-OCT-2010 09:09:09 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=42950)) * establish * DB1 * 0
    30-OCT-2010 09:09:13 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=42951)) * establish * DB1 * 0
    30-OCT-2010 09:09:13 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=42952)) * establish * DB1 * 0
    30-OCT-2010 09:09:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3624)) * establish * DB1 * 0
    30-OCT-2010 09:09:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3626)) * establish * DB1 * 0
    30-OCT-2010 09:09:34 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3630)) * establish * DB1 * 0
    30-OCT-2010 09:10:01 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3637)) * establish * DB1 * 0
    30-OCT-2010 09:10:07 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=42957)) * establish * DB1 * 0
    30-OCT-2010 09:10:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3643)) * establish * DB1 * 0
    30-OCT-2010 09:10:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3644)) * establish * DB1 * 0
    30-OCT-2010 09:10:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3646)) * establish * DB1 * 0
    30-OCT-2010 09:10:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3658)) * establish * DB1 * 0

    Is this port scanning?No. Port scanning is sending various crafted tcp packets to a range of ports to determine what, if any, service is using that port as a listening end-point. It is not about sending lots of packets to a single port.
    So if someone port scans your Oracle server, there is an excellent likelihood that you will not even see that. A stealth scan is commonly used - and this will be dealt with at IP stack level and not at the listener level. So the listener will never see the port scan. It will not be recorded in the listener's log.
    What you are seeing are standard client server connections. The server port is 1521. The client port will be a brand new port each time - and a port number from the private/dynamic port range.
    A lot of client-server connections to a server that for example fails, can be a sign of a DoS (<i>Denial of Service</i>) attack. But yours simply seems to be the local Oracle instance checking in with the listener at regular intervals.
    The executable according to the connection string received from the client is <i>d:\oracle\product\10.2.0\db\bin\ORACLE.EXE</i>. This means an Oracle server process. An Oracle instance will continually contact the local listener to inform it of the services that it supports.

  • How to report possible Port scanning and DOS/Fraggle Attack??

    I have been experiencing lag while surfing the internet. One temporary solution was to get a new IP from VZ but this fix was short lived. So I became curios and dtarted to log connection attempts to my router and noticed what I saw resembled port scans and even a Fraggle/DOS attack at times. I am posting my routers log below and would like to kno how to go about reporting this abuse and what I see as malicious activity?
    Mar 29 00:34:16.843: %SEC-6-IPACCESSLOGP: list 115 denied tcp 112.216.99.210(60289) -> .(443), 1 packet
    Mar 29 02:09:24.956: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(44315) -> .(80), 1 packet
    Mar 29 02:14:54.973: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(44315) -> .(80), 4 packets
    Mar 29 04:46:18.559: %SEC-6-IPACCESSLOGP: list 115 denied tcp 123.125.67.205(60157) -> .(80), 1 packet
    Mar 29 04:51:54.975: %SEC-6-IPACCESSLOGP: list 115 denied tcp 123.125.67.205(60157) -> .(80), 1 packet
    Mar 29 08:37:38.717: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(49683) -> .(80), 1 packet
    Mar 29 08:42:54.971: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(49683) -> .(80), 4 packets
    Mar 29 11:58:37.525: %SEC-6-IPACCESSLOGP: list 115 denied tcp 69.162.74.105(4529) -> .(80), 1 packet
    Mar 29 12:00:33.395: %SEC-6-IPACCESSLOGP: list 115 denied tcp 209.216.8.220(8615) -> .(443), 1 packet
    Mar 29 12:03:55.001: %SEC-6-IPACCESSLOGP: list 115 denied tcp 69.162.74.105(4529) -> .(80), 1 packet
    Mar 29 15:09:06.512: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(39516) -> (80), 1 packet
    Mar 29 15:14:54.971: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(39516) -> (80), 4 packets
    Mar 29 20:06:44.831: %SEC-6-IPACCESSLOGP: list 115 denied tcp 190.30.227.242(45712) -> .(80), 1 packet
    Mar 29 23:42:44.255: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(58914) -> .(80), 1 packet
    Mar 29 23:47:54.968: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(58914) -> .(80), 2 packets
    Mar 30 01:19:56.075: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48356) -> .(80), 1 packet
    Mar 30 01:25:54.971: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48356) -> .(80), 2 packets
    Mar 30 01:51:48.109: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(32276) -> .(80), 1 packet
    Mar 30 01:56:54.968: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(32276) -> .(80), 2 packets
    Mar 30 02:15:11.578: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48235) -> .(80), 1 packet
    Mar 30 02:20:54.969: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48235) -> .(80), 2 packets
    Mar 30 02:49:55.370: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(65092) -> .(80), 1 packet
    Mar 30 02:55:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(65092) -> .(80), 2 packets
    Mar 30 03:05:05.854: %SEC-6-IPACCESSLOGP: list 115 denied tcp 59.178.47.229(3152) -> .(23), 1 packet
    Mar 30 03:10:54.971: %SEC-6-IPACCESSLOGP: list 115 denied tcp 59.178.47.229(3152) -> .(23), 1 packet
    Mar 30 03:19:07.806: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(28767) -> .(80), 1 packet
    Mar 30 03:24:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(28767) -> .(80), 2 packets
    Mar 30 03:43:44.223: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(22501) -> (80), 1 packet
    Mar 30 03:48:54.968: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(22501) -> (80), 2 packets
    Mar 30 04:11:31.035: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(47011) -> .(80), 1 packet
    Mar 30 04:16:54.970: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(47011) -> .(80), 2 packets
    Mar 30 04:42:01.195: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(56753) -> .(80), 1 packet
    Mar 30 04:47:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(56753) -> .(80), 2 packets
    Mar 30 05:11:34.130: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(35301) -> .(80), 1 packet
    Mar 30 05:16:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(35301) -> .(80), 2 packets
    Mar 30 05:41:22.621: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(33024) -> .(80), 1 packet
    Mar 30 05:46:54.970: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(33024) -> .(80), 2 packets
    Mar 30 06:08:02.091: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(54807) -> .(80), 1 packet
    Mar 30 06:13:54.970: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(54807) -> .(80), 2 packets
    Mar 30 06:34:59.547: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(29217) -> .(80), 1 packet
    Mar 30 06:40:54.969: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(29217) -> .(80), 2 packets
    Mar 30 07:03:04.100: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(54153) -> .(80), 1 packet
    Mar 30 07:08:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(54153) -> .(80), 2 packets
    Mar 30 07:31:13.494: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(17308) -> .(80), 1 packet
    Mar 30 07:36:54.969: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(17308) -> .(80), 2 packets
    Mar 30 08:02:27.161: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48707) -> .(80), 1 packet
    Mar 30 08:07:54.966: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48707) -> .(80), 2 packets
    Mar 30 08:33:47.283: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(28540) -> .(80), 1 packet
    Mar 30 20:04:23.585: %SEC-6-IPACCESSLOGP: list 115 denied tcp 115.89.213.165(22702) -> .4(22), 1 packet
    Mar 30 20:21:10.696: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(35592) -> .(80), 1 packet
    Mar 30 20:26:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(35592) -> .(80), 2 packets
    Mar 30 20:52:52.313: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(25460) -> .(80), 1 packet
    Mar 30 20:57:54.965: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(25460) -> .(80), 2 packets
    Mar 30 21:30:11.984: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(17145) -> .(80), 1 packet
    Mar 30 21:35:54.963: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(17145) -> .(80), 2 packets
    Mar 30 21:43:27.829: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/1: the fragment table has reached its maximum threshold 16
    Mar 30 21:43:27.889: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.200 -> . (0/0), 1 packet
    Mar 30 21:48:54.965: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.213 -> (0/0), 1 packet
    Mar 30 21:48:54.965: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.214 -> (0/0), 1 packet
    Mar 30 21:48:54.969: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.201 -> (0/0), 1 packet
    Mar 30 21:48:54.969: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.203 -> (0/0), 1 packet
    Mar 30 21:48:54.969: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.202 -> (0/0), 1 packet
    Mar 30 21:48:54.969: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.204 -> . (0/0), 1 packet
    Mar 30 21:48:54.973: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.205 -> (0/0), 1 packet
    Mar 30 21:48:54.973: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.206 -> (0/0), 1 packet
    Mar 30 21:48:54.973: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.210 -> . (0/0), 1 packet
    Mar 30 21:48:54.977: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.211 -> (0/0), 1 packet
    Mar 30 22:01:32.255: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(30967) -> .(80), 1 packet
    Mar 30 22:06:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(30967) -> .(80), 2 packets
    Mar 30 22:10:18.301: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(31796) -> .(80), 1 packet
    Mar 30 22:15:54.965: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(31796) -> .(80), 2 packets
    Mar 30 23:03:12.464: %SEC-6-IPACCESSLOGP: list 115 denied tcp 88.208.220.10(55906) -> .(21), 1 packet
    Mar 30 23:08:54.966: %SEC-6-IPACCESSLOGP: list 115 denied tcp 88.208.220.10(55906) -> .(21), 1 packet
    Mar 31 00:41:30.769: %SEC-6-IPACCESSLOGP: list 115 denied tcp 115.89.213.165(35443) -> .(22), 1 packet
    Mar 31 03:00:11.425: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(58521) -> .(80), 1 packet
    Mar 31 03:00:12.527: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(42339) -> .(23), 1 packet
    Mar 31 03:05:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(41726) -> .(23), 1 packet
    Mar 31 03:05:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(59178) -> .(80), 1 packet
    Mar 31 03:46:26.767: %SEC-6-IPACCESSLOGP: list 115 denied tcp 184.154.4.85(58071) -> .(80), 1 packet
    Mar 31 04:12:08.935: %SEC-6-IPACCESSLOGP: list 115 denied tcp 109.104.74.10(51151) -> .(22), 1 packet
    Mar 31 12:10:19.683: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(51886) -> .(80), 1 packet
    Mar 31 12:15:54.960: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(51886) -> .(80), 4 packets
    Mar 31 14:23:34.316: %SEC-6-IPACCESSLOGP: list 115 denied tcp 94.251.160.199(32941) -> .(443), 1 packet
    Mar 31 14:28:54.962: %SEC-6-IPACCESSLOGP: list 115 denied tcp 94.251.160.199(32941) -> .(443), 1 packet
    Mar 31 20:37:34.630: %SEC-6-IPACCESSLOGP: list 115 denied tcp 208.100.1.174(39803) -> .(21), 1 packet
    Mar 31 20:40:49.542: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(53348) -> .(80), 1 packet
    Mar 31 20:45:54.958: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(53348) -> .(80), 4 packets
    Mar 31 21:18:03.788: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/1: the fragment table has reached its maximum threshold 16
    Mar 31 21:18:03.832: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.200 -> (0/0), 1 packet
    Mar 31 21:23:54.960: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 130.81.137.230 -> (0/0), 2 packets
    Mar 31 21:23:54.960: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.202 -> (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.201 -> (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.204 -> . (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.205 -> (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.207 -> . (0/0), 1 packet
    Mar 31 21:23:54.968: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.208 -> . (0/0), 1 packet
    Mar 31 21:23:54.968: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.206 -> . (0/0), 1 packet
    Mar 31 21:23:54.968: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.210 -> . (0/0), 1 packet
    Mar 31 21:23:54.972: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.203 -> (0/0), 1 packet
    Mar 31 21:57:25.351: %SEC-6-IPACCESSLOGP: list 115 denied tcp 115.89.213.165(59472) -> .(22), 1 packet
    Mar 31 22:00:45.852: %SEC-6-IPACCESSLOGP: list 115 denied tcp 87.234.32.189(49412) -> .(25), 1 packet
    Mar 31 22:05:54.959: %SEC-6-IPACCESSLOGP: list 115 denied tcp 87.234.32.189(49412) -> .(25), 1 packet

    You're getting hit from IPs from everywhere, so there's no true person to ask in regards to this. Whoever had your IP last was probably up to no good, or it's possible for some reason your IP was targeted. Might also be possible that whoever had your IP last was running servers. My Dedicated server gets hit with this nonsense all the time. Sometimes it's an issue with someone trying to DoS one of the game servers I run on it. Causes lag for only a few seconds before the hardware firewall in front of the server kicks in and handles the rest. China I actually wound up blocking access to entirely for a month or two since I've hardly seen anything that wasn't a port scan or an SSH/FTP hacking attempt.
    A few of those IPs are owned by Google and Microsoft, which implies there was probably an HTTP server at one point running on the IP you're using now.
    ========
    The first to bring me 1Gbps Fiber for $30/m wins!

  • How do i go to the port scan in yosemite 10.10?

    I need to go to the port scan because of my email settings and i just can't, i have done everything and i can't do it, pls help me
    thx

    http://osxdaily.com/2014/05/20/port-scanner-mac-network-utility/

  • Server Admin says that Contribute CS3 is running port scans

    My website keeps crashing whenever I try to connect through contribute. The host admin says that when I try to connect Contribute is running port scans, this causes their server to block my IP and subsequently crashes my website.
    I connect using SFTP. How can I change the settings to avoid this happening?
    The host says that port 22 should be used.
    Under preferences, FTP proxy, FTP proxy port is listed as 21. Is this the problem?
    Thanks in advance for any help.
    -Lindsey

    Hi Lindsey,
         Can you provide the server log files?

  • Why is my AE port-scanning my Macbook from port 53?

    I got a Macbook Pro for Xmas, so I setup my Airport Extreme Base Station (AE) again. I also have my old iMac connected to the AEB LAN port, although it's asleep most of the time.
    The MB's log shows stealth-mode port-scanning from 10.0.0.1:53 (i.e., the AE) every 4 seconds or so. I assume it's the AEBS itself that's doing this, since the iMac is asleep.
    What's going on?

    I got an answer (sort of) from Apple engineering.
    Port 53 is used for DNS, and it's "normal and harmless" for the AEBS (that older model at least -- don't know about newer ones) to do this. No explanation as to why.

  • Why does port scan show an open port for application I've never had?

    I don't currently and never have used Bacula to backup my Macbook, but for some reason when I do a portscan it often shows a Bacula file daemon being open on port 9102.  It also comes up in Netstat as listening, even with my firewall blocking all unnecessary connections, sharing turned off (all), and an Airport ex in front of it also secured.  I also cannot find any related files etc. on my machine after a thorough search.  Despite my best google and support searches, I couldn't find anyone with the same problem.  Is this reason for concern? Either way why would it be there despite it not being ever used on my Mac?  I am not well versed in networking, only know enough to get myself in trouble, so thanks in advance for any help.

    Ok, I ran a port scan on 9102 and it show it's not responding, but assigned to (bacula-fd)
    So what it appears to be is Bacula ( a legitimate program) uses this port, much like Screen Sharing uses port 5900, not necessarily that it's installed on your machine.
    It's not uncommong to have open ports, it's so if you ever install the program or use a service it can gain access through the Firewall. You can change that of course to close up everything except certain ports for certain programs.
    Now that the firewall is App based, if you don't have the app listed, how do you deny it access?
    Well if the program isn't installed on the machine, it can't respond if the port is open or closed.
    Simply enable your Firewall and allow the programs you do have and want to access your machine to connect in the Advanced settings.
    There is also NoobProof and WaterRoof if you need a GUI/simplicity to enact more complex features of the command line firewall. Block IP addresses and everything. However read up before you mess around, Apple has everythign set up nicely and there are very few successful attacks on Mac's.
    If you don't know what your doing, you can actually do more harm opeing up your machine to poential attack.
    If your more paranoid, then install LittleSnitch, it's a outgoing firewall and notification software with pop-up window to allow/deny on a per program or request basis. You'll be quite shocked how much is going out in the background without your knowledge.

  • Mail or some other software is port scanning

    I've recently updated all of my machines to Yosemite. Ever since then my IP is periodically blocked by my web host (which hosts my website and email). Every time I contact them for support I'm told that my machine is port scanning on port 585 which automatically blocks me. From what they tell me Mac Mail is the culprit. I have found no indication that port 585 is being used. I've even deleted my mail accounts and re-set them up with the settings that the host requested. There are no settings using 585. But again today it has happened again. Does anyone know how Mail could be doing this of if there is another software that could be scanning?

    I think you're being given bogus information, but see below if you want to make sure.
    1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.
    Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.
    2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.
    There are ways to back up a computer that isn't fully functional. Ask if you need guidance.
    3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.
    You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.
    In this case, however, there are a couple of ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the necessary skill can verify what it does.
    You may not be able to understand the script yourself. But variations of the script have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message.
    Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.
    4. Here's a summary of what you need to do, if you choose to proceed:
    ☞ Copy a line of text in this window to the Clipboard.
    ☞ Paste into the window of another application.
    ☞ Wait for the test to run. It usually takes a few minutes.
    ☞ Paste the results, which will have been copied automatically, back into a reply on this page.
    The sequence is: copy, paste, wait, paste again. You don't need to copy a second time. Details follow.
    5. You may have started the computer in "safe" mode. Preferably, these steps should be taken in “normal” mode, under the conditions in which the problem is reproduced. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.
    6. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.
    7. The script is a single long line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, though you may not see all of it in the browser window, and you can then copy it. If you try to select the line by dragging across the part you can see, you won't get all of it.
    Triple-click anywhere in the line of text below on this page to select it:
    PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/libexec;clear;cd;p=(Software Hardware Memory Diagnostics Power FireWire Thunderbolt USB Fonts SerialATA 4 1000 25 5120 KiB/s 1024 85 \\b%% 20480 1 MB/s 25000 ports ' com.clark.\* \*dropbox \*genieo\* \*GoogleDr\* \*k.AutoCAD\* \*k.Maya\* vidinst\* ' DYLD_INSERT_LIBRARIES\ DYLD_LIBRARY_PATH -86 "` route -n get default|awk '/e:/{print $2}' `" 25 N\\/A down up 102400 25600 recvfrom sendto CFBundleIdentifier 25 25 25 1000 MB ' com.adobe.AAM.Updater-1.0 com.adobe.AdobeCreativeCloud com.adobe.CS4ServiceManager com.adobe.CS5ServiceManager com.adobe.fpsaud com.adobe.SwitchBoard com.adobe.SwitchBoard com.apple.aelwriter com.apple.AirPortBaseStationAgent com.apple.FolderActions.enabled com.apple.FolderActions.folders com.apple.FolderActions.folders com.apple.installer.osmessagetracing com.apple.mrt.uiagent com.apple.ReportCrash.Self com.apple.rpmuxd com.apple.SafariNotificationAgent com.apple.usbmuxd com.google.keystone.agent com.google.keystone.daemon com.microsoft.office.licensing.helper com.oracle.java.Helper-Tool com.oracle.java.JavaUpdateHelper com.oracle.java.JavaUpdateHelper ' ' 879294308 461455494 3627668074 1083382502 1274181950 1855907737 2758863019 1848501757 464843899 3694147963 1417519526 1189540302 1233118628 2456546649 2806998573 2778718105 2636415542 842973933 3301885676 891055588 998894468 695903914 1443423563 4136085286 ' 51 5120 files );N5=${#p[@]};p[N5]=` networksetup -listnetworkserviceorder|awk ' NR>1 { sub(/^\([0-9]+\) /,"");n=$0;getline;} $NF=="'${p[26]}')" { sub(/.$/,"",$NF);print n;exit;} ' `;f=('\n%s: %s\n' '\n%s\n\n%s\n' '\nRAM details\n%s\n' %s\ %s '%s\n-\t%s\n' );S0() { echo ' { q=$NF+0;$NF="";u=$(NF-1);$(NF-1)="";gsub(/^ +| +$/,"");if(q>='${p[$1]}') printf("%s (UID %s) is using %s '${p[$2]}'",$0,u,q);} ';};s=(' s/[0-9A-Za-z._]+@[0-9A-Za-z.]+\.[0-9A-Za-z]{2,4}/EMAIL/g;/faceb/s/(at\.)[^.]+/\1NAME/g;/\/Shared/!s/(\/Users\/)[^ /]+/\1USER/g;s/[-0-9A-Fa-f]{22,}/UUID/g;' ' s/^ +//;/de: S|[nst]:/p;' ' {sub(/^ +/,"")};/er:/;/y:/&&$2<'${p[10]} ' 1s/://;3,6d;/[my].+:/d;s/^ {4}//;H;${ g;s/\n$//;/s: (E[^m]|[^EO])|x([^08]|02[^F]|8[^0])/p;} ' ' 5h;6{ H;g;/P/!p;} ' ' ($1~/^Cy/&&$3>'${p[11]}')||($1~/^Cond/&&$2!~/^N/) ' ' /:$/{ N;/:.+:/d;s/ *://;b0'$'\n'' };/^ *(V.+ [0N]|Man).+ /{ s/ 0x.... //;s/[()]//g;s/(.+: )(.+)/ (\2)/;H;};$b0'$'\n'' d;:0'$'\n'' x;s/\n\n//;/Apple[ ,]|Genesy|Intel|SMSC/d;s/\n.*//;/\)$/p;' ' s/^.*C/C/;H;${ g;/No th|pms/!p;} ' '/= [^GO]/p' '{$1=""};1' ' /Of/!{ s/^.+is |\.//g;p;} ' ' $0&&!/ / { n++;print;} END { if(n<10) print "com.apple.";} ' ' { sub(/ :/,"");print|"tail -n'${p[12]}'";} ' ' NR==2&&$4<='${p[13]}' { print $4;} ' ' END { $2/=256;if($2>='${p[15]}') print int($2) } ' ' NR!=13{next};{sub(/[+-]$/,"",$NF)};'"`S0 21 22`" 'NR!=2{next}'"`S0 37 17`" ' NR!=5||$8!~/[RW]/{next};{ $(NF-1)=$1;$NF=int($NF/10000000);for(i=1;i<=3;i++){$i="";$(NF-1-i)="";};};'"`S0 19 20`" 's:^:/:p' '/\.kext\/(Contents\/)?Info\.plist$/p' 's/^.{52}(.+) <.+/\1/p' ' /Launch[AD].+\.plist$/ { n++;print;} END { if(n<200) print "/System/";} ' '/\.xpc\/(Contents\/)?Info\.plist$/p' ' NR>1&&!/0x|\.[0-9]+$|com\.apple\.launchctl\.(Aqua|Background|System)$/ { print $3;} ' ' /\.(framew|lproj)|\):/d;/plist:|:.+(Mach|scrip)/s/:[^:]+//p ' '/^root$/p' ' !/\/Contents\/.+\/Contents|Applic|Autom|Frameworks/&&/Lib.+\/Info.plist$/ { n++;print;} END { if(n<1100) print "/System/";} ' '/^\/usr\/lib\/.+dylib$/p' ' /Temp|emac/{next};/(etc|Preferences|Launch[AD].+)\// { sub(".(/private)?","");n++;print;} END { split("'"${p[41]}"'",b);split("'"${p[42]}"'",c);for(i in b) print b[i]".plist\t"c[i];if(n<500) print "Launch";} ' ' /\/(Contents\/.+\/Contents|Frameworks)\/|\.wdgt\/.+\.([bw]|plu)/d;p;' 's/\/(Contents\/)?Info.plist$//;p' ' { gsub("^| |\n","\\|\\|kMDItem'${p[35]}'=");sub("^...."," ") };1 ' p '{print $3"\t"$1}' 's/\'$'\t''.+//p' 's/1/On/p' '/Prox.+: [^0]/p' '$2>'${p[43]}'{$2=$2-1;print}' ' BEGIN { i="'${p[26]}'";M1='${p[16]}';M2='${p[18]}';M3='${p[31]}';M4='${p[32]}';} !/^A/{next};/%/ { getline;if($5<M1) a="user "$2"%, system "$4"%";} /disk0/&&$4>M2 { b=$3" ops/s, "$4" blocks/s";} $2==i { if(c) { d=$3+$4+$5+$6;next;};if($4>M3||$6>M4) c=int($4/1024)" in, "int($6/1024)" out";} END { if(a) print "CPU: "a;if(b) print "I/O: "b;if(c) print "Net: "c" (KiB/s)";if(d) print "Net errors: "d" packets/s";} ' ' /r\[0\] /&&$NF!~/^1(0|72\.(1[6-9]|2[0-9]|3[0-1])|92\.168)\./ { print $NF;exit;} ' ' !/^T/ { printf "(static)";exit;} ' '/apsd|BKAg|OpenD/!s/:.+//p' ' (/k:/&&$3!~/(255\.){3}0/ )||(/v6:/&&$2!~/A/ ) ' ' $1~"lR"&&$2<='${p[25]}';$1~"li"&&$3!~"wpa2";' ' BEGIN { FS=":";p="uniq -c|sed -E '"'s/ +\\([0-9]+\\)\\(.+\\)/\\\2 x\\\1/;s/x1$//'"'";} { n=split($3,a,".");sub(/_2[01].+/,"",$3);print $2" "$3" "a[n]$1|p;b=b$1;} END { close(p);if(b) print("\n\t* Code injection");} ' ' NR!=4{next} {$NF/=10240} '"`S0 27 14`" ' END { if($3~/[0-9]/)print$3;} ' ' BEGIN { L='${p[36]}';} !/^[[:space:]]*(#.*)?$/ { l++;if(l<=L) f=f"\n   "$0;} END { F=FILENAME;if(!F) exit;if(!f) f="\n   [N/A]";"cksum "F|getline C;split(C, A);C="checksum "A[1];"file -b "F|getline T;if(T!~/^(AS.+ (En.+ )?text(, with v.+)?$|(Bo|PO).+ sh.+ text ex|XM)/) F=F" ("T", "C")";else F=F" ("C")";printf("\nContents of %s\n%s\n",F,f);if(l>L) printf("\n   ...and %s more line(s)\n",l-L);} ' ' s/^ ?n...://p;s/^ ?p...:/-'$'\t''/p;' 's/0/Off/p' ' END{print NR} ' ' /id: N|te: Y/{i++} END{print i} ' ' / / { print "'"${p[28]}"'";exit;};1;' '/ en/!s/\.//p' ' NR!=13{next};{sub(/[+-M]$/,"",$NF)};'"`S0 39 40`" ' $10~/\(L/&&$9!~"localhost" { sub(/.+:/,"",$9);print $1": "$9|"sort|uniq";} ' '/^ +r/s/.+"(.+)".+/\1/p' 's/(.+\.wdgt)\/(Contents\/)?Info\.plist$/\1/p' 's/^.+\/(.+)\.wdgt$/\1/p' ' /l: /{ /DVD/d;s/.+: //;b0'$'\n'' };/s: /{ /V/d;s/^ */- /;H;};$b0'$'\n'' d;:0'$'\n'' x;/APPLE [^:]+$/d;p;' ' /^find: /d;p;' "`S0 44 45`" ' BEGIN{FS="= "} /Path/{print $2} ' ' /^ *$/d;s/^ */   /;' ' s/^.+ |\(.+\)$//g;p ' '/\.(appex|pluginkit)\/Contents\/Info\.plist$/p' ' /2/{print "WARN"};/4/{print "CRITICAL"};' ' /EVHF|MACR/d;s/^.+: //p;' );c1=(system_profiler pmset\ -g nvram fdesetup find syslog df vm_stat sar ps crontab iotop top pkgutil 'PlistBuddy 2>&1 -c "Print' whoami cksum kextstat launchctl smcDiagnose sysctl\ -n defaults\ read stat lsbom mdfind ' for i in ${p[24]};do ${c1[18]} ${c2[27]} $i;done;' pluginkit scutil dtrace profiles sed\ -En awk /S*/*/P*/*/*/C*/*/airport networksetup mdutil lsof test osascript\ -e );c2=(com.apple.loginwindow\ LoginHook '" /L*/P*/loginw*' "'tell app \"System Events\" to get properties of login items'|tr , \\\n" 'L*/Ca*/com.ap*.Saf*/E*/* -d 1 -name In*t -exec '"${c1[14]}"' :CFBundleDisplayName" {} \;|sort|uniq' '~ $TMPDIR.. \( -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! -perm -600 \)' '.??* -path .Trash -prune -o -type d -name *.app -print -prune' :${p[35]}\" :Label\" '{/,}L*/{Con,Pref}* -type f ! -size 0 -name *.plist -exec plutil -s {} \;' "-f'%N: %l' Desktop L*/Keyc*" therm sysload boot-args status " -F '\$Time \$(RefProc): \$Message' -k Sender kernel -k Message Req 'bad |Beac|caug|corru|dead[^bl]|FAIL|fail|GPU |hfs: Ru|inval|jnl:|last value [1-9]|n Cause: -|NVDA\(|pagin|proc: t|Roamed|rror|ssert|Thrott|tim(ed? ?|ing )o|WARN' -k Message Rne 'Goog|ksadm|Roame|SMC:|suhel| VALI|ver-r|xpma' -o -o -k Sender fseventsd -k Message Req SL -o -k Sender Req launchd -k Message Req de: " '-du -n DEV -n EDEV 1 10' 'acrx -o comm,ruid,%cpu' '-t1 10 1' '-f -pfc /var/db/r*/com.apple.*.{BS,Bas,Es,J,OSXU,Rem,up}*.bom' '{/,}L*/Lo*/Diag* -type f -regex .\*[cght] ! -name .?\* ! -name \*ag \( -exec grep -lq "^Thread c" {} \; -exec printf \* \; -o -true \) -execdir stat -f:%Sc:%N -t%F {} \;|sort -t: -k2 |tail -n'${p[38]} '/S*/*/Ca*/*xpc* >&- ||echo No' '-L /{S*/,}L*/StartupItems -type f -exec file {} +' '-L /S*/L*/{C*/Sec*A,Ex}* {/,}L*/{A*d,Ca*/*/Ex,Co{mpon,reM},Ex,In{p,ter},iTu*/*P,Keyb,Mail/B,Pr*P,Qu*T,Scripti,Sec,Servi,Spo,Widg}* -path \\*s/Resources -prune -o -type f -name Info.plist' '/usr/lib -type f -name *.dylib' `awk "${s[31]}"<<<${p[23]}` "/e*/{auto,{cron,fs}tab,hosts,{[lp],sy}*.conf,mach_i*/*,pam.d/*,ssh{,d}_config,*.local} {,/usr/local}/etc/periodic/*/* /L*/P*{,/*}/com.a*.{Bo,sec*.ap}*t {/S*/,/,}L*/Lau*/*t .launchd.conf" list getenv /Library/Preferences/com.apple.alf\ globalstate --proxy '-n get default' -I --dns -getdnsservers\ "${p[N5]}" -getinfo\ "${p[N5]}" -P -m\ / '' -n1 '-R -l1 -n1 -o prt -stats command,uid,prt' '--regexp --only-files --files com.apple.pkg.*|sort|uniq' -kl -l -s\ / '-R -l1 -n1 -o mem -stats command,uid,mem' '+c0 -i4TCP:0-1023' com.apple.dashboard\ layer-gadgets '-d /L*/Mana*/$USER&&echo On' '-app Safari WebKitDNSPrefetchingEnabled' "+c0 -l|awk '{print(\$1,\$3)}'|sort|uniq -c|sort -n|tail -1|awk '{print(\$2,\$3,\$1)}'" -m 'L*/{Con*/*/Data/L*/,}Pref* -type f -size 0c -name *.plist.???????|wc -l' kern.memorystatus_vm_pressure_level '3>&1 >&- 2>&3' );N1=${#c2[@]};for j in {0..9};do c2[N1+j]=SP${p[j]}DataType;done;N2=${#c2[@]};for j in 0 1;do c2[N2+j]="-n ' syscall::'${p[33+j]}':return { @out[execname,uid]=sum(arg0) } tick-10sec { trunc(@out,1);exit(0);} '";done;l=(Restricted\ files Hidden\ apps 'Elapsed time (s)' POST Battery Safari\ extensions Bad\ plists 'High file counts' User Heat System\ load boot\ args FileVault Diagnostic\ reports Log 'Free space (MiB)' 'Swap (MiB)' Activity 'CPU per process' Login\ hook 'I/O per process' Mach\ ports kexts Daemons Agents XPC\ cache Startup\ items Admin\ access Root\ access Bundles dylibs Apps Font\ issues Inserted\ dylibs Firewall Proxies DNS TCP/IP Wi-Fi Profiles Root\ crontab User\ crontab 'Global login items' 'User login items' Spotlight Memory Listeners Widgets Parental\ Controls Prefetching SATA Descriptors App\ extensions Lockfiles Memory\ pressure SMC );N3=${#l[@]};for i in 0 1 2;do l[N3+i]=${p[5+i]};done;N4=${#l[@]};for j in 0 1;do l[N4+j]="Current ${p[29+j]}stream data";done;A0() { id -G|grep -qw 80;v[1]=$?;((v[1]==0))&&sudo true;v[2]=$?;v[3]=`date +%s`;clear >&-;date '+Start time: %T %D%n';};for i in 0 1;do eval ' A'$((1+i))'() { v=` eval "${c1[$1]} ${c2[$2]}"|'${c1[30+i]}' "${s[$3]}" `;[[ "$v" ]];};A'$((3+i))'() { v=` while read i;do [[ "$i" ]]&&eval "${c1[$1]} ${c2[$2]}" \"$i\"|'${c1[30+i]}' "${s[$3]}";done<<<"${v[$4]}" `;[[ "$v" ]];};A'$((5+i))'() { v=` while read i;do '${c1[30+i]}' "${s[$1]}" "$i";done<<<"${v[$2]}" `;[[ "$v" ]];};A'$((7+i))'() { v=` eval sudo "${c1[$1]} ${c2[$2]}"|'${c1[30+i]}' "${s[$3]}" `;[[ "$v" ]];};';done;A9(){ v=$((`date +%s`-v[3]));};B2(){ v[$1]="$v";};for i in 0 1;do eval ' B'$i'() { v=;((v['$((i+1))']==0))||{ v=No;false;};};B'$((3+i))'() { v[$2]=`'${c1[30+i]}' "${s[$3]}"<<<"${v[$1]}"`;} ';done;B5(){ v[$1]="${v[$1]}"$'\n'"${v[$2]}";};B6() { v=` paste -d: <(printf "${v[$1]}") <(printf "${v[$2]}")|awk -F: ' {printf("'"${f[$3]}"'",$1,$2)} ' `;};B7(){ v=`grep -Fv "${v[$1]}"<<<"$v"`;};C0() { [[ "$v" ]]&&sed -E "$s"<<<"$v";};C1() { [[ "$v" ]]&&printf "${f[$1]}" "${l[$2]}" "$v"|sed -E "$s";};C2() { v=`echo $v`;[[ "$v" != 0 ]]&&C1 0 $1;};C3() { v=`sed -E "${s[63]}"<<<"$v"`&&C1 1 $1;};for i in 1 2 7 8;do for j in 0 2 3;do eval D$i$j'(){ A'$i' $1 $2 $3; C'$j' $4;};';done;done;{ A0;D20 0 $((N1+1)) 2;D10 0 $N1 1;B0;C2 27;B0&&! B1&&C2 28;D12 15 37 25 8;A1 0 $((N1+2)) 3;C0;D13 0 $((N1+3)) 4 3;D23 0 $((N1+4)) 5 4;D13 0 $((N1+9)) 59 50;for i in 0 1 2;do D13 0 $((N1+5+i)) 6 $((N3+i));done;D13 1 10 7 9;D13 1 11 8 10;B1&&D73 19 53 67 55;D22 2 12 9 11;D12 3 13 10 12;D23 4 19 44 13;D23 5 14 12 14;D22 6 36 13 15;D22 20 52 66 54;D22 7 37 14 16;D23 8 15 38 17;D22 9 16 16 18;B1&&{ D82 35 49 61 51;D82 11 17 17 20;for i in 0 1;do D82 28 $((N2+i)) 45 $((N4+i));done;};D22 12 44 54 45;D22 12 39 15 21;A1 13 40 18;B2 4;B3 4 0 19;A3 14 6 32 0;B4 0 5 11;A1 17 41 20;B7 5;C3 22;B4 4 6 21;A3 14 7 32 6;B4 0 7 11;B3 4 0 22;A3 14 6 32 0;B4 0 8 11;B5 7 8;B1&&{ A8 18 26 23;B7 7;C3 23;};A2 18 26 23;B7 7;C3 24;D13 4 21 24 26;B4 4 12 26;B3 4 13 27;A1 4 22 29;B7 12;B2 14;A4 14 6 52 14;B2 15;B6 14 15 4;B3 0 0 30;C3 29;A1 4 23 27;B7 13;C3 30;B3 4 0 65;A3 14 6 32 0;B4 0 16 11;A1 26 50 64;B7 16;C3 52;D13 24 24 32 31;D13 25 37 32 33;A2 23 18 28;B2 16;A2 16 25 33;B7 16;B3 0 0 34;B2 21;A6 47 21&&C0;B1&&{ D73 21 0 32 19;D73 10 42 32 40;D82 29 35 46 39;};D23 14 1 62 42;D12 34 43 53 44;D12 22 20 32 25;D22 0 $((N1+8)) 51 32;D13 4 8 41 6;D12 21 28 35 34;D13 27 29 36 35;A2 27 32 39&&{ B2 19;A2 33 33 40;B2 20;B6 19 20 3;};C2 36;D23 33 34 42 37;B1&&D83 35 45 55 46;D23 32 31 43 38;D12 36 47 32 48;D13 10 42 32 41;D13 37 2 48 43;D13 4 5 32 1;D13 4 3 60 5;D12 21 48 49 49;B3 4 22 57;A1 21 46 56;B7 22;B3 0 0 58;C3 47;D22 4 4 50 0;D12 4 51 32 53;D23 22 9 37 7;A9;C2 2;} 2>/dev/null|pbcopy;exit 2>&-
    Copy the selected text to the Clipboard by pressing the key combination command-C.
    8. Launch the built-in Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Click anywhere in the Terminal window and paste by pressing command-V. The text you pasted should vanish immediately. If it doesn't, press the return key.
    9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter
    exec bash
    and press return. Then paste the script again.
    10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. In most cases, the difference is not important. If you don't know the password, or if you prefer not to enter it, press the key combination control-C or just press return  three times at the password prompt. Again, the script will still run.
    If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.
    11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, there will be nothing in the Terminal window and no indication of progress. Wait for the line
    [Process completed]
    to appear. If you don't see it within half an hour or so, the test probably won't complete in a reasonable time. In that case, close the Terminal window and report what happened. No harm will be done.
    12. When the test is complete, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.
    At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.
    If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.
    13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "You are not authorized to post." That's a bug in the forum software. Please post the test results on Pastebin, then post a link here to the page you created.
    14. This is a public forum, and others may give you advice based on the results of the test. They speak only for themselves, and I don't necessarily agree with them.
    Copyright © 2014 by Linc Davis. As the sole author of this work, I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

  • I'm getting a port scanning attack from my iPad?

    A while ago, my dad got me an iPad 2, however, he went on vacation shortly after and used it on his vacation.
    I'm not sure if it was also happening before he went on vacation, however, ever since I got it back, I am getting popup notifications from my firewall (ESET Smart Security 5 Firewall) that there is a port scanning attack coming from 192.168.1.7.
    I logged in to my router via 192.168.1.1, and on my connections list it shows my iPad being 192.168.1.7.
    What the heck is going on? Is this a bad setting from my iPad, or is it possible (somehow, I don't know) that there is some sort of virus/bug with my iPad?
    I switched my ESET firewall to interactive mode and tried to connect a few times, and set some exceptions for iTunes connectivity, etc, but when I go back, the port scanning message keeps coming up. It is not constant, however it is in random time frames. Sometimes it'll happen once every 10 minutes, others once every 30.
    What can I do? Should I try resetting everything to default on my iPad? Is this just a random thing that happens because my firewall is detecting a false positive?
    Please help!
    Thanks,
    Kolgera

    It's very possible that either data is being transfered through your router or iPad2 in a non-standard way or some ping requests between the devices has perhaps caused the notification to display. The following ESET Knowledgebase Article should help: http://kb.eset.com/esetkb/SOLN295
    If this doesn't help or you're unable to reach the page, you can put in a support case request with ESET Customer Care by going to http://go.eset.com/us/support/contact

Maybe you are looking for