Code to detect port scan

Similar Messages

• Detect port scan

  do anyone know how to write a java application that can detect port scan?the situation is like this, i can select the ports for monitoring, and when some one scan my port for vulnerable ports, then the system will alert me about the intrusion!the biggest porblem is how the system will detect the intrusion, when the person must know my ip address and port numbers to connect with my pc, and i dun have a specific port number for them to connect to!
  i really need to see how a sample of code how this is done!thanks!

  Double-posted from http://forum.java.sun.com/thread.jsp?thread=344808&forum=31&message=1423914

• CSA 4.0.3 Exempt certain IPs from being detected as source of port scanning

  We have an in-house vulnerability scanner that regularly
  does port scans and we don't want to see events when the source IP is from the vulnerability scanner.
  We tried a network access rule but it dose not work.
  1) Network Shim is enabled
  2) Network shield rule with Port scan detection is enabled.
  3) Global correlation for scans is set to 100 within 60 minutes.
  Basically we want to keep detecting port scans except scans from a specific IP.

  Thanks Jay for your offer. The thing is NACL does not work in 4.0.x
  Here is TAC responce for later versions (4.5.x or 5.x):
  "It is possible to do this by changing the field "Commuincating with host
  addresses" in the network shield rule. There are 2 ways to do this.
  1. Create an exception rule. The exception rule is of type 'Network
  Shield Rule'. Make it's action 'permit'. Click Port Scan Detection to
  enable it. Include the ip address of the port scanner device in
  "Communicating with host addresses".
  or
  2. Modify the original Network Shield Rule (the one with the deny
  action). Next to "Communicating with host addresses", click 'Insert
  Network Address Set', and click 'New'. In the new window,name the
  network address set. Leave the "Address ranges matching" to and
  change "but not:" to the ip address of the port scanner. Then click
  'save'. Make sure that the Network Shield rule now contains your
  Network address set under "Communicating with host addresses".
  We typically recommend using method 1 because it prevents you from
  having to modify the default rule set. But pick the method that works
  best for your configuration."
  I have to find away without upgrading.

• Port Scan

  i keep getting blocked by a firewall on my website hosting company due to Port Scan. i have tried different pcs but same thing, something from btcentralplus.com is port scanning, it even happened while in a hotel using bt as an isp, any ideas why
  root@host21 [~]# grep 86.157.186.xxx /var/log/lfd.log
  Aug 29 11:28:04 host21 lfd[28813]: *Port Scan* detected from 86.157.186.xxx (GB/United Kingdom/host86-157-186-xxx.range86-157.btcentralpl​us.com). 6 hits in the last 20 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]

  Hi paulpa66,
  I know this is an old thread, so I hope you are still interested in this, (if you are still a BT customer!).
  I'm visiting my parents in the UK at the moment and I am having EXACTLY the same issue as you describe, except I have my own dedicated server in a data centre. I'm actually getting locked out of my own server by my firewall because the CSF firewall was detecting port scans from my parent's BT IP address.
  It first happened yesterday and I got my server support people to remove my parents' IP from the block list and whitelist the IP address.
  I was working late tonight and at midnight the BT broadband connection dropped out. I ended up power cycling the BT router and the connection came back up. About 1-2 hours later I got locked out of my own server again! My tech support said it was the same problem - port scans from my parents IP address, which had unfortunately changed, so was not whitelisted.
  Once it's done it's port scanning it seems to be okay, presumably until their IP changes again ...
  This is a real pain!

• I've been blocked because I'm port scanning?!

  Servers from work keep throwing blocks up on me because they said they have detected port scanning coming from my IP. Before I go any futher, please forgive me for not knowing my macbook pro inside out. I've google just about every combination of phrases and keywords that halfway relate to my issue and I'm still coming up blank. I downloaded Little Snitch to see if I had anything suspicious going out, but the only thing I see, and it concerns me, is "mDNSResponder" hitting about every 4 seconds. it doesn't say there are any actual connections, but something is going on. Under connection stats it says: UDP ports dns(53) followed by a long list of high numbered ports (49411 & up). It also has 2 IP address associated with it, but not sure if that has anything to do with it.
  I saw a lot of talk about finding the mdnsresponder.plist, but that file is not on my mbp. I've gone back as far as my time machine allows and don't see that file either. I just reinstalled a fresh OS and I still have this problem.
  Thank you in advance for any help!

  No PC on my network, but I did install Windows 7 a few weeks ago on Parallels 7. It didn't install correctly, so I uninstalled. I haven't attempted since.

• *Port Scan* detected - Blocked by host

  Hi all.
  I'm having almost word for word the same issue as this person a couple of years ago: http://discussions.apple.com/message.jspa?messageID=8648363.
  I am using Cyberduck (but have also used filezilla with the same results) and am trying to download and upload files to my website. My host has blocked my IP a number of times, and has told me that I'm making the server think that I'm port scanning. This is the error that they have given me:
  +DENY xxx.xxx.xxx.xxx *in27m 23slfd – *Port Scan* detected from xxx.xxx.xxx.xxx. 11 hits in the last 263 seconds+
  As per the suggestions in the other thread, I have scanned my computer and checked security etc. Everything appears to be fine. After installing LittleSnitch, I have discovered that my ftp client is attempting to connect to a bundle of different ports. This is a screenshot of what LittleSnitch showed: screenshot. It got up to about 80 different ports before I clicked "allow all" (at this stage, my host had whitelisted my IP to allow me to troubleshoot, but my IP is dynamic and has since changed, so I can no longer test like this).
  On another forum, someone told me to connect using an ACTIVE connection - if I do this, I can download/upload a small amount of files (between 5-20) before it starts trying to connect to ports other than 21. At this stage I have to shut it down as I don't want to be blocked again.
  Any ideas? I thought I had this sorted out, but it turned out my host had whitelisted me (I hadn't requested it at that stage), and now that I have a new IP address, I'm back to square one. This started happening about 5 days ago - I have been uploading and downloading files using Cyberduck for over 5 years now, with no issues. My computer hasn't changed recently, my internet connection hasn't changed recently, Cyberduck hasn't changed recently (although I did update it to the latest version this morning to try and fix the problem to no avail), I have changed hosts, but I have downloaded files since then without issue, it's only recently that things have changed.

  Looks like I can't edit my original question...
  The problem is still happening, I've been doing some testing to narrow it down...
  + it's not just my computer (have also tried from my mums PowerPC and my sisters iMac), although it could be a mac thing (I don't have a windows machine to test from, only windows running on a mac, though I will give that a shot later)
  + it's not my internet connection (although it could be my ISP - I tested at my sisters place, who uses the same ISP as me, am looking for another testing location that has a different ISP)
  + it's not my website (have tried uploading to a completely unrelated website with similar results)
  + it's not cyberduck (have tried with filezilla, similar results, also tried via terminal - I don't know how to upload files, but when I connected, it connected through a different port, a 5 digit number, can't remember what now).
  Not too sure where to go from here...

• Mail or some other software is port scanning

  I've recently updated all of my machines to Yosemite. Ever since then my IP is periodically blocked by my web host (which hosts my website and email). Every time I contact them for support I'm told that my machine is port scanning on port 585 which automatically blocks me. From what they tell me Mac Mail is the culprit. I have found no indication that port 585 is being used. I've even deleted my mail accounts and re-set them up with the settings that the host requested. There are no settings using 585. But again today it has happened again. Does anyone know how Mail could be doing this of if there is another software that could be scanning?

  I think you're being given bogus information, but see below if you want to make sure.
  1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.
  Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.
  2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.
  There are ways to back up a computer that isn't fully functional. Ask if you need guidance.
  3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.
  You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.
  In this case, however, there are a couple of ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the necessary skill can verify what it does.
  You may not be able to understand the script yourself. But variations of the script have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message.
  Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.
  4. Here's a summary of what you need to do, if you choose to proceed:
  ☞ Copy a line of text in this window to the Clipboard.
  ☞ Paste into the window of another application.
  ☞ Wait for the test to run. It usually takes a few minutes.
  ☞ Paste the results, which will have been copied automatically, back into a reply on this page.
  The sequence is: copy, paste, wait, paste again. You don't need to copy a second time. Details follow.
  5. You may have started the computer in "safe" mode. Preferably, these steps should be taken in “normal” mode, under the conditions in which the problem is reproduced. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.
  6. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.
  7. The script is a single long line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, though you may not see all of it in the browser window, and you can then copy it. If you try to select the line by dragging across the part you can see, you won't get all of it.
  Triple-click anywhere in the line of text below on this page to select it:
  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/libexec;clear;cd;p=(Software Hardware Memory Diagnostics Power FireWire Thunderbolt USB Fonts SerialATA 4 1000 25 5120 KiB/s 1024 85 \\b%% 20480 1 MB/s 25000 ports ' com.clark.\* \*dropbox \*genieo\* \*GoogleDr\* \*k.AutoCAD\* \*k.Maya\* vidinst\* ' DYLD_INSERT_LIBRARIES\ DYLD_LIBRARY_PATH -86 "` route -n get default|awk '/e:/{print $2}' `" 25 N\\/A down up 102400 25600 recvfrom sendto CFBundleIdentifier 25 25 25 1000 MB ' com.adobe.AAM.Updater-1.0 com.adobe.AdobeCreativeCloud com.adobe.CS4ServiceManager com.adobe.CS5ServiceManager com.adobe.fpsaud com.adobe.SwitchBoard com.adobe.SwitchBoard com.apple.aelwriter com.apple.AirPortBaseStationAgent com.apple.FolderActions.enabled com.apple.FolderActions.folders com.apple.FolderActions.folders com.apple.installer.osmessagetracing com.apple.mrt.uiagent com.apple.ReportCrash.Self com.apple.rpmuxd com.apple.SafariNotificationAgent com.apple.usbmuxd com.google.keystone.agent com.google.keystone.daemon com.microsoft.office.licensing.helper com.oracle.java.Helper-Tool com.oracle.java.JavaUpdateHelper com.oracle.java.JavaUpdateHelper ' ' 879294308 461455494 3627668074 1083382502 1274181950 1855907737 2758863019 1848501757 464843899 3694147963 1417519526 1189540302 1233118628 2456546649 2806998573 2778718105 2636415542 842973933 3301885676 891055588 998894468 695903914 1443423563 4136085286 ' 51 5120 files );N5=${#p[@]};p[N5]=` networksetup -listnetworkserviceorder|awk ' NR>1 { sub(/^\([0-9]+\) /,"");n=$0;getline;} $NF=="'${p[26]}')" { sub(/.$/,"",$NF);print n;exit;} ' `;f=('\n%s: %s\n' '\n%s\n\n%s\n' '\nRAM details\n%s\n' %s\ %s '%s\n-\t%s\n' );S0() { echo ' { q=$NF+0;$NF="";u=$(NF-1);$(NF-1)="";gsub(/^ +| +$/,"");if(q>='${p[$1]}') printf("%s (UID %s) is using %s '${p[$2]}'",$0,u,q);} ';};s=(' s/[0-9A-Za-z._]+@[0-9A-Za-z.]+\.[0-9A-Za-z]{2,4}/EMAIL/g;/faceb/s/(at\.)[^.]+/\1NAME/g;/\/Shared/!s/(\/Users\/)[^ /]+/\1USER/g;s/[-0-9A-Fa-f]{22,}/UUID/g;' ' s/^ +//;/de: S|[nst]:/p;' ' {sub(/^ +/,"")};/er:/;/y:/&&$2<'${p[10]} ' 1s/://;3,6d;/[my].+:/d;s/^ {4}//;H;${ g;s/\n$//;/s: (E[^m]|[^EO])|x([^08]|02[^F]|8[^0])/p;} ' ' 5h;6{ H;g;/P/!p;} ' ' ($1~/^Cy/&&$3>'${p[11]}')||($1~/^Cond/&&$2!~/^N/) ' ' /:$/{ N;/:.+:/d;s/ *://;b0'$'\n'' };/^ *(V.+ [0N]|Man).+ /{ s/ 0x.... //;s/[()]//g;s/(.+: )(.+)/ (\2)/;H;};$b0'$'\n'' d;:0'$'\n'' x;s/\n\n//;/Apple[ ,]|Genesy|Intel|SMSC/d;s/\n.*//;/\)$/p;' ' s/^.*C/C/;H;${ g;/No th|pms/!p;} ' '/= [^GO]/p' '{$1=""};1' ' /Of/!{ s/^.+is |\.//g;p;} ' ' $0&&!/ / { n++;print;} END { if(n<10) print "com.apple.";} ' ' { sub(/ :/,"");print|"tail -n'${p[12]}'";} ' ' NR==2&&$4<='${p[13]}' { print $4;} ' ' END { $2/=256;if($2>='${p[15]}') print int($2) } ' ' NR!=13{next};{sub(/[+-]$/,"",$NF)};'"`S0 21 22`" 'NR!=2{next}'"`S0 37 17`" ' NR!=5||$8!~/[RW]/{next};{ $(NF-1)=$1;$NF=int($NF/10000000);for(i=1;i<=3;i++){$i="";$(NF-1-i)="";};};'"`S0 19 20`" 's:^:/:p' '/\.kext\/(Contents\/)?Info\.plist$/p' 's/^.{52}(.+) <.+/\1/p' ' /Launch[AD].+\.plist$/ { n++;print;} END { if(n<200) print "/System/";} ' '/\.xpc\/(Contents\/)?Info\.plist$/p' ' NR>1&&!/0x|\.[0-9]+$|com\.apple\.launchctl\.(Aqua|Background|System)$/ { print $3;} ' ' /\.(framew|lproj)|\):/d;/plist:|:.+(Mach|scrip)/s/:[^:]+//p ' '/^root$/p' ' !/\/Contents\/.+\/Contents|Applic|Autom|Frameworks/&&/Lib.+\/Info.plist$/ { n++;print;} END { if(n<1100) print "/System/";} ' '/^\/usr\/lib\/.+dylib$/p' ' /Temp|emac/{next};/(etc|Preferences|Launch[AD].+)\// { sub(".(/private)?","");n++;print;} END { split("'"${p[41]}"'",b);split("'"${p[42]}"'",c);for(i in b) print b[i]".plist\t"c[i];if(n<500) print "Launch";} ' ' /\/(Contents\/.+\/Contents|Frameworks)\/|\.wdgt\/.+\.([bw]|plu)/d;p;' 's/\/(Contents\/)?Info.plist$//;p' ' { gsub("^| |\n","\\|\\|kMDItem'${p[35]}'=");sub("^...."," ") };1 ' p '{print $3"\t"$1}' 's/\'$'\t''.+//p' 's/1/On/p' '/Prox.+: [^0]/p' '$2>'${p[43]}'{$2=$2-1;print}' ' BEGIN { i="'${p[26]}'";M1='${p[16]}';M2='${p[18]}';M3='${p[31]}';M4='${p[32]}';} !/^A/{next};/%/ { getline;if($5<M1) a="user "$2"%, system "$4"%";} /disk0/&&$4>M2 { b=$3" ops/s, "$4" blocks/s";} $2==i { if(c) { d=$3+$4+$5+$6;next;};if($4>M3||$6>M4) c=int($4/1024)" in, "int($6/1024)" out";} END { if(a) print "CPU: "a;if(b) print "I/O: "b;if(c) print "Net: "c" (KiB/s)";if(d) print "Net errors: "d" packets/s";} ' ' /r\[0\] /&&$NF!~/^1(0|72\.(1[6-9]|2[0-9]|3[0-1])|92\.168)\./ { print $NF;exit;} ' ' !/^T/ { printf "(static)";exit;} ' '/apsd|BKAg|OpenD/!s/:.+//p' ' (/k:/&&$3!~/(255\.){3}0/ )||(/v6:/&&$2!~/A/ ) ' ' $1~"lR"&&$2<='${p[25]}';$1~"li"&&$3!~"wpa2";' ' BEGIN { FS=":";p="uniq -c|sed -E '"'s/ +\\([0-9]+\\)\\(.+\\)/\\\2 x\\\1/;s/x1$//'"'";} { n=split($3,a,".");sub(/_2[01].+/,"",$3);print $2" "$3" "a[n]$1|p;b=b$1;} END { close(p);if(b) print("\n\t* Code injection");} ' ' NR!=4{next} {$NF/=10240} '"`S0 27 14`" ' END { if($3~/[0-9]/)print$3;} ' ' BEGIN { L='${p[36]}';} !/^[[:space:]]*(#.*)?$/ { l++;if(l<=L) f=f"\n   "$0;} END { F=FILENAME;if(!F) exit;if(!f) f="\n   [N/A]";"cksum "F|getline C;split(C, A);C="checksum "A[1];"file -b "F|getline T;if(T!~/^(AS.+ (En.+ )?text(, with v.+)?$|(Bo|PO).+ sh.+ text ex|XM)/) F=F" ("T", "C")";else F=F" ("C")";printf("\nContents of %s\n%s\n",F,f);if(l>L) printf("\n   ...and %s more line(s)\n",l-L);} ' ' s/^ ?n...://p;s/^ ?p...:/-'$'\t''/p;' 's/0/Off/p' ' END{print NR} ' ' /id: N|te: Y/{i++} END{print i} ' ' / / { print "'"${p[28]}"'";exit;};1;' '/ en/!s/\.//p' ' NR!=13{next};{sub(/[+-M]$/,"",$NF)};'"`S0 39 40`" ' $10~/\(L/&&$9!~"localhost" { sub(/.+:/,"",$9);print $1": "$9|"sort|uniq";} ' '/^ +r/s/.+"(.+)".+/\1/p' 's/(.+\.wdgt)\/(Contents\/)?Info\.plist$/\1/p' 's/^.+\/(.+)\.wdgt$/\1/p' ' /l: /{ /DVD/d;s/.+: //;b0'$'\n'' };/s: /{ /V/d;s/^ */- /;H;};$b0'$'\n'' d;:0'$'\n'' x;/APPLE [^:]+$/d;p;' ' /^find: /d;p;' "`S0 44 45`" ' BEGIN{FS="= "} /Path/{print $2} ' ' /^ *$/d;s/^ */   /;' ' s/^.+ |\(.+\)$//g;p ' '/\.(appex|pluginkit)\/Contents\/Info\.plist$/p' ' /2/{print "WARN"};/4/{print "CRITICAL"};' ' /EVHF|MACR/d;s/^.+: //p;' );c1=(system_profiler pmset\ -g nvram fdesetup find syslog df vm_stat sar ps crontab iotop top pkgutil 'PlistBuddy 2>&1 -c "Print' whoami cksum kextstat launchctl smcDiagnose sysctl\ -n defaults\ read stat lsbom mdfind ' for i in ${p[24]};do ${c1[18]} ${c2[27]} $i;done;' pluginkit scutil dtrace profiles sed\ -En awk /S*/*/P*/*/*/C*/*/airport networksetup mdutil lsof test osascript\ -e );c2=(com.apple.loginwindow\ LoginHook '" /L*/P*/loginw*' "'tell app \"System Events\" to get properties of login items'|tr , \\\n" 'L*/Ca*/com.ap*.Saf*/E*/* -d 1 -name In*t -exec '"${c1[14]}"' :CFBundleDisplayName" {} \;|sort|uniq' '~ $TMPDIR.. \( -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! -perm -600 \)' '.??* -path .Trash -prune -o -type d -name *.app -print -prune' :${p[35]}\" :Label\" '{/,}L*/{Con,Pref}* -type f ! -size 0 -name *.plist -exec plutil -s {} \;' "-f'%N: %l' Desktop L*/Keyc*" therm sysload boot-args status " -F '\$Time \$(RefProc): \$Message' -k Sender kernel -k Message Req 'bad |Beac|caug|corru|dead[^bl]|FAIL|fail|GPU |hfs: Ru|inval|jnl:|last value [1-9]|n Cause: -|NVDA\(|pagin|proc: t|Roamed|rror|ssert|Thrott|tim(ed? ?|ing )o|WARN' -k Message Rne 'Goog|ksadm|Roame|SMC:|suhel| VALI|ver-r|xpma' -o -o -k Sender fseventsd -k Message Req SL -o -k Sender Req launchd -k Message Req de: " '-du -n DEV -n EDEV 1 10' 'acrx -o comm,ruid,%cpu' '-t1 10 1' '-f -pfc /var/db/r*/com.apple.*.{BS,Bas,Es,J,OSXU,Rem,up}*.bom' '{/,}L*/Lo*/Diag* -type f -regex .\*[cght] ! -name .?\* ! -name \*ag \( -exec grep -lq "^Thread c" {} \; -exec printf \* \; -o -true \) -execdir stat -f:%Sc:%N -t%F {} \;|sort -t: -k2 |tail -n'${p[38]} '/S*/*/Ca*/*xpc* >&- ||echo No' '-L /{S*/,}L*/StartupItems -type f -exec file {} +' '-L /S*/L*/{C*/Sec*A,Ex}* {/,}L*/{A*d,Ca*/*/Ex,Co{mpon,reM},Ex,In{p,ter},iTu*/*P,Keyb,Mail/B,Pr*P,Qu*T,Scripti,Sec,Servi,Spo,Widg}* -path \\*s/Resources -prune -o -type f -name Info.plist' '/usr/lib -type f -name *.dylib' `awk "${s[31]}"<<<${p[23]}` "/e*/{auto,{cron,fs}tab,hosts,{[lp],sy}*.conf,mach_i*/*,pam.d/*,ssh{,d}_config,*.local} {,/usr/local}/etc/periodic/*/* /L*/P*{,/*}/com.a*.{Bo,sec*.ap}*t {/S*/,/,}L*/Lau*/*t .launchd.conf" list getenv /Library/Preferences/com.apple.alf\ globalstate --proxy '-n get default' -I --dns -getdnsservers\ "${p[N5]}" -getinfo\ "${p[N5]}" -P -m\ / '' -n1 '-R -l1 -n1 -o prt -stats command,uid,prt' '--regexp --only-files --files com.apple.pkg.*|sort|uniq' -kl -l -s\ / '-R -l1 -n1 -o mem -stats command,uid,mem' '+c0 -i4TCP:0-1023' com.apple.dashboard\ layer-gadgets '-d /L*/Mana*/$USER&&echo On' '-app Safari WebKitDNSPrefetchingEnabled' "+c0 -l|awk '{print(\$1,\$3)}'|sort|uniq -c|sort -n|tail -1|awk '{print(\$2,\$3,\$1)}'" -m 'L*/{Con*/*/Data/L*/,}Pref* -type f -size 0c -name *.plist.???????|wc -l' kern.memorystatus_vm_pressure_level '3>&1 >&- 2>&3' );N1=${#c2[@]};for j in {0..9};do c2[N1+j]=SP${p[j]}DataType;done;N2=${#c2[@]};for j in 0 1;do c2[N2+j]="-n ' syscall::'${p[33+j]}':return { @out[execname,uid]=sum(arg0) } tick-10sec { trunc(@out,1);exit(0);} '";done;l=(Restricted\ files Hidden\ apps 'Elapsed time (s)' POST Battery Safari\ extensions Bad\ plists 'High file counts' User Heat System\ load boot\ args FileVault Diagnostic\ reports Log 'Free space (MiB)' 'Swap (MiB)' Activity 'CPU per process' Login\ hook 'I/O per process' Mach\ ports kexts Daemons Agents XPC\ cache Startup\ items Admin\ access Root\ access Bundles dylibs Apps Font\ issues Inserted\ dylibs Firewall Proxies DNS TCP/IP Wi-Fi Profiles Root\ crontab User\ crontab 'Global login items' 'User login items' Spotlight Memory Listeners Widgets Parental\ Controls Prefetching SATA Descriptors App\ extensions Lockfiles Memory\ pressure SMC );N3=${#l[@]};for i in 0 1 2;do l[N3+i]=${p[5+i]};done;N4=${#l[@]};for j in 0 1;do l[N4+j]="Current ${p[29+j]}stream data";done;A0() { id -G|grep -qw 80;v[1]=$?;((v[1]==0))&&sudo true;v[2]=$?;v[3]=`date +%s`;clear >&-;date '+Start time: %T %D%n';};for i in 0 1;do eval ' A'$((1+i))'() { v=` eval "${c1[$1]} ${c2[$2]}"|'${c1[30+i]}' "${s[$3]}" `;[[ "$v" ]];};A'$((3+i))'() { v=` while read i;do [[ "$i" ]]&&eval "${c1[$1]} ${c2[$2]}" \"$i\"|'${c1[30+i]}' "${s[$3]}";done<<<"${v[$4]}" `;[[ "$v" ]];};A'$((5+i))'() { v=` while read i;do '${c1[30+i]}' "${s[$1]}" "$i";done<<<"${v[$2]}" `;[[ "$v" ]];};A'$((7+i))'() { v=` eval sudo "${c1[$1]} ${c2[$2]}"|'${c1[30+i]}' "${s[$3]}" `;[[ "$v" ]];};';done;A9(){ v=$((`date +%s`-v[3]));};B2(){ v[$1]="$v";};for i in 0 1;do eval ' B'$i'() { v=;((v['$((i+1))']==0))||{ v=No;false;};};B'$((3+i))'() { v[$2]=`'${c1[30+i]}' "${s[$3]}"<<<"${v[$1]}"`;} ';done;B5(){ v[$1]="${v[$1]}"$'\n'"${v[$2]}";};B6() { v=` paste -d: <(printf "${v[$1]}") <(printf "${v[$2]}")|awk -F: ' {printf("'"${f[$3]}"'",$1,$2)} ' `;};B7(){ v=`grep -Fv "${v[$1]}"<<<"$v"`;};C0() { [[ "$v" ]]&&sed -E "$s"<<<"$v";};C1() { [[ "$v" ]]&&printf "${f[$1]}" "${l[$2]}" "$v"|sed -E "$s";};C2() { v=`echo $v`;[[ "$v" != 0 ]]&&C1 0 $1;};C3() { v=`sed -E "${s[63]}"<<<"$v"`&&C1 1 $1;};for i in 1 2 7 8;do for j in 0 2 3;do eval D$i$j'(){ A'$i' $1 $2 $3; C'$j' $4;};';done;done;{ A0;D20 0 $((N1+1)) 2;D10 0 $N1 1;B0;C2 27;B0&&! B1&&C2 28;D12 15 37 25 8;A1 0 $((N1+2)) 3;C0;D13 0 $((N1+3)) 4 3;D23 0 $((N1+4)) 5 4;D13 0 $((N1+9)) 59 50;for i in 0 1 2;do D13 0 $((N1+5+i)) 6 $((N3+i));done;D13 1 10 7 9;D13 1 11 8 10;B1&&D73 19 53 67 55;D22 2 12 9 11;D12 3 13 10 12;D23 4 19 44 13;D23 5 14 12 14;D22 6 36 13 15;D22 20 52 66 54;D22 7 37 14 16;D23 8 15 38 17;D22 9 16 16 18;B1&&{ D82 35 49 61 51;D82 11 17 17 20;for i in 0 1;do D82 28 $((N2+i)) 45 $((N4+i));done;};D22 12 44 54 45;D22 12 39 15 21;A1 13 40 18;B2 4;B3 4 0 19;A3 14 6 32 0;B4 0 5 11;A1 17 41 20;B7 5;C3 22;B4 4 6 21;A3 14 7 32 6;B4 0 7 11;B3 4 0 22;A3 14 6 32 0;B4 0 8 11;B5 7 8;B1&&{ A8 18 26 23;B7 7;C3 23;};A2 18 26 23;B7 7;C3 24;D13 4 21 24 26;B4 4 12 26;B3 4 13 27;A1 4 22 29;B7 12;B2 14;A4 14 6 52 14;B2 15;B6 14 15 4;B3 0 0 30;C3 29;A1 4 23 27;B7 13;C3 30;B3 4 0 65;A3 14 6 32 0;B4 0 16 11;A1 26 50 64;B7 16;C3 52;D13 24 24 32 31;D13 25 37 32 33;A2 23 18 28;B2 16;A2 16 25 33;B7 16;B3 0 0 34;B2 21;A6 47 21&&C0;B1&&{ D73 21 0 32 19;D73 10 42 32 40;D82 29 35 46 39;};D23 14 1 62 42;D12 34 43 53 44;D12 22 20 32 25;D22 0 $((N1+8)) 51 32;D13 4 8 41 6;D12 21 28 35 34;D13 27 29 36 35;A2 27 32 39&&{ B2 19;A2 33 33 40;B2 20;B6 19 20 3;};C2 36;D23 33 34 42 37;B1&&D83 35 45 55 46;D23 32 31 43 38;D12 36 47 32 48;D13 10 42 32 41;D13 37 2 48 43;D13 4 5 32 1;D13 4 3 60 5;D12 21 48 49 49;B3 4 22 57;A1 21 46 56;B7 22;B3 0 0 58;C3 47;D22 4 4 50 0;D12 4 51 32 53;D23 22 9 37 7;A9;C2 2;} 2>/dev/null|pbcopy;exit 2>&-
  Copy the selected text to the Clipboard by pressing the key combination command-C.
  8. Launch the built-in Terminal application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
  Click anywhere in the Terminal window and paste by pressing command-V. The text you pasted should vanish immediately. If it doesn't, press the return key.
  9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter
  exec bash
  and press return. Then paste the script again.
  10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. In most cases, the difference is not important. If you don't know the password, or if you prefer not to enter it, press the key combination control-C or just press return  three times at the password prompt. Again, the script will still run.
  If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.
  11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, there will be nothing in the Terminal window and no indication of progress. Wait for the line
  [Process completed]
  to appear. If you don't see it within half an hour or so, the test probably won't complete in a reasonable time. In that case, close the Terminal window and report what happened. No harm will be done.
  12. When the test is complete, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.
  At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.
  If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.
  13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "You are not authorized to post." That's a bug in the forum software. Please post the test results on Pastebin, then post a link here to the page you created.
  14. This is a public forum, and others may give you advice based on the results of the test. They speak only for themselves, and I don't necessarily agree with them.
  Copyright © 2014 by Linc Davis. As the sole author of this work, I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

• I'm getting a port scanning attack from my iPad?

  A while ago, my dad got me an iPad 2, however, he went on vacation shortly after and used it on his vacation.
  I'm not sure if it was also happening before he went on vacation, however, ever since I got it back, I am getting popup notifications from my firewall (ESET Smart Security 5 Firewall) that there is a port scanning attack coming from 192.168.1.7.
  I logged in to my router via 192.168.1.1, and on my connections list it shows my iPad being 192.168.1.7.
  What the heck is going on? Is this a bad setting from my iPad, or is it possible (somehow, I don't know) that there is some sort of virus/bug with my iPad?
  I switched my ESET firewall to interactive mode and tried to connect a few times, and set some exceptions for iTunes connectivity, etc, but when I go back, the port scanning message keeps coming up. It is not constant, however it is in random time frames. Sometimes it'll happen once every 10 minutes, others once every 30.
  What can I do? Should I try resetting everything to default on my iPad? Is this just a random thing that happens because my firewall is detecting a false positive?
  Please help!
  Thanks,
  Kolgera

  It's very possible that either data is being transfered through your router or iPad2 in a non-standard way or some ping requests between the devices has perhaps caused the notification to display. The following ESET Knowledgebase Article should help: http://kb.eset.com/esetkb/SOLN295
  If this doesn't help or you're unable to reach the page, you can put in a support case request with ESET Customer Care by going to http://go.eset.com/us/support/contact

• Port scan confirmed open ports on my Airport

  Hi, I just did a port scan on my out word IP address. This is the add that is on the network side of my AP. I am using an APExtreme Latest version. I thought my settings were secure, but when my portscan showed these open ports I realized it wasn't.
  OPEN:
  53 DNS (good)
  554 rtsp (QTime?)
  5009 (bad?)
  7070 arcp (QtimeStreaming?)
  10000 ndmp (bad?)
  Question how do I secure these specific ports?
  Thanks you!!

  Hi again BD,
  +The Router wouldn't be set to DMZ to the Printer by chance would it?+
  It's not something I would consider doing, or have on my network. Can something like this be logged? (well, that said why leave a log file that would be detectable?) Or is there a test, maybe a command similar to ifconfig or some such debugger?
  +Seems like the Printer must be using Bonjour only to avertize itself.+
  I thought I had disabled Bonjour using a suggested method to make an archive of ARDesktop, trash the app and leave the zip in the CoreServices folder. Maybe, something else is directing it to the outward address?
  +Can't you set the Printers IP to a Static Local IP? in the same range as your Router+
  Well I tried that but the "enter" command remained grayed out in spite of verifying the printer address. I believe AirPortUtility has an automatic function, at least I remember, when I set up the printer a few weeks ago, the process being transparent. It did all of the work for me. Since I started having problems, though, nothing has worked.
  Well, if you have any ideas or you see something out of place let me know.
  Thanks!
  Pat

• Symantec reporting port scan

  I've received a couple of alerts from Symantec anti-virus on a server and client computer saying that it is being port scanned. I was wondering what a network administrator would do about these warnings? Should I just setup a wireshark capture on the computer and see where the scans are coming from or is there a better method to detect devices in your network that are port scanning?
  Thanks for the advice        

  The it reported to port scans?
  1 From the WLC
  1 From an LAP - If the LAP was not associated to the WLC how do you know it was a LAP?
  How often do these alerts trigger?     
  CCNP, CCIP, CCDP, CCNA: Security/Wireless
  Blog: http://ccie-or-null.net/

• Port Scan with Network Utility

  I'm a little confused by the results of a port scan I just completed using Network Utility. With ARD checked in the Sharing Services pane I believe that ports 5900 and 3283 are opened but while the port scan revealed that TCP 5900 was opened there was no mention of 3283. Could this be why I'm having trouble Observing and Controlling a remote machine? I have also checked all Access Privileges for ARD.
  Hoping someone can throw a little light on the subject.

  Thank you JD and Dave for your responses.
  I've moved on a little since my post of a week ago and although I still can't work out why the Network Utility port scan didn't detect 3283 I have been able to connect to and Observe and Control a remote client on my small LAN. I have two machines connected through a Linksys router - one connected with airport and one directly connected with ethernet.
  On the Admin machine (machine A) I have four accounts: New York, LA, Chicago and Miami.
  On the Client machine (machine B) I also have four accounts: London, Paris, Rome and Berlin.
  The main account for machine A has been New York and for machine B has been London. I have been unable to use the Observe and Control feature from New York to London although all other services are available.
  As a test I opened three other accounts on each of the two machines and discovered that I could Observe and Control using any combination of the new accounts but still not the original New York account. I have also connected to machine B using a dns service address so this tells me that port forwarding on the router is configured correctly.
  I believe there is probably something in the configuration or preferences files of the New York account which is preventing me from connecting to any of the other accounts on machine B. The error message I get when trying to Control or Observe is "Connection Failed to Machine B".
  Any thoughts on the matter would be greatly appreciated.

• Issues with McAfee IPS and HP PhotoSmart Premium C309g-m performing port scan

  Trying to run a HP PhotoSmart Premium C309g-m printer wirelessly and connect to a laptop computer with Windows 7 32-bit operating system.  Printer is available for about 3 and a half minutes and then is blocked by McAfee because the printer is trying to perform a UDP port scan.  The IP address of the printer is blocked for 10 minutes and then becomes available again.  After about 3 and a half minutes, the printer IP address is again blocked by McAfee IPS for 10 minutes and the cycle repeats again.  Goes on all day.  Difficult to get any work done.  Anyone have a fix to stop the port scans?  Thanks

  Hello JWB46,
  Welcome to the HP Forums!
  I understand when you scan a document, it takes longer and the background is black with horizontal white lines or a greenish background. I will do my best to assist you! First, I need to find out your operating system on your computer? Windows or Mac?
  How is this printer connected? Wireless or USB?
  Please make sure you have followed this entire HP document on Color or Brightness Level of Scanned Image is Not Correct. I would like to test out the hardware within your printer. Try copying a blank document on the scanner glass. Let me know if you have the same results. I will be looking forward to hearing from you. Have a great night!
  I worked on behalf of HP.

• My MBP is port scanning, and I dont know why!

  Ever since this Tuesday at the office (we're all running macs) the internet keeps going down.
  I called the ISP, they told me that one of the machines looks like it has a virus running, one of them is port scanning- and that overflowed the router and froze it.
  Turns out its my personal MacBook Pro that matches the IP address he gave me. I was FTP'd into a server and downloading a website for backup.
  He said something like ports 4400- 58,000 were being scanned sequentially and that it seemed like there was a virus on the computer, I was shocked- and told him that we were all on macs. Perhaps the FTP client (called "fetch") failed to connect to one port and tried another and another ect. But, the tech guy also said that it wasn't on FTP protocol.
  Today I've been working on securing my machine. I stopped using the Wi-fi, turned on my firewall ( I know, bad idea to not have it on ) and installed ClamXav and Little Snitch.
  Perhaps I have some kind of malware? Is it too late?
  Help!

  Isp's always blame things on the mac when they don't know why something is happening to their network.
  You could launch Activity monitor and look at all the processes that are running. Sort it my cpu cycles. There could be an application stuck in update mode or one trying to phone home..like adobe updater.

• Port Scan is shooting blanks

  I am finding it painful to set up VPN so any help anyone can give would be real generous.
  I have been trying to connect to a VPN to tunnel L2TP via IPsec over port 1701 and PPTP over port 1723 but having no joy at all.
  Macbook (10.5.6) uses mobile broadband USB modem (dynamic IP and telecom APN settings) to access internet. Internet works great, but have been unable to push thru VPN – getting the same error message "Connection terminated by communication device". I've checked firewall settings and it is set to allow all incoming requests. Therefore, there should be no ports blocked.
  However, when I check open ports using Port Scan in Network Utilities using my session IP address the results are empty. All I get is the following:
  Port Scan has started ...
  Port Scanning host: 193.120.116.180
  Port Scan has completed ...
  Why is this not working? I'm confused
  Am I able to check open ports on my Mac using dynamic IP address within active session on my Mac?

  I am trying to set up connection to PureVPN for security purposes and have followed their config settings for my Macbook.
  So how do I check the ports on my machine, as I'm sure it's not a problem at their end. I only have one machine so don't understand how it is possible to see if ports are being blocked at my end.
  Do I run that /var/log/ppp.log in Terminal?

• Is this port scanning?

  Hello all,
  I’m a new Oracle Administrator and I want to ask the following question:
  I have one 10g R2 Database Server (myhost.mydomain) running a DB with SID=DB1 on a Linux Redhat Server.
  There is another 10g R2 Database on a Win2003 server (HOST1) which through a database link is doing specific select on two tables only (I am not responsible for this server).
  Looking the listener.log of my server I saw that every 10 – 20 seconds there are connections on my server and on different ports. Is this something like port scanning?
  A 10 minute sample of my listener.log:
  30-OCT-2010 08:59:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3452)) * establish * DB1 * 0
  30-OCT-2010 08:59:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3454)) * establish * DB1 * 0
  30-OCT-2010 08:59:34 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3457)) * establish * DB1 * 0
  30-OCT-2010 09:00:01 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3465)) * establish * DB1 * 0
  30-OCT-2010 09:00:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3469)) * establish * DB1 * 0
  30-OCT-2010 09:00:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3472)) * establish * DB1 * 0
  30-OCT-2010 09:00:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3474)) * establish * DB1 * 0
  30-OCT-2010 09:00:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3483)) * establish * DB1 * 0
  30-OCT-2010 09:01:03 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3484)) * establish * DB1 * 0
  30-OCT-2010 09:01:09 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3487)) * establish * DB1 * 0
  30-OCT-2010 09:01:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3488)) * establish * DB1 * 0
  30-OCT-2010 09:01:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3494)) * establish * DB1 * 0
  30-OCT-2010 09:02:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3505)) * establish * DB1 * 0
  30-OCT-2010 09:02:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3506)) * establish * DB1 * 0
  30-OCT-2010 09:02:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3511)) * establish * DB1 * 0
  30-OCT-2010 09:02:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3519)) * establish * DB1 * 0
  30-OCT-2010 09:03:03 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3520)) * establish * DB1 * 0
  30-OCT-2010 09:03:09 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3523)) * establish * DB1 * 0
  30-OCT-2010 09:03:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3524)) * establish * DB1 * 0
  30-OCT-2010 09:03:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3528)) * establish * DB1 * 0
  30-OCT-2010 09:03:58 * ping * 0
  30-OCT-2010 09:03:58 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=myhost.mydomain)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost.mydomain)(PORT=1521)))(VERSION=169870336)) * status * 0
  30-OCT-2010 09:04:09 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=52637)) * establish * DB1 * 0
  30-OCT-2010 09:04:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3537)) * establish * DB1 * 0
  30-OCT-2010 09:04:13 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=52639)) * establish * DB1 * 0
  30-OCT-2010 09:04:13 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=52640)) * establish * DB1 * 0
  30-OCT-2010 09:04:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3538)) * establish * DB1 * 0
  30-OCT-2010 09:04:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3542)) * establish * DB1 * 0
  30-OCT-2010 09:04:34 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3544)) * establish * DB1 * 0
  30-OCT-2010 09:04:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3553)) * establish * DB1 * 0
  30-OCT-2010 09:05:01 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3554)) * establish * DB1 * 0
  30-OCT-2010 09:05:03 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3555)) * establish * DB1 * 0
  30-OCT-2010 09:05:09 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3559)) * establish * DB1 * 0
  30-OCT-2010 09:05:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3560)) * establish * DB1 * 0
  30-OCT-2010 09:05:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3564)) * establish * DB1 * 0
  30-OCT-2010 09:06:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3573)) * establish * DB1 * 0
  30-OCT-2010 09:06:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3574)) * establish * DB1 * 0
  30-OCT-2010 09:06:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3578)) * establish * DB1 * 0
  30-OCT-2010 09:06:40 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=52652)) * establish * DB1 * 0
  30-OCT-2010 09:06:40 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=52653)) * establish * DB1 * 0
  30-OCT-2010 09:06:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3586)) * establish * DB1 * 0
  30-OCT-2010 09:07:03 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3587)) * establish * DB1 * 0
  30-OCT-2010 09:07:09 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3590)) * establish * DB1 * 0
  30-OCT-2010 09:07:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3591)) * establish * DB1 * 0
  30-OCT-2010 09:07:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3593)) * establish * DB1 * 0
  30-OCT-2010 09:08:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3604)) * establish * DB1 * 0
  30-OCT-2010 09:08:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3605)) * establish * DB1 * 0
  30-OCT-2010 09:08:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3607)) * establish * DB1 * 0
  30-OCT-2010 09:08:58 * ping * 0
  30-OCT-2010 09:08:58 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=myhost.mydomain)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost.mydomain)(PORT=1521)))(VERSION=169870336)) * status * 0
  30-OCT-2010 09:08:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3617)) * establish * DB1 * 0
  30-OCT-2010 09:09:03 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3620)) * establish * DB1 * 0
  30-OCT-2010 09:09:09 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3623)) * establish * DB1 * 0
  30-OCT-2010 09:09:09 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=42950)) * establish * DB1 * 0
  30-OCT-2010 09:09:13 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=42951)) * establish * DB1 * 0
  30-OCT-2010 09:09:13 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=42952)) * establish * DB1 * 0
  30-OCT-2010 09:09:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3624)) * establish * DB1 * 0
  30-OCT-2010 09:09:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3626)) * establish * DB1 * 0
  30-OCT-2010 09:09:34 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3630)) * establish * DB1 * 0
  30-OCT-2010 09:10:01 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3637)) * establish * DB1 * 0
  30-OCT-2010 09:10:07 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=42957)) * establish * DB1 * 0
  30-OCT-2010 09:10:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3643)) * establish * DB1 * 0
  30-OCT-2010 09:10:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3644)) * establish * DB1 * 0
  30-OCT-2010 09:10:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3646)) * establish * DB1 * 0
  30-OCT-2010 09:10:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3658)) * establish * DB1 * 0

  Is this port scanning?No. Port scanning is sending various crafted tcp packets to a range of ports to determine what, if any, service is using that port as a listening end-point. It is not about sending lots of packets to a single port.
  So if someone port scans your Oracle server, there is an excellent likelihood that you will not even see that. A stealth scan is commonly used - and this will be dealt with at IP stack level and not at the listener level. So the listener will never see the port scan. It will not be recorded in the listener's log.
  What you are seeing are standard client server connections. The server port is 1521. The client port will be a brand new port each time - and a port number from the private/dynamic port range.
  A lot of client-server connections to a server that for example fails, can be a sign of a DoS (<i>Denial of Service</i>) attack. But yours simply seems to be the local Oracle instance checking in with the listener at regular intervals.
  The executable according to the connection string received from the client is <i>d:\oracle\product\10.2.0\db\bin\ORACLE.EXE</i>. This means an Oracle server process. An Oracle instance will continually contact the local listener to inform it of the services that it supports.