IPS - alarm on specific tcp port scan

Hi there,
My problem is:
I want to create a rule on IPS 5.x in which a TCP high port range sweep triggers a low alarm, but if the sweep includes TCP port 2400, then I receive a high level alarm. At the same time I don't want any alarms if there is a full 3-way handshake to TCP port 2400. Is it possible at all?
Thanks,
Aa

The short answer is no, it does not help, thanks... Shortly because it was not an answer to my question ;-)
After further investigation I found the so-called META engine, in which there is a "component list" where you can define more signatures. The alarm is fired if all the selected events match.
Unfortunately the component list doesn't allow you to add a custom signature to the list, so I had to clone the "normal" TCP port sweep engine (to keep the original), then modify the original 3001 engine to fire on TCP port 2400 matches. Then I added this signature and the TCP high port sweep signature to the component list.
In this way it works. If anyone can suggest an easier way, welcome! But now I think this can be useful info for others also.
Bests,
Aa
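A plain-Python model of the two-tier logic Aa describes (added example, not Cisco IPS configuration or code from the thread): a high-port sweep alone yields a low alarm, a sweep that also probes port 2400 yields a high alarm, and a completed 3-way handshake to 2400 is never treated as a probe. The sweep threshold, the time window and the sample traffic are assumptions made for the example.

```python
"""Model of the META-style "all components must match" sweep alarm.

Added example, not IPS code.  Rules modelled:
  * a source that probes >= SWEEP_THRESHOLD distinct TCP ports >= 1024
    within WINDOW seconds                      -> "low" alarm (sweep component)
  * the same sweep that also probes port 2400  -> "high" alarm (both components)
  * a connection that completes the 3-way handshake is a client session, not a
    probe, so it never contributes to either component
"""
from collections import defaultdict
from dataclasses import dataclass

SWEEP_THRESHOLD = 5      # distinct high ports before a source counts as sweeping (assumed)
WINDOW = 60.0            # seconds over which probes are correlated (assumed)
WATCHED_PORT = 2400      # the port from the question
HIGH_PORT_START = 1024   # "high port range" as used in the question


@dataclass(frozen=True)
class Conn:
    ts: float                 # seconds, monotonic
    src: str                  # client IP
    dport: int                # destination TCP port
    handshake_complete: bool  # True if SYN, SYN/ACK and ACK were all seen


def classify(events):
    """Return {src: "low" | "high"} for every source that swept within WINDOW."""
    probes = defaultdict(list)           # per-source connections that did not complete
    for e in sorted(events, key=lambda e: e.ts):
        if e.dport < HIGH_PORT_START or e.handshake_complete:
            continue                     # low port, or a real session: ignore
        probes[e.src].append(e)

    alarms = {}
    for src, evs in probes.items():
        for i, start in enumerate(evs):  # sliding window anchored at each probe
            in_win = [x for x in evs[i:] if x.ts - start.ts <= WINDOW]
            ports = {x.dport for x in in_win}
            if len(ports) < SWEEP_THRESHOLD:
                continue                 # sweep component not satisfied
            # sweep component matched; the 2400 component decides the severity
            level = "high" if WATCHED_PORT in ports else "low"
            if alarms.get(src) != "high":
                alarms[src] = level
            if level == "high":
                break
    return alarms


def sample_events():
    """Constructed traffic for the cases in the thread (not real captures)."""
    ev = []
    # sweeps five high ports including 2400, nothing completes -> high
    for i, p in enumerate([2400, 3000, 3001, 3002, 3003]):
        ev.append(Conn(100.0 + i, "192.0.2.50", p, False))
    # sweeps five high ports, 2400 not among them -> low
    for i, p in enumerate([5000, 5001, 5002, 5003, 5004]):
        ev.append(Conn(200.0 + i, "192.0.2.51", p, False))
    # legitimate client: repeated full handshakes to 2400 -> no alarm
    for i in range(8):
        ev.append(Conn(300.0 + 5 * i, "192.0.2.52", 2400, True))
    # sweeps five ports and also completes a session to 2400 -> low only
    for i, p in enumerate([6000, 6001, 6002, 6003, 6004]):
        ev.append(Conn(400.0 + i, "192.0.2.53", p, False))
    ev.append(Conn(402.5, "192.0.2.53", 2400, True))
    # only three probes, below the sweep threshold -> no alarm
    for i, p in enumerate([7000, 7001, 2400]):
        ev.append(Conn(500.0 + i, "192.0.2.54", p, False))
    return ev


if __name__ == "__main__":
    for src, level in sorted(classify(sample_events()).items()):
        print(f"{src}: {level} alarm")
```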

Similar Messages

  • Gathering network statistics on specific tcp ports

    I have an application on Solaris 10 with one local zone and it listens on a few tcp ports.
    I want to write a script to find out if a network latency occurs on one of these ports.
    I don't want to use "time telnet ..." because in that way I'll need to sample many servers from one place.
    netstat -sP tcp also does not fit my needs, because I want to distinguish between tcp ports.
    Thanks a lot

  • TCP ports versus UDP ports

    Hi all, I'm trying to understand the difference between connecting on TCP versus UDP ports.
    My understanding is that you connect to TCP Ports like this
    new Socket(server, port);
    A TCP port scan would consist of trying to connect to ports 1 to 65536.
    Is that correct ?
    Now sending a message to UDP
    try {
        dsock = new DatagramSocket();
    } catch (SocketException se) {
        response = "SocketException: " + se.toString();
    }
    try {
        dsock.send(new DatagramPacket(message.getBytes(),
                message.getBytes().length,
                InetAddress.getByName(server),
                port));
    } catch (UnknownHostException e) {
        response += "UnknownHostException:" + e.toString();
    } catch (IOException e) {
        response += "IOException: " + e.toString();
    }
    Would I also try to send the message on UDP with ports 1-65536?
    Stephen

    Do you have
    http://www.kohala.com/start/tcpipiv1.html
    in your library? If not, get it.
    In case you don't have time, however, there are basically five things that direct a packet: the source IP address, the source port, the protocol (e.g. TCP or UDP), the destination IP address, and the destination port.

  • Monitoring TCP ports

    Utilizing a 1605, is there a MIB or another way to show amount of traffic by tcp or udp port on a particular interface?

    Brian
    If you want reporting on specific TCP ports and packet count is sufficient then an alternative to consider would be to create an access list and assign it to the interface (depending on your requirements you might want one access list for inbound and a similar access list for outbound). This access list would not necessarily deny anything. But it would have permit statements for the particular tcp ports that you are interested in and a permit any at the bottom. This way the access list would count packets for the TCP (or UDP) port.
    An example would be this:
    ip access-list extended count_in
    remark count tcp packets inbound
    permit tcp any any eq 23
    permit tcp any any eq 80
    permit tcp any eq 23 any
    permit tcp any eq 80 any
    permit ip any any
    ip access-list extended count_out
    remark count tcp packets outbound
    permit tcp any any eq 23
    permit tcp any any eq 80
    permit tcp any eq 23 any
    permit tcp any eq 80 any
    permit ip any any
    interface fastethernet0/0
    ip access-group count_in in
    ip access-group count_out out
    then show access-list count_in and show access-list count_out would show the number of hits for each line and you would have packet counts for your specific TCP ports.
    HTH
    Rick

  • BEFW11S4 UDP AND TCP PORT opening

    How do I open UDP and TCP ports, specifically TCP ports: 80, 6667, 28910, 29900, 29920
    UDP ports: 4321, 27900? It's for a networkable game; I need to open these ports to play it.

    Ok. But when I try disabling the numbers in the forwarding field I run out of spaces in the field to be able to disable them. Is there an advanced firewall setting that I don't know about? I put in all of the range forwarding and put the range forwarding start for example 80 originally (TCP ports: 80, 6667, 28910, 29900, 29920
    UDP ports: 4321, 27900). The ones I try to disable, I run out of fields to disable them in the forwarding; for example there are 10 slots for disabling and I'm trying to disable them on two numbers, 192.168.1.101 and 192.168.1.100. So I need to disable them for both IP numbers. I got 10 fields to enter it into and 10 x 2 is more than the numbers..... You get me?? And on top of that I don't know if what I did was enough. Linksys doesn't want to help me without paying 30 dollars, so I'm just thinking I should buy a new router....... I mean they charge 39 dollars for a new router and they want me to pay 39 dollars for tech support; it just doesn't make any sense........

  • Over and over again: port scan TCP issuing from my mac. How can I stop this

    I have set our router to send me an alarm whenever it is attacked.
    I have noticed before that when I use Google Maps, Google Earth or Google's Picasa my mac attacks other IPs with a port scan TCP.
    As of this morning my mac has started to attack our router about every minute, and none of the above applications is running.
    How can I get this to stop?

    I'm experiencing a similar issue with some of the systems I support at a University. One was issuing tons of outbound ICMP requests to address 0.0.0.0 and another was port scanning a (seemingly) random name server. The systems themselves are behind a pretty aggressive firewall, as far as inbound traffic goes. Any thoughts?

  • Issues with McAfee IPS and HP PhotoSmart Premium C309g-m performing port scan

    Trying to run a HP PhotoSmart Premium C309g-m printer wirelessly and connect to a laptop computer with Windows 7 32-bit operating system. Printer is available for about 3 and a half minutes and then is blocked by McAfee because the printer is trying to perform a UDP port scan. The IP address of the printer is blocked for 10 minutes and then becomes available again. After about 3 and a half minutes, the printer IP address is again blocked by McAfee IPS for 10 minutes and the cycle repeats again. Goes on all day. Difficult to get any work done. Anyone have a fix to stop the port scans? Thanks

    Hello JWB46,
    Welcome to the HP Forums!
    I understand when you scan a document, it takes longer and the background is black with horizontal white lines or a greenish background. I will do my best to assist you! First, I need to find out your operating system on your computer? Windows or Mac?
    How is this printer connected? Wireless or USB?
    Please make sure you have followed this entire HP document on Color or Brightness Level of Scanned Image is Not Correct. I would like to test out the hardware within your printer. Try copying a blank document on the scanner glass. Let me know if you have the same results. I will be looking forward to hearing from you. Have a great night!
    I worked on behalf of HP.

  • CSA 4.0.3 Exempt certain IPs from being detected as source of port scanning

    We have an in-house vulnerability scanner that regularly
    does port scans and we don't want to see events when the source IP is from the vulnerability scanner.
    We tried a network access rule but it does not work.
    1) Network Shim is enabled
    2) Network shield rule with Port scan detection is enabled.
    3) Global correlation for scans is set to 100 within 60 minutes.
    Basically we want to keep detecting port scans except scans from a specific IP.

    Thanks Jay for your offer. The thing is NACL does not work in 4.0.x
    Here is TAC response for later versions (4.5.x or 5.x):
    "It is possible to do this by changing the field "Communicating with host
    addresses" in the network shield rule. There are 2 ways to do this.
    1. Create an exception rule. The exception rule is of type 'Network
    Shield Rule'. Make its action 'permit'. Click Port Scan Detection to
    enable it. Include the ip address of the port scanner device in
    "Communicating with host addresses".
    or
    2. Modify the original Network Shield Rule (the one with the deny
    action). Next to "Communicating with host addresses", click 'Insert
    Network Address Set', and click 'New'. In the new window, name the
    network address set. Leave the "Address ranges matching" to and
    change "but not:" to the ip address of the port scanner. Then click
    'save'. Make sure that the Network Shield rule now contains your
    Network address set under "Communicating with host addresses".
    We typically recommend using method 1 because it prevents you from
    having to modify the default rule set. But pick the method that works
    best for your configuration."
    I have to find a way without upgrading.

  • Is this port scanning?

    Hello all,
    I’m a new Oracle Administrator and I want to ask the following question:
    I have one 10g R2 Database Server (myhost.mydomain) running a DB with SID=DB1 on a Linux Redhat Server.
    There is another 10g R2 Database on a Win2003 server (HOST1) which through a database link is doing specific select on two tables only (I am not responsible for this server).
    Looking at the listener.log of my server I saw that every 10 – 20 seconds there are connections on my server and on different ports. Is this something like port scanning?
    A 10 minute sample of my listener.log:

    Is this port scanning? No. Port scanning is sending various crafted tcp packets to a range of ports to determine what, if any, service is using that port as a listening end-point. It is not about sending lots of packets to a single port.
    So if someone port scans your Oracle server, there is an excellent likelihood that you will not even see that. A stealth scan is commonly used - and this will be dealt with at IP stack level and not at the listener level. So the listener will never see the port scan. It will not be recorded in the listener's log.
    What you are seeing are standard client server connections. The server port is 1521. The client port will be a brand new port each time - and a port number from the private/dynamic port range.
    A lot of client-server connections to a server that, for example, fails can be a sign of a DoS (Denial of Service) attack. But yours simply seems to be the local Oracle instance checking in with the listener at regular intervals.
    The executable according to the connection string received from the client is d:\oracle\product\10.2.0\db\bin\ORACLE.EXE. This means an Oracle server process. An Oracle instance will continually contact the local listener to inform it of the services that it supports.
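The triage the answer performs by eye, as an added example that is not part of the thread or of Oracle: a parser for 10g listener.log 'establish' records that groups them per client and checks what the answer points out, namely that every record targets the one listener service and the varying PORT value is the client's ephemeral source port. The sample lines are constructed to match the question's log format (RFC 5737 test addresses), and the listener port of 1521 is taken from the answer.

```python
"""Triage of Oracle listener.log 'establish' records (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# One 'establish' line in the 10g listener.log text format.  HOST/PORT inside
# the ADDRESS clause are the *client's* source address and source port; the
# listener itself always receives on its own port (1521 in the thread).
ESTABLISH_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"\(CONNECT_DATA=.*?\(CID=\(PROGRAM=(?P<program>[^)]*)\)"
    r"\(HOST=(?P<chost>[^)]*)\)\(USER=(?P<user>[^)]*)\)\)\) \* "
    r"\(ADDRESS=\(PROTOCOL=(?P<proto>\w+)\)\(HOST=(?P<addr>[^)]+)\)"
    r"\(PORT=(?P<port>\d+)\)\) \* (?P<action>\w+) \* (?P<service>\S+) \* (?P<rc>\d+)$"
)

# Constructed sample modelled on the question's log; ping/status lines are
# listener control traffic and are deliberately not 'establish' records.
SAMPLE_LOG = r"""
30-OCT-2010 08:59:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=3452)) * establish * DB1 * 0
30-OCT-2010 08:59:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=3454)) * establish * DB1 * 0
30-OCT-2010 08:59:34 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=3457)) * establish * DB1 * 0
30-OCT-2010 09:00:01 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=3465)) * establish * DB1 * 0
30-OCT-2010 09:00:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=3469)) * establish * DB1 * 0
30-OCT-2010 09:03:58 * ping * 0
30-OCT-2010 09:03:58 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=myhost.mydomain)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost.mydomain)(PORT=1521)))(VERSION=169870336)) * status * 0
30-OCT-2010 09:04:09 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.9)(PORT=52637)) * establish * DB1 * 0
30-OCT-2010 09:04:13 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.9)(PORT=52639)) * establish * DB1 * 0
"""


def parse(lines):
    """Return the 'establish' records as dicts; other listener lines are skipped."""
    recs = []
    for line in lines:
        m = ESTABLISH_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["port"] = int(d["port"])
        d["ts"] = datetime.strptime(d["ts"], "%d-%b-%Y %H:%M:%S")
        recs.append(d)
    return recs


def triage(lines, listener_port=1521):
    """Per client (address, program, user): what the connections look like.

    A scan varies the destination port on the server.  listener.log only ever
    records connections that reached the listener port, so the PORT field is
    the client's source port; normal traffic shows one service name, many
    distinct high-numbered source ports and a steady rhythm.
    """
    groups = defaultdict(list)
    for r in parse(lines):
        groups[(r["addr"], r["program"], r["user"])].append(r)
    report = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        src_ports = [r["port"] for r in recs]
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        report[key] = {
            "connections": len(recs),
            "listener_port": listener_port,          # the only destination port
            "services": sorted({r["service"] for r in recs}),
            "distinct_src_ports": len(set(src_ports)),
            "all_src_ports_ephemeral": all(p > 1023 for p in src_ports),
            "all_succeeded": all(r["rc"] == "0" for r in recs),
            "median_gap_s": sorted(gaps)[len(gaps) // 2] if gaps else None,
        }
    return report


def is_normal_client_traffic(entry):
    """True when the group matches the answer's reading: successful connects to
    a single service, each from a fresh client-side ephemeral port."""
    return (entry["all_succeeded"] and len(entry["services"]) == 1
            and entry["all_src_ports_ephemeral"]
            and entry["distinct_src_ports"] == entry["connections"])


if __name__ == "__main__":
    for (addr, program, user), e in triage(SAMPLE_LOG.strip().splitlines()).items():
        verdict = "normal client traffic" if is_normal_client_traffic(e) else "review"
        print(f"{addr} {user}@{program}: {e['connections']} connects, "
              f"median gap {e['median_gap_s']}s -> {verdict}")
```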

  • How to report possible Port scanning and DOS/Fraggle Attack??

    I have been experiencing lag while surfing the internet. One temporary solution was to get a new IP from VZ but this fix was short lived. So I became curious and started to log connection attempts to my router and noticed what I saw resembled port scans and even a Fraggle/DOS attack at times. I am posting my router's log below and would like to know how to go about reporting this abuse and what I see as malicious activity?
    Mar 30 23:03:12.464: %SEC-6-IPACCESSLOGP: list 115 denied tcp 88.208.220.10(55906) -> .(21), 1 packet
    Mar 30 23:08:54.966: %SEC-6-IPACCESSLOGP: list 115 denied tcp 88.208.220.10(55906) -> .(21), 1 packet
    Mar 31 00:41:30.769: %SEC-6-IPACCESSLOGP: list 115 denied tcp 115.89.213.165(35443) -> .(22), 1 packet
    Mar 31 03:00:11.425: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(58521) -> .(80), 1 packet
    Mar 31 03:00:12.527: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(42339) -> .(23), 1 packet
    Mar 31 03:05:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(41726) -> .(23), 1 packet
    Mar 31 03:05:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(59178) -> .(80), 1 packet
    Mar 31 03:46:26.767: %SEC-6-IPACCESSLOGP: list 115 denied tcp 184.154.4.85(58071) -> .(80), 1 packet
    Mar 31 04:12:08.935: %SEC-6-IPACCESSLOGP: list 115 denied tcp 109.104.74.10(51151) -> .(22), 1 packet
    Mar 31 12:10:19.683: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(51886) -> .(80), 1 packet
    Mar 31 12:15:54.960: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(51886) -> .(80), 4 packets
    Mar 31 14:23:34.316: %SEC-6-IPACCESSLOGP: list 115 denied tcp 94.251.160.199(32941) -> .(443), 1 packet
    Mar 31 14:28:54.962: %SEC-6-IPACCESSLOGP: list 115 denied tcp 94.251.160.199(32941) -> .(443), 1 packet
    Mar 31 20:37:34.630: %SEC-6-IPACCESSLOGP: list 115 denied tcp 208.100.1.174(39803) -> .(21), 1 packet
    Mar 31 20:40:49.542: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(53348) -> .(80), 1 packet
    Mar 31 20:45:54.958: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(53348) -> .(80), 4 packets
    Mar 31 21:18:03.788: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/1: the fragment table has reached its maximum threshold 16
    Mar 31 21:18:03.832: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.200 -> (0/0), 1 packet
    Mar 31 21:23:54.960: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 130.81.137.230 -> (0/0), 2 packets
    Mar 31 21:23:54.960: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.202 -> (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.201 -> (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.204 -> . (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.205 -> (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.207 -> . (0/0), 1 packet
    Mar 31 21:23:54.968: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.208 -> . (0/0), 1 packet
    Mar 31 21:23:54.968: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.206 -> . (0/0), 1 packet
    Mar 31 21:23:54.968: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.210 -> . (0/0), 1 packet
    Mar 31 21:23:54.972: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.203 -> (0/0), 1 packet
    Mar 31 21:57:25.351: %SEC-6-IPACCESSLOGP: list 115 denied tcp 115.89.213.165(59472) -> .(22), 1 packet
    Mar 31 22:00:45.852: %SEC-6-IPACCESSLOGP: list 115 denied tcp 87.234.32.189(49412) -> .(25), 1 packet
    Mar 31 22:05:54.959: %SEC-6-IPACCESSLOGP: list 115 denied tcp 87.234.32.189(49412) -> .(25), 1 packet

    You're getting hit from IPs from everywhere, so there's no true person to ask in regards to this. Whoever had your IP last was probably up to no good, or it's possible for some reason your IP was targeted. Might also be possible that whoever had your IP last was running servers. My Dedicated server gets hit with this nonsense all the time. Sometimes it's an issue with someone trying to DoS one of the game servers I run on it. Causes lag for only a few seconds before the hardware firewall in front of the server kicks in and handles the rest. China I actually wound up blocking access to entirely for a month or two since I've hardly seen anything that wasn't a port scan or an SSH/FTP hacking attempt.
    A few of those IPs are owned by Google and Microsoft, which implies there was probably an HTTP server at one point running on the IP you're using now.
    ========
    The first to bring me 1Gbps Fiber for $30/m wins!
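    As an added example (not code from this thread), a small Python parser that groups Cisco IOS ACL deny lines of the kind posted above by source address and labels each source as a multi-port sweep, repeated probes of a single port, or ICMP only. The sample log is constructed in the same "%SEC-6-IPACCESSLOGP / LOGDP" format using documentation addresses, it tolerates the masked destination ('.(80)') the poster used, and the three-port sweep threshold is an assumption.

```python
"""Group Cisco IOS ACL deny log lines by source and flag port sweeps (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log in the format of the post above. Addresses are RFC 5737
# documentation ranges, not real hosts; line 3 keeps the poster's masked destination.
SAMPLE_LOG = """\
Mar 30 04:47:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 192.0.2.10(56753) -> 198.51.100.4(80), 2 packets
Mar 30 05:11:34.130: %SEC-6-IPACCESSLOGP: list 115 denied tcp 192.0.2.10(35301) -> 198.51.100.4(80), 1 packet
Mar 30 20:04:23.585: %SEC-6-IPACCESSLOGP: list 115 denied tcp 192.0.2.20(22702) -> .(22), 1 packet
Mar 31 03:00:11.425: %SEC-6-IPACCESSLOGP: list 115 denied tcp 203.0.113.7(58521) -> 198.51.100.4(80), 1 packet
Mar 31 03:00:12.527: %SEC-6-IPACCESSLOGP: list 115 denied tcp 203.0.113.7(42339) -> 198.51.100.4(23), 1 packet
Mar 31 03:05:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 203.0.113.7(41726) -> 198.51.100.4(21), 1 packet
Mar 30 21:48:54.965: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 192.0.2.99 -> (0/0), 1 packet
this line is not an ACL log message and is ignored
"""

# Timestamp as IOS prints it without a year ("Mar 30 04:47:54.967").
_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?)"
# tcp/udp form: src(sport) -> dst(dport); dst may be masked to "." as in the post.
LOGP_RE = re.compile(
    _TS + r": %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]*)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)
# icmp form: src -> dst (type/code); dst may be empty or masked.
LOGDP_RE = re.compile(
    _TS + r": %SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) denied (?P<proto>icmp) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]*) ?\((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    acl: str
    src: str
    dst: str
    service: str  # "tcp/80" for tcp/udp, "icmp/<type>/<code>" for icmp
    count: int    # IOS logs the first match, then periodic "N packets" summaries


def parse_line(line: str):
    """Return an Event for one ACL log line, or None if the line is not one."""
    line = line.strip()
    m = LOGP_RE.match(line)
    if m:
        return Event(m["ts"], m["acl"], m["src"], m["dst"],
                     f"{m['proto']}/{m['dport']}", int(m["count"]))
    m = LOGDP_RE.match(line)
    if m:
        return Event(m["ts"], m["acl"], m["src"], m["dst"],
                     f"icmp/{m['type']}/{m['code']}", int(m["count"]))
    return None


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


@dataclass
class SourceSummary:
    packets: int = 0
    services: set = field(default_factory=set)
    first_seen: str = ""   # assumes the log is in chronological order
    last_seen: str = ""


def summarize(events) -> dict:
    """Aggregate denied traffic per source address, summing the packet counts."""
    out = defaultdict(SourceSummary)
    for e in events:
        s = out[e.src]
        s.packets += e.count
        s.services.add(e.service)
        s.first_seen = s.first_seen or e.ts
        s.last_seen = e.ts
    return dict(out)


def _port_key(svc: str):
    proto, port = svc.split("/", 1)
    return (proto, int(port))


def classify(s: SourceSummary, sweep_ports: int = 3) -> str:
    """Label a source: multi-port sweep, repeated probes of one service, or ICMP only."""
    ports = sorted((svc for svc in s.services if not svc.startswith("icmp/")), key=_port_key)
    if len(ports) >= sweep_ports:   # assumed threshold: 3 distinct ports = a sweep
        return f"port sweep across {len(ports)} ports: {', '.join(ports)}"
    if ports:
        return f"repeated probes of {', '.join(ports)} ({s.packets} packet(s))"
    return f"icmp probes only ({s.packets} packet(s))"


def report(text: str, sweep_ports: int = 3) -> dict:
    """Map each source address found in an ACL log to its classification."""
    return {src: classify(s, sweep_ports) for src, s in summarize(parse_log(text)).items()}


if __name__ == "__main__":
    for src, label in sorted(report(SAMPLE_LOG).items()):
        print(f"{src:16} {label}")
```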

  • Mail or some other software is port scanning

    I've recently updated all of my machines to Yosemite. Ever since then my IP is periodically blocked by my web host (which hosts my website and email). Every time I contact them for support I'm told that my machine is port scanning on port 585 which automatically blocks me. From what they tell me Mac Mail is the culprit. I have found no indication that port 585 is being used. I've even deleted my mail accounts and re-set them up with the settings that the host requested. There are no settings using 585. But again today it has happened again. Does anyone know how Mail could be doing this or if there is another software that could be scanning?

    I think you're being given bogus information, but see below if you want to make sure.
    1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.
    Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.
    2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.
    There are ways to back up a computer that isn't fully functional. Ask if you need guidance.
    3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.
    You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.
    In this case, however, there are a couple of ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the necessary skill can verify what it does.
    You may not be able to understand the script yourself. But variations of the script have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message.
    Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.
    4. Here's a summary of what you need to do, if you choose to proceed:
    ☞ Copy a line of text in this window to the Clipboard.
    ☞ Paste into the window of another application.
    ☞ Wait for the test to run. It usually takes a few minutes.
    ☞ Paste the results, which will have been copied automatically, back into a reply on this page.
    The sequence is: copy, paste, wait, paste again. You don't need to copy a second time. Details follow.
    5. You may have started the computer in "safe" mode. Preferably, these steps should be taken in “normal” mode, under the conditions in which the problem is reproduced. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.
    6. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.
    7. The script is a single long line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, though you may not see all of it in the browser window, and you can then copy it. If you try to select the line by dragging across the part you can see, you won't get all of it.
    Triple-click anywhere in the line of text below on this page to select it:
    PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/libexec;clear;cd;p=(Software Hardware Memory Diagnostics Power FireWire Thunderbolt USB Fonts SerialATA 4 1000 25 5120 KiB/s 1024 85 \\b%% 20480 1 MB/s 25000 ports ' com.clark.\* \*dropbox \*genieo\* \*GoogleDr\* \*k.AutoCAD\* \*k.Maya\* vidinst\* ' DYLD_INSERT_LIBRARIES\ DYLD_LIBRARY_PATH -86 "` route -n get default|awk '/e:/{print $2}' `" 25 N\\/A down up 102400 25600 recvfrom sendto CFBundleIdentifier 25 25 25 1000 MB ' com.adobe.AAM.Updater-1.0 com.adobe.AdobeCreativeCloud com.adobe.CS4ServiceManager com.adobe.CS5ServiceManager com.adobe.fpsaud com.adobe.SwitchBoard com.adobe.SwitchBoard com.apple.aelwriter com.apple.AirPortBaseStationAgent com.apple.FolderActions.enabled com.apple.FolderActions.folders com.apple.FolderActions.folders com.apple.installer.osmessagetracing com.apple.mrt.uiagent com.apple.ReportCrash.Self com.apple.rpmuxd com.apple.SafariNotificationAgent com.apple.usbmuxd com.google.keystone.agent com.google.keystone.daemon com.microsoft.office.licensing.helper com.oracle.java.Helper-Tool com.oracle.java.JavaUpdateHelper com.oracle.java.JavaUpdateHelper ' ' 879294308 461455494 3627668074 1083382502 1274181950 1855907737 2758863019 1848501757 464843899 3694147963 1417519526 1189540302 1233118628 2456546649 2806998573 2778718105 2636415542 842973933 3301885676 891055588 998894468 695903914 1443423563 4136085286 ' 51 5120 files );N5=${#p[@]};p[N5]=` networksetup -listnetworkserviceorder|awk ' NR>1 { sub(/^\([0-9]+\) /,"");n=$0;getline;} $NF=="'${p[26]}')" { sub(/.$/,"",$NF);print n;exit;} ' `;f=('\n%s: %s\n' '\n%s\n\n%s\n' '\nRAM details\n%s\n' %s\ %s '%s\n-\t%s\n' );S0() { echo ' { q=$NF+0;$NF="";u=$(NF-1);$(NF-1)="";gsub(/^ +| +$/,"");if(q>='${p[$1]}') printf("%s (UID %s) is using %s '${p[$2]}'",$0,u,q);} ';};s=(' s/[0-9A-Za-z._]+@[0-9A-Za-z.]+\.[0-9A-Za-z]{2,4}/EMAIL/g;/faceb/s/(at\.)[^.]+/\1NAME/g;/\/Shared/!s/(\/Users\/)[^ /]+/\1USER/g;s/[-0-9A-Fa-f]{22,}/UUID/g;' ' s/^ +//;/de: S|[nst]:/p;' ' {sub(/^ 
+/,"")};/er:/;/y:/&&$2<'${p[10]} ' 1s/://;3,6d;/[my].+:/d;s/^ {4}//;H;${ g;s/\n$//;/s: (E[^m]|[^EO])|x([^08]|02[^F]|8[^0])/p;} ' ' 5h;6{ H;g;/P/!p;} ' ' ($1~/^Cy/&&$3>'${p[11]}')||($1~/^Cond/&&$2!~/^N/) ' ' /:$/{ N;/:.+:/d;s/ *://;b0'$'\n'' };/^ *(V.+ [0N]|Man).+ /{ s/ 0x.... //;s/[()]//g;s/(.+: )(.+)/ (\2)/;H;};$b0'$'\n'' d;:0'$'\n'' x;s/\n\n//;/Apple[ ,]|Genesy|Intel|SMSC/d;s/\n.*//;/\)$/p;' ' s/^.*C/C/;H;${ g;/No th|pms/!p;} ' '/= [^GO]/p' '{$1=""};1' ' /Of/!{ s/^.+is |\.//g;p;} ' ' $0&&!/ / { n++;print;} END { if(n<10) print "com.apple.";} ' ' { sub(/ :/,"");print|"tail -n'${p[12]}'";} ' ' NR==2&&$4<='${p[13]}' { print $4;} ' ' END { $2/=256;if($2>='${p[15]}') print int($2) } ' ' NR!=13{next};{sub(/[+-]$/,"",$NF)};'"`S0 21 22`" 'NR!=2{next}'"`S0 37 17`" ' NR!=5||$8!~/[RW]/{next};{ $(NF-1)=$1;$NF=int($NF/10000000);for(i=1;i<=3;i++){$i="";$(NF-1-i)="";};};'"`S0 19 20`" 's:^:/:p' '/\.kext\/(Contents\/)?Info\.plist$/p' 's/^.{52}(.+) <.+/\1/p' ' /Launch[AD].+\.plist$/ { n++;print;} END { if(n<200) print "/System/";} ' '/\.xpc\/(Contents\/)?Info\.plist$/p' ' NR>1&&!/0x|\.[0-9]+$|com\.apple\.launchctl\.(Aqua|Background|System)$/ { print $3;} ' ' /\.(framew|lproj)|\):/d;/plist:|:.+(Mach|scrip)/s/:[^:]+//p ' '/^root$/p' ' !/\/Contents\/.+\/Contents|Applic|Autom|Frameworks/&&/Lib.+\/Info.plist$/ { n++;print;} END { if(n<1100) print "/System/";} ' '/^\/usr\/lib\/.+dylib$/p' ' /Temp|emac/{next};/(etc|Preferences|Launch[AD].+)\// { sub(".(/private)?","");n++;print;} END { split("'"${p[41]}"'",b);split("'"${p[42]}"'",c);for(i in b) print b[i]".plist\t"c[i];if(n<500) print "Launch";} ' ' /\/(Contents\/.+\/Contents|Frameworks)\/|\.wdgt\/.+\.([bw]|plu)/d;p;' 's/\/(Contents\/)?Info.plist$//;p' ' { gsub("^| |\n","\\|\\|kMDItem'${p[35]}'=");sub("^...."," ") };1 ' p '{print $3"\t"$1}' 's/\'$'\t''.+//p' 's/1/On/p' '/Prox.+: [^0]/p' '$2>'${p[43]}'{$2=$2-1;print}' ' BEGIN { i="'${p[26]}'";M1='${p[16]}';M2='${p[18]}';M3='${p[31]}';M4='${p[32]}';} !/^A/{next};/%/ { getline;if($5<M1) 
a="user "$2"%, system "$4"%";} /disk0/&&$4>M2 { b=$3" ops/s, "$4" blocks/s";} $2==i { if(c) { d=$3+$4+$5+$6;next;};if($4>M3||$6>M4) c=int($4/1024)" in, "int($6/1024)" out";} END { if(a) print "CPU: "a;if(b) print "I/O: "b;if(c) print "Net: "c" (KiB/s)";if(d) print "Net errors: "d" packets/s";} ' ' /r\[0\] /&&$NF!~/^1(0|72\.(1[6-9]|2[0-9]|3[0-1])|92\.168)\./ { print $NF;exit;} ' ' !/^T/ { printf "(static)";exit;} ' '/apsd|BKAg|OpenD/!s/:.+//p' ' (/k:/&&$3!~/(255\.){3}0/ )||(/v6:/&&$2!~/A/ ) ' ' $1~"lR"&&$2<='${p[25]}';$1~"li"&&$3!~"wpa2";' ' BEGIN { FS=":";p="uniq -c|sed -E '"'s/ +\\([0-9]+\\)\\(.+\\)/\\\2 x\\\1/;s/x1$//'"'";} { n=split($3,a,".");sub(/_2[01].+/,"",$3);print $2" "$3" "a[n]$1|p;b=b$1;} END { close(p);if(b) print("\n\t* Code injection");} ' ' NR!=4{next} {$NF/=10240} '"`S0 27 14`" ' END { if($3~/[0-9]/)print$3;} ' ' BEGIN { L='${p[36]}';} !/^[[:space:]]*(#.*)?$/ { l++;if(l<=L) f=f"\n   "$0;} END { F=FILENAME;if(!F) exit;if(!f) f="\n   [N/A]";"cksum "F|getline C;split(C, A);C="checksum "A[1];"file -b "F|getline T;if(T!~/^(AS.+ (En.+ )?text(, with v.+)?$|(Bo|PO).+ sh.+ text ex|XM)/) F=F" ("T", "C")";else F=F" ("C")";printf("\nContents of %s\n%s\n",F,f);if(l>L) printf("\n   ...and %s more line(s)\n",l-L);} ' ' s/^ ?n...://p;s/^ ?p...:/-'$'\t''/p;' 's/0/Off/p' ' END{print NR} ' ' /id: N|te: Y/{i++} END{print i} ' ' / / { print "'"${p[28]}"'";exit;};1;' '/ en/!s/\.//p' ' NR!=13{next};{sub(/[+-M]$/,"",$NF)};'"`S0 39 40`" ' $10~/\(L/&&$9!~"localhost" { sub(/.+:/,"",$9);print $1": "$9|"sort|uniq";} ' '/^ +r/s/.+"(.+)".+/\1/p' 's/(.+\.wdgt)\/(Contents\/)?Info\.plist$/\1/p' 's/^.+\/(.+)\.wdgt$/\1/p' ' /l: /{ /DVD/d;s/.+: //;b0'$'\n'' };/s: /{ /V/d;s/^ */- /;H;};$b0'$'\n'' d;:0'$'\n'' x;/APPLE [^:]+$/d;p;' ' /^find: /d;p;' "`S0 44 45`" ' BEGIN{FS="= "} /Path/{print $2} ' ' /^ *$/d;s/^ */   /;' ' s/^.+ |\(.+\)$//g;p ' '/\.(appex|pluginkit)\/Contents\/Info\.plist$/p' ' /2/{print "WARN"};/4/{print "CRITICAL"};' ' /EVHF|MACR/d;s/^.+: //p;' );c1=(system_profiler 
pmset\ -g nvram fdesetup find syslog df vm_stat sar ps crontab iotop top pkgutil 'PlistBuddy 2>&1 -c "Print' whoami cksum kextstat launchctl smcDiagnose sysctl\ -n defaults\ read stat lsbom mdfind ' for i in ${p[24]};do ${c1[18]} ${c2[27]} $i;done;' pluginkit scutil dtrace profiles sed\ -En awk /S*/*/P*/*/*/C*/*/airport networksetup mdutil lsof test osascript\ -e );c2=(com.apple.loginwindow\ LoginHook '" /L*/P*/loginw*' "'tell app \"System Events\" to get properties of login items'|tr , \\\n" 'L*/Ca*/com.ap*.Saf*/E*/* -d 1 -name In*t -exec '"${c1[14]}"' :CFBundleDisplayName" {} \;|sort|uniq' '~ $TMPDIR.. \( -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! -perm -600 \)' '.??* -path .Trash -prune -o -type d -name *.app -print -prune' :${p[35]}\" :Label\" '{/,}L*/{Con,Pref}* -type f ! -size 0 -name *.plist -exec plutil -s {} \;' "-f'%N: %l' Desktop L*/Keyc*" therm sysload boot-args status " -F '\$Time \$(RefProc): \$Message' -k Sender kernel -k Message Req 'bad |Beac|caug|corru|dead[^bl]|FAIL|fail|GPU |hfs: Ru|inval|jnl:|last value [1-9]|n Cause: -|NVDA\(|pagin|proc: t|Roamed|rror|ssert|Thrott|tim(ed? ?|ing )o|WARN' -k Message Rne 'Goog|ksadm|Roame|SMC:|suhel| VALI|ver-r|xpma' -o -o -k Sender fseventsd -k Message Req SL -o -k Sender Req launchd -k Message Req de: " '-du -n DEV -n EDEV 1 10' 'acrx -o comm,ruid,%cpu' '-t1 10 1' '-f -pfc /var/db/r*/com.apple.*.{BS,Bas,Es,J,OSXU,Rem,up}*.bom' '{/,}L*/Lo*/Diag* -type f -regex .\*[cght] ! -name .?\* ! 
-name \*ag \( -exec grep -lq "^Thread c" {} \; -exec printf \* \; -o -true \) -execdir stat -f:%Sc:%N -t%F {} \;|sort -t: -k2 |tail -n'${p[38]} '/S*/*/Ca*/*xpc* >&- ||echo No' '-L /{S*/,}L*/StartupItems -type f -exec file {} +' '-L /S*/L*/{C*/Sec*A,Ex}* {/,}L*/{A*d,Ca*/*/Ex,Co{mpon,reM},Ex,In{p,ter},iTu*/*P,Keyb,Mail/B,Pr*P,Qu*T,Scripti,Sec,Servi,Spo,Widg}* -path \\*s/Resources -prune -o -type f -name Info.plist' '/usr/lib -type f -name *.dylib' `awk "${s[31]}"<<<${p[23]}` "/e*/{auto,{cron,fs}tab,hosts,{[lp],sy}*.conf,mach_i*/*,pam.d/*,ssh{,d}_config,*.local} {,/usr/local}/etc/periodic/*/* /L*/P*{,/*}/com.a*.{Bo,sec*.ap}*t {/S*/,/,}L*/Lau*/*t .launchd.conf" list getenv /Library/Preferences/com.apple.alf\ globalstate --proxy '-n get default' -I --dns -getdnsservers\ "${p[N5]}" -getinfo\ "${p[N5]}" -P -m\ / '' -n1 '-R -l1 -n1 -o prt -stats command,uid,prt' '--regexp --only-files --files com.apple.pkg.*|sort|uniq' -kl -l -s\ / '-R -l1 -n1 -o mem -stats command,uid,mem' '+c0 -i4TCP:0-1023' com.apple.dashboard\ layer-gadgets '-d /L*/Mana*/$USER&&echo On' '-app Safari WebKitDNSPrefetchingEnabled' "+c0 -l|awk '{print(\$1,\$3)}'|sort|uniq -c|sort -n|tail -1|awk '{print(\$2,\$3,\$1)}'" -m 'L*/{Con*/*/Data/L*/,}Pref* -type f -size 0c -name *.plist.???????|wc -l' kern.memorystatus_vm_pressure_level '3>&1 >&- 2>&3' );N1=${#c2[@]};for j in {0..9};do c2[N1+j]=SP${p[j]}DataType;done;N2=${#c2[@]};for j in 0 1;do c2[N2+j]="-n ' syscall::'${p[33+j]}':return { @out[execname,uid]=sum(arg0) } tick-10sec { trunc(@out,1);exit(0);} '";done;l=(Restricted\ files Hidden\ apps 'Elapsed time (s)' POST Battery Safari\ extensions Bad\ plists 'High file counts' User Heat System\ load boot\ args FileVault Diagnostic\ reports Log 'Free space (MiB)' 'Swap (MiB)' Activity 'CPU per process' Login\ hook 'I/O per process' Mach\ ports kexts Daemons Agents XPC\ cache Startup\ items Admin\ access Root\ access Bundles dylibs Apps Font\ issues Inserted\ dylibs Firewall Proxies DNS TCP/IP Wi-Fi Profiles Root\ 
crontab User\ crontab 'Global login items' 'User login items' Spotlight Memory Listeners Widgets Parental\ Controls Prefetching SATA Descriptors App\ extensions Lockfiles Memory\ pressure SMC );N3=${#l[@]};for i in 0 1 2;do l[N3+i]=${p[5+i]};done;N4=${#l[@]};for j in 0 1;do l[N4+j]="Current ${p[29+j]}stream data";done;A0() { id -G|grep -qw 80;v[1]=$?;((v[1]==0))&&sudo true;v[2]=$?;v[3]=`date +%s`;clear >&-;date '+Start time: %T %D%n';};for i in 0 1;do eval ' A'$((1+i))'() { v=` eval "${c1[$1]} ${c2[$2]}"|'${c1[30+i]}' "${s[$3]}" `;[[ "$v" ]];};A'$((3+i))'() { v=` while read i;do [[ "$i" ]]&&eval "${c1[$1]} ${c2[$2]}" \"$i\"|'${c1[30+i]}' "${s[$3]}";done<<<"${v[$4]}" `;[[ "$v" ]];};A'$((5+i))'() { v=` while read i;do '${c1[30+i]}' "${s[$1]}" "$i";done<<<"${v[$2]}" `;[[ "$v" ]];};A'$((7+i))'() { v=` eval sudo "${c1[$1]} ${c2[$2]}"|'${c1[30+i]}' "${s[$3]}" `;[[ "$v" ]];};';done;A9(){ v=$((`date +%s`-v[3]));};B2(){ v[$1]="$v";};for i in 0 1;do eval ' B'$i'() { v=;((v['$((i+1))']==0))||{ v=No;false;};};B'$((3+i))'() { v[$2]=`'${c1[30+i]}' "${s[$3]}"<<<"${v[$1]}"`;} ';done;B5(){ v[$1]="${v[$1]}"$'\n'"${v[$2]}";};B6() { v=` paste -d: <(printf "${v[$1]}") <(printf "${v[$2]}")|awk -F: ' {printf("'"${f[$3]}"'",$1,$2)} ' `;};B7(){ v=`grep -Fv "${v[$1]}"<<<"$v"`;};C0() { [[ "$v" ]]&&sed -E "$s"<<<"$v";};C1() { [[ "$v" ]]&&printf "${f[$1]}" "${l[$2]}" "$v"|sed -E "$s";};C2() { v=`echo $v`;[[ "$v" != 0 ]]&&C1 0 $1;};C3() { v=`sed -E "${s[63]}"<<<"$v"`&&C1 1 $1;};for i in 1 2 7 8;do for j in 0 2 3;do eval D$i$j'(){ A'$i' $1 $2 $3; C'$j' $4;};';done;done;{ A0;D20 0 $((N1+1)) 2;D10 0 $N1 1;B0;C2 27;B0&&! 
B1&&C2 28;D12 15 37 25 8;A1 0 $((N1+2)) 3;C0;D13 0 $((N1+3)) 4 3;D23 0 $((N1+4)) 5 4;D13 0 $((N1+9)) 59 50;for i in 0 1 2;do D13 0 $((N1+5+i)) 6 $((N3+i));done;D13 1 10 7 9;D13 1 11 8 10;B1&&D73 19 53 67 55;D22 2 12 9 11;D12 3 13 10 12;D23 4 19 44 13;D23 5 14 12 14;D22 6 36 13 15;D22 20 52 66 54;D22 7 37 14 16;D23 8 15 38 17;D22 9 16 16 18;B1&&{ D82 35 49 61 51;D82 11 17 17 20;for i in 0 1;do D82 28 $((N2+i)) 45 $((N4+i));done;};D22 12 44 54 45;D22 12 39 15 21;A1 13 40 18;B2 4;B3 4 0 19;A3 14 6 32 0;B4 0 5 11;A1 17 41 20;B7 5;C3 22;B4 4 6 21;A3 14 7 32 6;B4 0 7 11;B3 4 0 22;A3 14 6 32 0;B4 0 8 11;B5 7 8;B1&&{ A8 18 26 23;B7 7;C3 23;};A2 18 26 23;B7 7;C3 24;D13 4 21 24 26;B4 4 12 26;B3 4 13 27;A1 4 22 29;B7 12;B2 14;A4 14 6 52 14;B2 15;B6 14 15 4;B3 0 0 30;C3 29;A1 4 23 27;B7 13;C3 30;B3 4 0 65;A3 14 6 32 0;B4 0 16 11;A1 26 50 64;B7 16;C3 52;D13 24 24 32 31;D13 25 37 32 33;A2 23 18 28;B2 16;A2 16 25 33;B7 16;B3 0 0 34;B2 21;A6 47 21&&C0;B1&&{ D73 21 0 32 19;D73 10 42 32 40;D82 29 35 46 39;};D23 14 1 62 42;D12 34 43 53 44;D12 22 20 32 25;D22 0 $((N1+8)) 51 32;D13 4 8 41 6;D12 21 28 35 34;D13 27 29 36 35;A2 27 32 39&&{ B2 19;A2 33 33 40;B2 20;B6 19 20 3;};C2 36;D23 33 34 42 37;B1&&D83 35 45 55 46;D23 32 31 43 38;D12 36 47 32 48;D13 10 42 32 41;D13 37 2 48 43;D13 4 5 32 1;D13 4 3 60 5;D12 21 48 49 49;B3 4 22 57;A1 21 46 56;B7 22;B3 0 0 58;C3 47;D22 4 4 50 0;D12 4 51 32 53;D23 22 9 37 7;A9;C2 2;} 2>/dev/null|pbcopy;exit 2>&-
    Copy the selected text to the Clipboard by pressing the key combination command-C.
    8. Launch the built-in Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Click anywhere in the Terminal window and paste by pressing command-V. The text you pasted should vanish immediately. If it doesn't, press the return key.
    9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter
    exec bash
    and press return. Then paste the script again.
    10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. In most cases, the difference is not important. If you don't know the password, or if you prefer not to enter it, press the key combination control-C or just press return three times at the password prompt. Again, the script will still run.
    If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.
    11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, there will be nothing in the Terminal window and no indication of progress. Wait for the line
    [Process completed]
    to appear. If you don't see it within half an hour or so, the test probably won't complete in a reasonable time. In that case, close the Terminal window and report what happened. No harm will be done.
    12. When the test is complete, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.
    At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.
    If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.
    13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "You are not authorized to post." That's a bug in the forum software. Please post the test results on Pastebin, then post a link here to the page you created.
    14. This is a public forum, and others may give you advice based on the results of the test. They speak only for themselves, and I don't necessarily agree with them.
    Copyright © 2014 by Linc Davis. As the sole author of this work, I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

  • Crashing cFP with http port scan?

    cFP-2010 running 6.1 RT, embedded application communicating via vi server to host #1. Embedded webserver is enabled but serving (properly) only default pages.
    Scan of port 80 causes cFP module to stop responding to port 3363 requests and crash. Seems to reboot spontaneously about half the time, other times it locks up with the red status led blinking 18 times then pausing.
    Port scan is performed from host #2 using nmap 3.50. Command is:
    nmap -A -p 80 192.168.7.24 -v
    The specific request that is causing the problem appears to be 'OPTIONS / HTTP/1.0'. The response generated is 'HTTP/1.0 501 Service Temporarily Overloaded'. No 3363 requests are responded to after this and the embedded application stops.
    Enabling webserver log did not make any difference and nothing was recorded in the log. Adding a delay to the scan did not make a difference.
    Any thoughts or suggestions? We anticipate using the embedded web server so turning it off isn't really an option. Thanks.
    Matt

    >Is your compact FieldPoint system on your local subnet, or is it on a different layer of your network?
    Do you see the same issue when it's on your subnet?
    cFP is on the local subnet; haven't tried a different network.
    >Can you verify that your RT Options are set properly for the webserver? While targeted to your FieldPoint system, go to Tools->RT Target Options and then browse through each Webserver configuration area, checking that your VI is visible and that your computer has network access to your controller.
    I'm not actually browsing to any .vis yet. We're using just the default 'Fieldpoint Embedded Webserver' page that shows the IP, mac, S/N, etc. Requests for the main page and subsequent links all work properly. There are no restrictions on access for either the webserver or tcp.
    >If you can verify that the webserver is configured properly, let's try to narrow down whether the problem is due to an issue with the network or if it's the software on the controller.
    >Please post a reply if the problem still exists.
    Thanks for your help.
    Matt

  • Leopard Holding TCP port 88/kerberos-sec open, why?

    I port scanned my computer and leopard is leaving kerberos open on tcp port 88. How do I close this port? Is this normal operation?
    Any ideas?
    Thank you!

    yeah... i know what the ports are and what services run on them.
    in addition to being listed in the actual port scan... i already knew what they were anyway.
    kerberos is an authentication system... it is certainly not limited to file sharing. but now that AFP is off i will see if the kerberos port also closes. i am thinking it will stay open for use with ARD.
    as mentioned... no FTP server (or FTP program in general. nor on in the 'File Sharing' section.) is running and none are listed in the firewall settings as allowed. my second post shows that there is nothing running anything on port 21 from netstat either.
    same deal with RTSP. no QTSS running nor anything else that would use it.
    yet they still would show up in a port scan. and running ftp via the terminal gave me a "Connected to xxx.xxx.xxx.xxx" but nothing actually happens beyond that.
    in both those instances (FTP / RTSP) they are not showing in the netstat list either.
    i have used both handmade ipfw and WaterRoof and NoobProof on other machines. so i am familiar with them already.
    i am specifically wondering why port 21 (and 554) could be showing as open in a port scan when no services are using them and they are not even showing up in netstat.
    it is no longer allowing me to connect to 21 via the command line (times out now vs. saying 'connected' with no additional prompts).
    in both cases... no actual applications were running on the machine. and the number of other services is pretty minimal.
    i'll run another port scan and see if 21 (or 554) show up still. or if any other new seemingly phantom ports show up.

  • Bypassing TCP port 25 restriction (i.e. worst ISP EVER; Mail is not allowed

    Hi
    The private company that runs my DOES NOT ALLOW Smtp connections on its "hi speed internet connection".
    Meaning that Mail cannot function and I have to check via webmail.
    I'm serious.
    Their FAQ states:
    Can I use email clients such as Microsoft Outlook or Outlook Express to send and receive emails?
    No, you will only be able to use web browser based email such as Hotmail or Gmail; this is due to limitations (on TCP port 25) which have been implemented to protect you against other computer users sending unsolicited bulk emails (SPAM) via your computer.
    Does anyone know a way to get around this as I NEED the functionality of Mail.....
    Also,
    Are all British ISPs this ridiculous?
    Dying to find a solution to this....... Many Many Many Many Thanks
    PS. I already paid extra ($250USD) to enable 'super' internet which doesn't throttle VOIP, STREAMING, gaming, P2P etc.
    Luke

    Beginning January 1, 2006 Port 587 has been standardized as the port to use for authenticated SMTP servers although most will still work with Port 25 as well. More and more ISPs are blocking port 25 as various jurisdictions are holding them responsible for spam and/or viruses originating on their network. With unauthenticated SMTP anyone can send using that server whether they have an account or not. So the ISPs block that port with the sole exception of their own SMTP server so they can scan the messages for spam and viruses. With an authenticated SMTP server where a valid account id and password are required to send messages the provider of the server assumes the responsibility for scanning all traffic through their server thus relieving the ISP of the liability.
    Whether you think this is a big brother step or not, with estimates that spam on the internet is running as high as 70% of all email traffic, if it weren't for restrictions like this email would rapidly become an unusable tool. The only annoying thing I have found about this is how few ISP Tech Support people know about this. Too often their solution is "you can only use another email provider through their webmail interface."
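The reply above says to use the provider's authenticated submission port (587) instead of 25. The added example below is not code from either poster; it is a Python client that does exactly that with the standard `smtplib`, and adds the check a practitioner wants: it inspects the EHLO response and refuses to send the account password unless the server offers STARTTLS, so a blocked or intercepted session cannot downgrade the login to cleartext. The provider hostname and credentials are assumptions; the `start_fake_submission_server` test double is constructed only to show the refusal firing and speaks just enough SMTP to answer EHLO and QUIT.

```python
import smtplib
import socket
import ssl
import threading
from email.message import EmailMessage

SUBMISSION_PORT = 587   # RFC 6409 message submission, the port 587 the reply refers to


def build_message(sender, recipient, subject, body):
    """Assemble a plain-text message for submission."""
    msg = EmailMessage()
    msg['From'] = sender
    msg['To'] = recipient
    msg['Subject'] = subject
    msg.set_content(body)
    return msg


def send_via_submission(host, user, password, msg, port=SUBMISSION_PORT,
                        local_hostname=None, timeout=30):
    """Deliver through the provider's authenticated submission service.

    Raises RuntimeError instead of authenticating when the server does not
    advertise STARTTLS, so credentials never cross the wire in the clear.
    """
    with smtplib.SMTP(host, port, local_hostname=local_hostname, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn('starttls'):
            raise RuntimeError(f'{host}:{port} offers no STARTTLS; refusing to send credentials in clear')
        smtp.starttls(context=ssl.create_default_context())   # verifies the server certificate
        smtp.ehlo()                                           # re-EHLO after the TLS upgrade
        smtp.login(user, password)
        smtp.send_message(msg)
    return True


def start_fake_submission_server(advertise_starttls=False):
    """Constructed test double, not a real MTA: greets, answers EHLO and QUIT."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(1)

    def session():
        conn, _ = srv.accept()
        f = conn.makefile('rwb')
        f.write(b'220 fake.example ESMTP\r\n')
        f.flush()
        while True:
            line = f.readline()
            parts = line.split()
            if not line:
                break
            if not parts:
                continue
            verb = parts[0].upper()
            if verb in (b'EHLO', b'HELO'):
                reply = b'250-fake.example\r\n'
                if advertise_starttls:
                    reply += b'250-STARTTLS\r\n'
                reply += b'250 AUTH PLAIN LOGIN\r\n'
                f.write(reply)
            elif verb == b'QUIT':
                f.write(b'221 bye\r\n')
                f.flush()
                break
            else:
                f.write(b'502 not implemented\r\n')
            f.flush()
        conn.close()
        srv.close()

    threading.Thread(target=session, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == '__main__':
    # Against the fake server (no STARTTLS) the client must refuse to log in.
    port = start_fake_submission_server(advertise_starttls=False)
    msg = build_message('luke@example.com', 'friend@example.org', 'test', 'hello')
    try:
        send_via_submission('127.0.0.1', 'luke', 'hunter2', msg, port=port,
                            local_hostname='localhost', timeout=5)
    except RuntimeError as e:
        print('refused:', e)
```

For real use call `send_via_submission('smtp.provider.example', user, password, msg)` with the hostname your mail provider documents for port 587; if the call raises the RuntimeError, the provider's submission service is not offering TLS on that port and the password should not be sent to it.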

  • LMS 4.2 Why is TCP port 514 used and how to close it?

    An internal security scan showed that TCP port 514 is open on the Cisco Prime LMS 4.2.4 server.  The security team is concerned that this port is commonly used for rsh, which is not encrypted and may use plain text logins or poorly authenticated logins.  The port being open is documented in the "Installing and Migrating ..." manual for LMS 4.2 where it says that this TCP port 514 is used for Remote Copy Protocol in the direction from the server to device.  The well-known port associated with a service is usually on the target host, not on the host that initiates the connection, so this is a little confusing.  I see that there is no rsh service in /etc/inetd.conf, but there is an rsh service in /etc/xinetd.conf.  This LMS is not configured to use RCP for anything, as far as I can tell.
    Can I close TCP port 514 on this server without disastrous results, and how do I do that?
    Or, how do I satisfy the security team that having this port open is not a security concern?
    Thanks for any help.
    Dave

    I have a love/hate relationship with security audits like that. Happy to know the profile of a server but then hating to have to justify everything their "report" "concludes" (95% of which is usually just dressed up tool output from Nessus or whatever).
    Problem is with appliance servers running a packaged application like LMS, mucking with the OS settings (rc files etc.) can break things in unexpected ways. I'm more in favor of putting it on a segmented network and applying access-control lists or firewall rules inbound vs. trying to take apart the system and put it back together using only the parts you think are necessary (a bit of hyperbole there but it's to make a point).
    Call it defense in depth and declare victory and then move on with using the tool to actually manage the network instead of defending its configuration to the Stasi.
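The question notes an rsh entry in the xinetd configuration, and the reply recommends fencing the port with firewall rules rather than dismantling the appliance. The added example below is not from either poster and is not Cisco's or LMS's code; it is a Python helper that parses an xinetd-style stanza to confirm whether the `shell` (rshd) service is actually enabled, and then emits the inbound host-firewall rules that allow TCP/514 only from a management network and drop it from everywhere else. The `SAMPLE_XINETD` text, the `/usr/sbin/in.rshd` path and the `10.0.100.0/24` management subnet are constructed assumptions; the iptables syntax is standard, but adapt the rules to whatever packet filter the LMS host runs.

```python
import ipaddress
import re

# Constructed xinetd-style stanzas (not copied from an LMS server).
SAMPLE_XINETD = """\
# default: off
service shell
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        log_on_success  += USERID
        log_on_failure  += USERID
        server          = /usr/sbin/in.rshd
}

service exec
{
        disable         = yes
        socket_type     = stream
        server          = /usr/sbin/in.rexecd
}
"""


def parse_xinetd(text):
    """Return {service_name: {attribute: value}} for every stanza in the text.

    Comments are stripped; '+=' assignments are recorded like '=' assignments.
    """
    services = {}
    for m in re.finditer(r'service\s+(\S+)\s*\{(.*?)\}', text, re.S):
        attrs = {}
        for line in m.group(2).splitlines():
            line = line.split('#', 1)[0].strip()
            if not line:
                continue
            am = re.match(r'(\w+)\s*\+?=\s*(.*)', line)
            if am:
                attrs[am.group(1)] = am.group(2).strip()
        services[m.group(1)] = attrs
    return services


def enabled_services(services):
    """Names of stanzas xinetd would start; a missing 'disable' is treated as enabled."""
    return sorted(name for name, attrs in services.items()
                  if attrs.get('disable', 'no').lower() != 'yes')


def iptables_rules_for(port, mgmt_cidrs, proto='tcp'):
    """Inbound rules: accept `port` only from the management networks, drop the rest.

    Each CIDR is validated with ipaddress so a typo fails here, not in production.
    """
    rules = []
    for cidr in mgmt_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        rules.append(f'iptables -A INPUT -p {proto} -s {net} --dport {port} -j ACCEPT')
    rules.append(f'iptables -A INPUT -p {proto} --dport {port} -j DROP')
    return rules


if __name__ == '__main__':
    services = parse_xinetd(SAMPLE_XINETD)
    print('enabled xinetd services:', enabled_services(services))
    if 'shell' in enabled_services(services):
        print('rshd is enabled via', services['shell'].get('server'))
        for rule in iptables_rules_for(514, ['10.0.100.0/24']):
            print(rule)
```

Feeding the real `/etc/xinetd.d/rsh` (or the stanza from `/etc/xinetd.conf`) to `parse_xinetd` tells you whether the listener the scanner found is the rsh daemon; the generated rules then document for the audit that 514 is reachable only from the management network, which is the defense-in-depth answer the reply suggests.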
