*Port Scan* detected - Blocked by host

Similar Messages

• CSA 4.0.3 Exempt certain IPs from being detected as source of port scanning

  We have an in-house vulnerability scanner that regularly
  does port scans and we don't want to see events when the source IP is from the vulnerability scanner.
  We tried a network access rule but it dose not work.
  1) Network Shim is enabled
  2) Network shield rule with Port scan detection is enabled.
  3) Global correlation for scans is set to 100 within 60 minutes.
  Basically we want to keep detecting port scans except scans from a specific IP.

  Thanks Jay for your offer. The thing is NACL does not work in 4.0.x
  Here is TAC responce for later versions (4.5.x or 5.x):
  "It is possible to do this by changing the field "Commuincating with host
  addresses" in the network shield rule. There are 2 ways to do this.
  1. Create an exception rule. The exception rule is of type 'Network
  Shield Rule'. Make it's action 'permit'. Click Port Scan Detection to
  enable it. Include the ip address of the port scanner device in
  "Communicating with host addresses".
  or
  2. Modify the original Network Shield Rule (the one with the deny
  action). Next to "Communicating with host addresses", click 'Insert
  Network Address Set', and click 'New'. In the new window,name the
  network address set. Leave the "Address ranges matching" to and
  change "but not:" to the ip address of the port scanner. Then click
  'save'. Make sure that the Network Shield rule now contains your
  Network address set under "Communicating with host addresses".
  We typically recommend using method 1 because it prevents you from
  having to modify the default rule set. But pick the method that works
  best for your configuration."
  I have to find away without upgrading.

• Port Scan

  i keep getting blocked by a firewall on my website hosting company due to Port Scan. i have tried different pcs but same thing, something from btcentralplus.com is port scanning, it even happened while in a hotel using bt as an isp, any ideas why
  root@host21 [~]# grep 86.157.186.xxx /var/log/lfd.log
  Aug 29 11:28:04 host21 lfd[28813]: *Port Scan* detected from 86.157.186.xxx (GB/United Kingdom/host86-157-186-xxx.range86-157.btcentralpl​us.com). 6 hits in the last 20 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]

  Hi paulpa66,
  I know this is an old thread, so I hope you are still interested in this, (if you are still a BT customer!).
  I'm visiting my parents in the UK at the moment and I am having EXACTLY the same issue as you describe, except I have my own dedicated server in a data centre. I'm actually getting locked out of my own server by my firewall because the CSF firewall was detecting port scans from my parent's BT IP address.
  It first happened yesterday and I got my server support people to remove my parents' IP from the block list and whitelist the IP address.
  I was working late tonight and at midnight the BT broadband connection dropped out. I ended up power cycling the BT router and the connection came back up. About 1-2 hours later I got locked out of my own server again! My tech support said it was the same problem - port scans from my parents IP address, which had unfortunately changed, so was not whitelisted.
  Once it's done it's port scanning it seems to be okay, presumably until their IP changes again ...
  This is a real pain!

• Crashing cFP with http port scan?

  cFP-2010 running 6.1 RT, embedded application communicating via vi server to host #1. Embedded webserver is enabled but serving (properly) only default pages.
  Scan of port 80 causes cFP module to stop responding to port 3363 requests and crash. Seems to reboot spontaneously about half the time, other times it locks up with the red status led blinking 18 times then pausing.
  Port scan is performed from host #2 using nmap 3.50. Command is:
  nmap -A -p 80 192.168.7.24 -v
  The specific request that is causing the problem appears to be 'OPTIONS / HTTP/1.0'. The response generated is 'HTTP/1.0 501 Service Temporarily Overloaded'. No 3363 requests are responded to after this and the embedded application stops.
  Enabling webserv
  er log did not make any difference and nothing was recorded in the log. Adding a delay to the scan did not make a difference.
  Any thoughts or suggestions? We anticipate using the embedded web server so turning it off isn't really an option. Thanks.
  Matt

  >Is your compact FieldPoint system on your local subnet, or is it on a different layer of your network?
  Do you see the same issue when it's on your subnet?
  cFP is on the local subnet; haven't tried a different network.
  >Can you verify that your RT Options are set properly for the webserver? While targeted to your FieldPoint system, go to Tools->RT Target Options and then browse through each Webserver configuration area, checking that your VI is visible and that your computer has network access to your controller.
  I'm not actually browsing to any .vis yet. We're using just the default 'Fieldpoint Embedded Webserver' page that shows the IP, mac, S/N, etc. Requests for the main page and subsequent links all work properly. There are no
  restrictions on access for either the webserver or tcp.
  >If you can verify that the webserver is configured properly, let's try to narrow down whether the problem is due to an issue with the network or if it's the software on the controller.
  >Please post a reply if the problem still exists.
  Thanks for your help.
  Matt

• Poor man's port scan blocker

  working with cisco IOS on 3750's at the access level, Nexus 7K's at the core. 
  I need to find a cheap but relatively harmless way to block port scans.  We have not typically had to do this, most people on the internal network behave themselves.  But we have a programmer bent on proving she's an "ethical hacker" and frankly I haven't got time for this nonsense. 
  I would just shut down her physical port but she runs these 'tools' from a vm-server and there are other hosts running on the same physical NIC so I can't just shut off that port.
  I was looking into CBAC but I need to be very careful how I craft the ACL so as not to cause legitimate traffic to cease.  That would be an RPE.  Has anyone seen a detailed write up on how to proceed?  The training I took just sort of 'touched' on it...kind of like "here's this other feature" but didn't really delve deeply into specifics.  I did a search on google and was overwhelmed.  The first couple of articles I located, probably just by cooincidence,  were written for folks already steeped in the spy vs. spy world and so were way over my KB threshold.  As I said, I can't afford to make a mistake here.
  Anyone have some tips on where I can get started on this?  Thanks so much in advance.

  Hi
  Well there are several ways you can handle this.
  but lets first make it the way it is supposed to be handled.
  1) is she breaking any IT policy ? If yes then let HR deal with the offending programmer, just make sure that they have enough proof to swat the offender hard.
  If the answer is no, no policy of the company is broken then frankly I doubt that it is your responsibility to fix the problem, wich in this case is that the IT policy is lagging behind what is desireable.
  Lets ignore the above part and check on what you asked for.
  First of all since  the machine is a vm machine in an esx host you will have problems to halt traffic simply because not all traffic does leave the ESX host.
  So what can you do ?  Is the ip address static or dynamic ?
  If it is a static ip address then you can easily write an ACL that allows what she is supposed to be able to do from that machine and then block the rest from that particular machine and then allow everything else.
  Since you did not have an ACL from the beginning this should only impact her ability to scan.
  If the 3750 software is quite new you can setup an ACL with a connection to an EEM and TCL script that IF she starts to scan you can block her address via adding a new acl or the switch sends you an email or anything you can imagine inbetween.
  If the ipadress is DHCP then you can either choose to lock it down to a specific address in the dhcp scope or you can setup something that lets you know what it is and sets a scripted acl.
  So what other things can you do ?
  You could set a MAC address access-list and shut down the Mac address passing through the switch.
  You can do alot of other things like poisoning the arp address table of the machine, and make things not work the way she wants it. duplicate ip addresses and mac addresses or maybe duplicate windows name.
  But that sort of thing can backfire and to be honest, that does not sound like the doings of a person who are in charge of the network and so on..
  I would go for the first alternative ie make sure that what she is doing is not ok according to policys, let her know that it is not ok and if she persists in her doings turn her over to the HR department.
  Good luck

• I've been blocked because I'm port scanning?!

  Servers from work keep throwing blocks up on me because they said they have detected port scanning coming from my IP. Before I go any futher, please forgive me for not knowing my macbook pro inside out. I've google just about every combination of phrases and keywords that halfway relate to my issue and I'm still coming up blank. I downloaded Little Snitch to see if I had anything suspicious going out, but the only thing I see, and it concerns me, is "mDNSResponder" hitting about every 4 seconds. it doesn't say there are any actual connections, but something is going on. Under connection stats it says: UDP ports dns(53) followed by a long list of high numbered ports (49411 & up). It also has 2 IP address associated with it, but not sure if that has anything to do with it.
  I saw a lot of talk about finding the mdnsresponder.plist, but that file is not on my mbp. I've gone back as far as my time machine allows and don't see that file either. I just reinstalled a fresh OS and I still have this problem.
  Thank you in advance for any help!

  No PC on my network, but I did install Windows 7 a few weeks ago on Parallels 7. It didn't install correctly, so I uninstalled. I haven't attempted since.

• Code to detect port scan

  do anyone know how to write a java application that can detect port scan?the situation is like this, i can select the ports for monitoring, and when some one scan my port for vulnerable ports, then the system will alert me about the intrusion!the biggest porblem is how the system will detect the intrusion, when the person must know my ip address and port numbers to connect with my pc, and i dun have a specific port number for them to connect to!
  i really need to see how a sample of code how this is done!thanks!

  get a firewall

• Detect port scan

  do anyone know how to write a java application that can detect port scan?the situation is like this, i can select the ports for monitoring, and when some one scan my port for vulnerable ports, then the system will alert me about the intrusion!the biggest porblem is how the system will detect the intrusion, when the person must know my ip address and port numbers to connect with my pc, and i dun have a specific port number for them to connect to!
  i really need to see how a sample of code how this is done!thanks!

  Double-posted from http://forum.java.sun.com/thread.jsp?thread=344808&forum=31&message=1423914

• Outgoing port scan to find blocked (by ISP)/open ports

  Hi,
  How can I do a port scan (network ports, where web pages/applications use port number 80 for example)? I would like to find out if my ISP are blocking ports -- get some hard data/facts. I've tried using an online port scanner (one that operates from a web page/server) and according to it, all my ports are blocked -- but I now realise that's incoming (to me) where I didn't initialise the communication. So I suppose to find out what I want I need to initialise the communication -- outgoing (from me) communication. How can I do this? Any software / utilities available anywhere? I tried the "port scan" in Network Utility but this never reported anything. Maybe that will do what I want but I didn't have it set up properly possibly?
  Any suggestions / ideas much apprecaited.
  Cheers,
  John.

  Hi,
  I'm not sure what you're asking.
  What I'm asking about is in connection with the action that some ISP's take described as "traffic shaping". I know they are filtering/blocking because all P2P applications stop working for a period of time each day while email and web pages continue to work fine for example. I'm thinking of complaining to varous organisations because I have it in writing from the ISP they don't do this. They do, but I just want a bit more factual data first, before spending time and money making official complaints.
  ISP's rarely block outbound packets
  Well there's traffic shaping of some sort happening. I've found out that all incoming initialted outside packets are blocked but things still work fine so I assumed it must be outgoing which are being blocked.
  If you can't make an outbound connection, it's usually the return (ACK) packet that gets blocked.
  Right, I see. In that case another cooperating machine is needed to find out what I'm after I suppose.
  However, most firewalls have a rule that allows packets through that are part of existing connections. That allows you to browse the internet no matter what source port your browser uses.
  This isn't about a protection, it's about an ISP stopping/filtering certain uses (ports) via their connections because they don't like it -- too much band width use probably.
  By far the best packet sniffer is Wireshark (formally Ethereal) for display of the capture.
  From what's said above, a packet sniffer isn't going to be enough right? There needs to be two machines, me sending to another on various ports and it replying on the same port and both machines keeping a log of what's been sent and received, then a comparison made to see what made it and what didn't --- I guess. I wonder if there is such a service, piece of software, whatever, out there?
   Is your computer behind a router in your home? Of course that would include Airport. If so, that is more likely the culprit than your ISP.
  Yes an AirPort base station. Say "that is more likely the culprit than your ISP" again after visiting http://www.reviewcentre.com/review210703.html and searching the text for "traffic shaping" a few times! I'm pretty sure I've got the base station set up fine. And I think it's more likely my ISP (the one reviewed at that link) is the culpret. P2P software stops working, well it varies, but it reliably stops during "peak hours". It's the ISP for sure.
  I don't know any ISP that blocks all ports.
  Well, for incoming, according to the http://www.websecurity.mobi/network-security-audit/178-no-open-ports-my-machine- obviously-rediculous.html (which is me expressing surprise about all incoming ports being blocked) my ISP does. Apparently there is quite a difference between incoming and outgoing. Stops people using their machine as any kind of server (according to that link). One thing I do notice is that doing:
  sudo tcpdump -v -x -s 128
  on the command line while I'm not doing anything on the internet results in nothing -- complete silence as it were. On the dial up connection I've just left doing that command there was stuff coming in all the time -- who knows what, but the complete silence on my new broadband connection would back up the idea that all incoming ports are blocked. I could be wrong of course.
  "nmap" is probably the best portscanner available but as you discovered, OS X has one builtin that you can access through the Network Utility.
  Oh right I didn't know they were the same thing. I found that the port scan in NU didn't do anything. I left it for hours. There was an IP address which I left as it had filled it in itself. Maybe I should have changed that? How can I get the right address, or does it usually fill it in correctly itself?
  What actually does a port scanner like that one do? Send something out? To what? And how does it know if it got there?
  It seems to me to get what I need there needs to be first a suitable piece of software, second another computer running the software ready for my computer to talk to and to communicate multiple times and see what happens. My point is it's not just a piece of software that's needed it's also another cooperating computer elsewhere that needed? Otherwise what's the testing software going to talk to to see if the channel is working?
  I'll look into the Port Scan in NU again, see if I can get some actual results from it this time. On a broadband connection I left it for about, I don't know, 3 hours maybe, got nothing.
  Cheers,
  John

• Port Scan is shooting blanks

  I am finding it painful to set up VPN so any help anyone can give would be real generous.
  I have been trying to connect to a VPN to tunnel L2TP via IPsec over port 1701 and PPTP over port 1723 but having no joy at all.
  Macbook (10.5.6) uses mobile broadband USB modem (dynamic IP and telecom APN settings) to access internet. Internet works great, but have been unable to push thru VPN – getting the same error message "Connection terminated by communication device". I've checked firewall settings and it is set to allow all incoming requests. Therefore, there should be no ports blocked.
  However, when I check open ports using Port Scan in Network Utilities using my session IP address the results are empty. All I get is the following:
  Port Scan has started ...
  Port Scanning host: 193.120.116.180
  Port Scan has completed ...
  Why is this not working? I'm confused
  Am I able to check open ports on my Mac using dynamic IP address within active session on my Mac?

  I am trying to set up connection to PureVPN for security purposes and have followed their config settings for my Macbook.
  So how do I check the ports on my machine, as I'm sure it's not a problem at their end. I only have one machine so don't understand how it is possible to see if ports are being blocked at my end.
  Do I run that /var/log/ppp.log in Terminal?

• Server Admin says that Contribute CS3 is running port scans

  My website keeps crashing whenever I try to connect through contribute. The host admin says that when I try to connect Contribute is running port scans, this causes their server to block my IP and subsequently crashes my website.
  I connect using SFTP. How can I change the settings to avoid this happening?
  The host says that port 22 should be used.
  Under preferences, FTP proxy, FTP proxy port is listed as 21. Is this the problem?
  Thanks in advance for any help.
  -Lindsey

  Hi Lindsey,
       Can you provide the server log files?

• Mail or some other software is port scanning

  I've recently updated all of my machines to Yosemite. Ever since then my IP is periodically blocked by my web host (which hosts my website and email). Every time I contact them for support I'm told that my machine is port scanning on port 585 which automatically blocks me. From what they tell me Mac Mail is the culprit. I have found no indication that port 585 is being used. I've even deleted my mail accounts and re-set them up with the settings that the host requested. There are no settings using 585. But again today it has happened again. Does anyone know how Mail could be doing this of if there is another software that could be scanning?

  I think you're being given bogus information, but see below if you want to make sure.
  1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.
  Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.
  2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.
  There are ways to back up a computer that isn't fully functional. Ask if you need guidance.
  3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.
  You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.
  In this case, however, there are a couple of ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the necessary skill can verify what it does.
  You may not be able to understand the script yourself. But variations of the script have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message.
  Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.
  4. Here's a summary of what you need to do, if you choose to proceed:
  ☞ Copy a line of text in this window to the Clipboard.
  ☞ Paste into the window of another application.
  ☞ Wait for the test to run. It usually takes a few minutes.
  ☞ Paste the results, which will have been copied automatically, back into a reply on this page.
  The sequence is: copy, paste, wait, paste again. You don't need to copy a second time. Details follow.
  5. You may have started the computer in "safe" mode. Preferably, these steps should be taken in “normal” mode, under the conditions in which the problem is reproduced. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.
  6. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.
  7. The script is a single long line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, though you may not see all of it in the browser window, and you can then copy it. If you try to select the line by dragging across the part you can see, you won't get all of it.
  Triple-click anywhere in the line of text below on this page to select it:
  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/libexec;clear;cd;p=(Software Hardware Memory Diagnostics Power FireWire Thunderbolt USB Fonts SerialATA 4 1000 25 5120 KiB/s 1024 85 \\b%% 20480 1 MB/s 25000 ports ' com.clark.\* \*dropbox \*genieo\* \*GoogleDr\* \*k.AutoCAD\* \*k.Maya\* vidinst\* ' DYLD_INSERT_LIBRARIES\ DYLD_LIBRARY_PATH -86 "` route -n get default|awk '/e:/{print $2}' `" 25 N\\/A down up 102400 25600 recvfrom sendto CFBundleIdentifier 25 25 25 1000 MB ' com.adobe.AAM.Updater-1.0 com.adobe.AdobeCreativeCloud com.adobe.CS4ServiceManager com.adobe.CS5ServiceManager com.adobe.fpsaud com.adobe.SwitchBoard com.adobe.SwitchBoard com.apple.aelwriter com.apple.AirPortBaseStationAgent com.apple.FolderActions.enabled com.apple.FolderActions.folders com.apple.FolderActions.folders com.apple.installer.osmessagetracing com.apple.mrt.uiagent com.apple.ReportCrash.Self com.apple.rpmuxd com.apple.SafariNotificationAgent com.apple.usbmuxd com.google.keystone.agent com.google.keystone.daemon com.microsoft.office.licensing.helper com.oracle.java.Helper-Tool com.oracle.java.JavaUpdateHelper com.oracle.java.JavaUpdateHelper ' ' 879294308 461455494 3627668074 1083382502 1274181950 1855907737 2758863019 1848501757 464843899 3694147963 1417519526 1189540302 1233118628 2456546649 2806998573 2778718105 2636415542 842973933 3301885676 891055588 998894468 695903914 1443423563 4136085286 ' 51 5120 files );N5=${#p[@]};p[N5]=` networksetup -listnetworkserviceorder|awk ' NR>1 { sub(/^\([0-9]+\) /,"");n=$0;getline;} $NF=="'${p[26]}')" { sub(/.$/,"",$NF);print n;exit;} ' `;f=('\n%s: %s\n' '\n%s\n\n%s\n' '\nRAM details\n%s\n' %s\ %s '%s\n-\t%s\n' );S0() { echo ' { q=$NF+0;$NF="";u=$(NF-1);$(NF-1)="";gsub(/^ +| +$/,"");if(q>='${p[$1]}') printf("%s (UID %s) is using %s '${p[$2]}'",$0,u,q);} ';};s=(' s/[0-9A-Za-z._]+@[0-9A-Za-z.]+\.[0-9A-Za-z]{2,4}/EMAIL/g;/faceb/s/(at\.)[^.]+/\1NAME/g;/\/Shared/!s/(\/Users\/)[^ /]+/\1USER/g;s/[-0-9A-Fa-f]{22,}/UUID/g;' ' s/^ +//;/de: S|[nst]:/p;' ' {sub(/^ +/,"")};/er:/;/y:/&&$2<'${p[10]} ' 1s/://;3,6d;/[my].+:/d;s/^ {4}//;H;${ g;s/\n$//;/s: (E[^m]|[^EO])|x([^08]|02[^F]|8[^0])/p;} ' ' 5h;6{ H;g;/P/!p;} ' ' ($1~/^Cy/&&$3>'${p[11]}')||($1~/^Cond/&&$2!~/^N/) ' ' /:$/{ N;/:.+:/d;s/ *://;b0'$'\n'' };/^ *(V.+ [0N]|Man).+ /{ s/ 0x.... //;s/[()]//g;s/(.+: )(.+)/ (\2)/;H;};$b0'$'\n'' d;:0'$'\n'' x;s/\n\n//;/Apple[ ,]|Genesy|Intel|SMSC/d;s/\n.*//;/\)$/p;' ' s/^.*C/C/;H;${ g;/No th|pms/!p;} ' '/= [^GO]/p' '{$1=""};1' ' /Of/!{ s/^.+is |\.//g;p;} ' ' $0&&!/ / { n++;print;} END { if(n<10) print "com.apple.";} ' ' { sub(/ :/,"");print|"tail -n'${p[12]}'";} ' ' NR==2&&$4<='${p[13]}' { print $4;} ' ' END { $2/=256;if($2>='${p[15]}') print int($2) } ' ' NR!=13{next};{sub(/[+-]$/,"",$NF)};'"`S0 21 22`" 'NR!=2{next}'"`S0 37 17`" ' NR!=5||$8!~/[RW]/{next};{ $(NF-1)=$1;$NF=int($NF/10000000);for(i=1;i<=3;i++){$i="";$(NF-1-i)="";};};'"`S0 19 20`" 's:^:/:p' '/\.kext\/(Contents\/)?Info\.plist$/p' 's/^.{52}(.+) <.+/\1/p' ' /Launch[AD].+\.plist$/ { n++;print;} END { if(n<200) print "/System/";} ' '/\.xpc\/(Contents\/)?Info\.plist$/p' ' NR>1&&!/0x|\.[0-9]+$|com\.apple\.launchctl\.(Aqua|Background|System)$/ { print $3;} ' ' /\.(framew|lproj)|\):/d;/plist:|:.+(Mach|scrip)/s/:[^:]+//p ' '/^root$/p' ' !/\/Contents\/.+\/Contents|Applic|Autom|Frameworks/&&/Lib.+\/Info.plist$/ { n++;print;} END { if(n<1100) print "/System/";} ' '/^\/usr\/lib\/.+dylib$/p' ' /Temp|emac/{next};/(etc|Preferences|Launch[AD].+)\// { sub(".(/private)?","");n++;print;} END { split("'"${p[41]}"'",b);split("'"${p[42]}"'",c);for(i in b) print b[i]".plist\t"c[i];if(n<500) print "Launch";} ' ' /\/(Contents\/.+\/Contents|Frameworks)\/|\.wdgt\/.+\.([bw]|plu)/d;p;' 's/\/(Contents\/)?Info.plist$//;p' ' { gsub("^| |\n","\\|\\|kMDItem'${p[35]}'=");sub("^...."," ") };1 ' p '{print $3"\t"$1}' 's/\'$'\t''.+//p' 's/1/On/p' '/Prox.+: [^0]/p' '$2>'${p[43]}'{$2=$2-1;print}' ' BEGIN { i="'${p[26]}'";M1='${p[16]}';M2='${p[18]}';M3='${p[31]}';M4='${p[32]}';} !/^A/{next};/%/ { getline;if($5<M1) a="user "$2"%, system "$4"%";} /disk0/&&$4>M2 { b=$3" ops/s, "$4" blocks/s";} $2==i { if(c) { d=$3+$4+$5+$6;next;};if($4>M3||$6>M4) c=int($4/1024)" in, "int($6/1024)" out";} END { if(a) print "CPU: "a;if(b) print "I/O: "b;if(c) print "Net: "c" (KiB/s)";if(d) print "Net errors: "d" packets/s";} ' ' /r\[0\] /&&$NF!~/^1(0|72\.(1[6-9]|2[0-9]|3[0-1])|92\.168)\./ { print $NF;exit;} ' ' !/^T/ { printf "(static)";exit;} ' '/apsd|BKAg|OpenD/!s/:.+//p' ' (/k:/&&$3!~/(255\.){3}0/ )||(/v6:/&&$2!~/A/ ) ' ' $1~"lR"&&$2<='${p[25]}';$1~"li"&&$3!~"wpa2";' ' BEGIN { FS=":";p="uniq -c|sed -E '"'s/ +\\([0-9]+\\)\\(.+\\)/\\\2 x\\\1/;s/x1$//'"'";} { n=split($3,a,".");sub(/_2[01].+/,"",$3);print $2" "$3" "a[n]$1|p;b=b$1;} END { close(p);if(b) print("\n\t* Code injection");} ' ' NR!=4{next} {$NF/=10240} '"`S0 27 14`" ' END { if($3~/[0-9]/)print$3;} ' ' BEGIN { L='${p[36]}';} !/^[[:space:]]*(#.*)?$/ { l++;if(l<=L) f=f"\n   "$0;} END { F=FILENAME;if(!F) exit;if(!f) f="\n   [N/A]";"cksum "F|getline C;split(C, A);C="checksum "A[1];"file -b "F|getline T;if(T!~/^(AS.+ (En.+ )?text(, with v.+)?$|(Bo|PO).+ sh.+ text ex|XM)/) F=F" ("T", "C")";else F=F" ("C")";printf("\nContents of %s\n%s\n",F,f);if(l>L) printf("\n   ...and %s more line(s)\n",l-L);} ' ' s/^ ?n...://p;s/^ ?p...:/-'$'\t''/p;' 's/0/Off/p' ' END{print NR} ' ' /id: N|te: Y/{i++} END{print i} ' ' / / { print "'"${p[28]}"'";exit;};1;' '/ en/!s/\.//p' ' NR!=13{next};{sub(/[+-M]$/,"",$NF)};'"`S0 39 40`" ' $10~/\(L/&&$9!~"localhost" { sub(/.+:/,"",$9);print $1": "$9|"sort|uniq";} ' '/^ +r/s/.+"(.+)".+/\1/p' 's/(.+\.wdgt)\/(Contents\/)?Info\.plist$/\1/p' 's/^.+\/(.+)\.wdgt$/\1/p' ' /l: /{ /DVD/d;s/.+: //;b0'$'\n'' };/s: /{ /V/d;s/^ */- /;H;};$b0'$'\n'' d;:0'$'\n'' x;/APPLE [^:]+$/d;p;' ' /^find: /d;p;' "`S0 44 45`" ' BEGIN{FS="= "} /Path/{print $2} ' ' /^ *$/d;s/^ */   /;' ' s/^.+ |\(.+\)$//g;p ' '/\.(appex|pluginkit)\/Contents\/Info\.plist$/p' ' /2/{print "WARN"};/4/{print "CRITICAL"};' ' /EVHF|MACR/d;s/^.+: //p;' );c1=(system_profiler pmset\ -g nvram fdesetup find syslog df vm_stat sar ps crontab iotop top pkgutil 'PlistBuddy 2>&1 -c "Print' whoami cksum kextstat launchctl smcDiagnose sysctl\ -n defaults\ read stat lsbom mdfind ' for i in ${p[24]};do ${c1[18]} ${c2[27]} $i;done;' pluginkit scutil dtrace profiles sed\ -En awk /S*/*/P*/*/*/C*/*/airport networksetup mdutil lsof test osascript\ -e );c2=(com.apple.loginwindow\ LoginHook '" /L*/P*/loginw*' "'tell app \"System Events\" to get properties of login items'|tr , \\\n" 'L*/Ca*/com.ap*.Saf*/E*/* -d 1 -name In*t -exec '"${c1[14]}"' :CFBundleDisplayName" {} \;|sort|uniq' '~ $TMPDIR.. \( -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! -perm -600 \)' '.??* -path .Trash -prune -o -type d -name *.app -print -prune' :${p[35]}\" :Label\" '{/,}L*/{Con,Pref}* -type f ! -size 0 -name *.plist -exec plutil -s {} \;' "-f'%N: %l' Desktop L*/Keyc*" therm sysload boot-args status " -F '\$Time \$(RefProc): \$Message' -k Sender kernel -k Message Req 'bad |Beac|caug|corru|dead[^bl]|FAIL|fail|GPU |hfs: Ru|inval|jnl:|last value [1-9]|n Cause: -|NVDA\(|pagin|proc: t|Roamed|rror|ssert|Thrott|tim(ed? ?|ing )o|WARN' -k Message Rne 'Goog|ksadm|Roame|SMC:|suhel| VALI|ver-r|xpma' -o -o -k Sender fseventsd -k Message Req SL -o -k Sender Req launchd -k Message Req de: " '-du -n DEV -n EDEV 1 10' 'acrx -o comm,ruid,%cpu' '-t1 10 1' '-f -pfc /var/db/r*/com.apple.*.{BS,Bas,Es,J,OSXU,Rem,up}*.bom' '{/,}L*/Lo*/Diag* -type f -regex .\*[cght] ! -name .?\* ! -name \*ag \( -exec grep -lq "^Thread c" {} \; -exec printf \* \; -o -true \) -execdir stat -f:%Sc:%N -t%F {} \;|sort -t: -k2 |tail -n'${p[38]} '/S*/*/Ca*/*xpc* >&- ||echo No' '-L /{S*/,}L*/StartupItems -type f -exec file {} +' '-L /S*/L*/{C*/Sec*A,Ex}* {/,}L*/{A*d,Ca*/*/Ex,Co{mpon,reM},Ex,In{p,ter},iTu*/*P,Keyb,Mail/B,Pr*P,Qu*T,Scripti,Sec,Servi,Spo,Widg}* -path \\*s/Resources -prune -o -type f -name Info.plist' '/usr/lib -type f -name *.dylib' `awk "${s[31]}"<<<${p[23]}` "/e*/{auto,{cron,fs}tab,hosts,{[lp],sy}*.conf,mach_i*/*,pam.d/*,ssh{,d}_config,*.local} {,/usr/local}/etc/periodic/*/* /L*/P*{,/*}/com.a*.{Bo,sec*.ap}*t {/S*/,/,}L*/Lau*/*t .launchd.conf" list getenv /Library/Preferences/com.apple.alf\ globalstate --proxy '-n get default' -I --dns -getdnsservers\ "${p[N5]}" -getinfo\ "${p[N5]}" -P -m\ / '' -n1 '-R -l1 -n1 -o prt -stats command,uid,prt' '--regexp --only-files --files com.apple.pkg.*|sort|uniq' -kl -l -s\ / '-R -l1 -n1 -o mem -stats command,uid,mem' '+c0 -i4TCP:0-1023' com.apple.dashboard\ layer-gadgets '-d /L*/Mana*/$USER&&echo On' '-app Safari WebKitDNSPrefetchingEnabled' "+c0 -l|awk '{print(\$1,\$3)}'|sort|uniq -c|sort -n|tail -1|awk '{print(\$2,\$3,\$1)}'" -m 'L*/{Con*/*/Data/L*/,}Pref* -type f -size 0c -name *.plist.???????|wc -l' kern.memorystatus_vm_pressure_level '3>&1 >&- 2>&3' );N1=${#c2[@]};for j in {0..9};do c2[N1+j]=SP${p[j]}DataType;done;N2=${#c2[@]};for j in 0 1;do c2[N2+j]="-n ' syscall::'${p[33+j]}':return { @out[execname,uid]=sum(arg0) } tick-10sec { trunc(@out,1);exit(0);} '";done;l=(Restricted\ files Hidden\ apps 'Elapsed time (s)' POST Battery Safari\ extensions Bad\ plists 'High file counts' User Heat System\ load boot\ args FileVault Diagnostic\ reports Log 'Free space (MiB)' 'Swap (MiB)' Activity 'CPU per process' Login\ hook 'I/O per process' Mach\ ports kexts Daemons Agents XPC\ cache Startup\ items Admin\ access Root\ access Bundles dylibs Apps Font\ issues Inserted\ dylibs Firewall Proxies DNS TCP/IP Wi-Fi Profiles Root\ crontab User\ crontab 'Global login items' 'User login items' Spotlight Memory Listeners Widgets Parental\ Controls Prefetching SATA Descriptors App\ extensions Lockfiles Memory\ pressure SMC );N3=${#l[@]};for i in 0 1 2;do l[N3+i]=${p[5+i]};done;N4=${#l[@]};for j in 0 1;do l[N4+j]="Current ${p[29+j]}stream data";done;A0() { id -G|grep -qw 80;v[1]=$?;((v[1]==0))&&sudo true;v[2]=$?;v[3]=`date +%s`;clear >&-;date '+Start time: %T %D%n';};for i in 0 1;do eval ' A'$((1+i))'() { v=` eval "${c1[$1]} ${c2[$2]}"|'${c1[30+i]}' "${s[$3]}" `;[[ "$v" ]];};A'$((3+i))'() { v=` while read i;do [[ "$i" ]]&&eval "${c1[$1]} ${c2[$2]}" \"$i\"|'${c1[30+i]}' "${s[$3]}";done<<<"${v[$4]}" `;[[ "$v" ]];};A'$((5+i))'() { v=` while read i;do '${c1[30+i]}' "${s[$1]}" "$i";done<<<"${v[$2]}" `;[[ "$v" ]];};A'$((7+i))'() { v=` eval sudo "${c1[$1]} ${c2[$2]}"|'${c1[30+i]}' "${s[$3]}" `;[[ "$v" ]];};';done;A9(){ v=$((`date +%s`-v[3]));};B2(){ v[$1]="$v";};for i in 0 1;do eval ' B'$i'() { v=;((v['$((i+1))']==0))||{ v=No;false;};};B'$((3+i))'() { v[$2]=`'${c1[30+i]}' "${s[$3]}"<<<"${v[$1]}"`;} ';done;B5(){ v[$1]="${v[$1]}"$'\n'"${v[$2]}";};B6() { v=` paste -d: <(printf "${v[$1]}") <(printf "${v[$2]}")|awk -F: ' {printf("'"${f[$3]}"'",$1,$2)} ' `;};B7(){ v=`grep -Fv "${v[$1]}"<<<"$v"`;};C0() { [[ "$v" ]]&&sed -E "$s"<<<"$v";};C1() { [[ "$v" ]]&&printf "${f[$1]}" "${l[$2]}" "$v"|sed -E "$s";};C2() { v=`echo $v`;[[ "$v" != 0 ]]&&C1 0 $1;};C3() { v=`sed -E "${s[63]}"<<<"$v"`&&C1 1 $1;};for i in 1 2 7 8;do for j in 0 2 3;do eval D$i$j'(){ A'$i' $1 $2 $3; C'$j' $4;};';done;done;{ A0;D20 0 $((N1+1)) 2;D10 0 $N1 1;B0;C2 27;B0&&! B1&&C2 28;D12 15 37 25 8;A1 0 $((N1+2)) 3;C0;D13 0 $((N1+3)) 4 3;D23 0 $((N1+4)) 5 4;D13 0 $((N1+9)) 59 50;for i in 0 1 2;do D13 0 $((N1+5+i)) 6 $((N3+i));done;D13 1 10 7 9;D13 1 11 8 10;B1&&D73 19 53 67 55;D22 2 12 9 11;D12 3 13 10 12;D23 4 19 44 13;D23 5 14 12 14;D22 6 36 13 15;D22 20 52 66 54;D22 7 37 14 16;D23 8 15 38 17;D22 9 16 16 18;B1&&{ D82 35 49 61 51;D82 11 17 17 20;for i in 0 1;do D82 28 $((N2+i)) 45 $((N4+i));done;};D22 12 44 54 45;D22 12 39 15 21;A1 13 40 18;B2 4;B3 4 0 19;A3 14 6 32 0;B4 0 5 11;A1 17 41 20;B7 5;C3 22;B4 4 6 21;A3 14 7 32 6;B4 0 7 11;B3 4 0 22;A3 14 6 32 0;B4 0 8 11;B5 7 8;B1&&{ A8 18 26 23;B7 7;C3 23;};A2 18 26 23;B7 7;C3 24;D13 4 21 24 26;B4 4 12 26;B3 4 13 27;A1 4 22 29;B7 12;B2 14;A4 14 6 52 14;B2 15;B6 14 15 4;B3 0 0 30;C3 29;A1 4 23 27;B7 13;C3 30;B3 4 0 65;A3 14 6 32 0;B4 0 16 11;A1 26 50 64;B7 16;C3 52;D13 24 24 32 31;D13 25 37 32 33;A2 23 18 28;B2 16;A2 16 25 33;B7 16;B3 0 0 34;B2 21;A6 47 21&&C0;B1&&{ D73 21 0 32 19;D73 10 42 32 40;D82 29 35 46 39;};D23 14 1 62 42;D12 34 43 53 44;D12 22 20 32 25;D22 0 $((N1+8)) 51 32;D13 4 8 41 6;D12 21 28 35 34;D13 27 29 36 35;A2 27 32 39&&{ B2 19;A2 33 33 40;B2 20;B6 19 20 3;};C2 36;D23 33 34 42 37;B1&&D83 35 45 55 46;D23 32 31 43 38;D12 36 47 32 48;D13 10 42 32 41;D13 37 2 48 43;D13 4 5 32 1;D13 4 3 60 5;D12 21 48 49 49;B3 4 22 57;A1 21 46 56;B7 22;B3 0 0 58;C3 47;D22 4 4 50 0;D12 4 51 32 53;D23 22 9 37 7;A9;C2 2;} 2>/dev/null|pbcopy;exit 2>&-
  Copy the selected text to the Clipboard by pressing the key combination command-C.
  8. Launch the built-in Terminal application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
  Click anywhere in the Terminal window and paste by pressing command-V. The text you pasted should vanish immediately. If it doesn't, press the return key.
  9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter
  exec bash
  and press return. Then paste the script again.
  10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. In most cases, the difference is not important. If you don't know the password, or if you prefer not to enter it, press the key combination control-C or just press return  three times at the password prompt. Again, the script will still run.
  If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.
  11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, there will be nothing in the Terminal window and no indication of progress. Wait for the line
  [Process completed]
  to appear. If you don't see it within half an hour or so, the test probably won't complete in a reasonable time. In that case, close the Terminal window and report what happened. No harm will be done.
  12. When the test is complete, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.
  At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.
  If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.
  13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "You are not authorized to post." That's a bug in the forum software. Please post the test results on Pastebin, then post a link here to the page you created.
  14. This is a public forum, and others may give you advice based on the results of the test. They speak only for themselves, and I don't necessarily agree with them.
  Copyright © 2014 by Linc Davis. As the sole author of this work, I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

• Port Scans

  Hi,
  I have a problem where I cannot access my website because my hosting providers firewall keeps blocking me. The problem is they say that they are receiving port scans from my IP to blocked ports. They unblock my IP but an hour or so later is blocked again.
  Well, I'm not running, to my knowledge, port scans. The only app that would be hitting there systems would be mail.app but that has been working for over a year so I'm assuming those ports are OK.
  I've thought this could be a virus/malware or some such so I've installed ClamXAV and run a full scan but nothing has come up.
  Does anybody know how I can monitor the outgoing network requests from by machine? Or any other advice on how to track this down.
  Cheers
  Steve

  Hi
  Asking them which ports are being scanned might help? If it's a particular port or series of ports you should be able to use "lsof" from the command line.
  For example:
  sudo lsof -i | grep portnubmer
  Where "portnumber" is the number of the port. For example 25, 110 etc, or possibly:
  sudo lsof -i | grep LISTEN
  Which will list all ports that are "listening."
  Possibly "LittleSnitch" may also give you some feedback? It's not something I use so I can't really say for certain.
  Tony

• Issues with McAfee IPS and HP PhotoSmart Premium C309g-m performing port scan

  Trying to run a HP PhotoSmart Premium C309g-m printer wirelessly and connect to a laptop computer with Windows 7 32-bit operating system.  Printer is available for about 3 and a half minutes and then is blocked by McAfee because the printer is trying to perform a UDP port scan.  The IP address of the printer is blocked for 10 minutes and then becomes available again.  After about 3 and a half minutes, the printer IP address is again blocked by McAfee IPS for 10 minutes and the cycle repeats again.  Goes on all day.  Difficult to get any work done.  Anyone have a fix to stop the port scans?  Thanks

  Hello JWB46,
  Welcome to the HP Forums!
  I understand when you scan a document, it takes longer and the background is black with horizontal white lines or a greenish background. I will do my best to assist you! First, I need to find out your operating system on your computer? Windows or Mac?
  How is this printer connected? Wireless or USB?
  Please make sure you have followed this entire HP document on Color or Brightness Level of Scanned Image is Not Correct. I would like to test out the hardware within your printer. Try copying a blank document on the scanner glass. Let me know if you have the same results. I will be looking forward to hearing from you. Have a great night!
  I worked on behalf of HP.

• Is this port scanning?

  Hello all,
  I’m a new Oracle Administrator and I want to ask the following question:
  I have one 10g R2 Database Server (myhost.mydomain) running a DB with SID=DB1 on a Linux Redhat Server.
  There is another 10g R2 Database on a Win2003 server (HOST1) which through a database link is doing specific select on two tables only (I am not responsible for this server).
  Looking the listener.log of my server I saw that every 10 – 20 seconds there are connections on my server and on different ports. Is this something like port scanning?
  A 10 minute sample of my listener.log:
  30-OCT-2010 08:59:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3452)) * establish * DB1 * 0
  30-OCT-2010 08:59:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3454)) * establish * DB1 * 0
  30-OCT-2010 08:59:34 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3457)) * establish * DB1 * 0
  30-OCT-2010 09:00:01 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3465)) * establish * DB1 * 0
  30-OCT-2010 09:00:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3469)) * establish * DB1 * 0
  30-OCT-2010 09:00:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3472)) * establish * DB1 * 0
  30-OCT-2010 09:00:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3474)) * establish * DB1 * 0
  30-OCT-2010 09:00:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3483)) * establish * DB1 * 0
  30-OCT-2010 09:01:03 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3484)) * establish * DB1 * 0
  30-OCT-2010 09:01:09 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3487)) * establish * DB1 * 0
  30-OCT-2010 09:01:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3488)) * establish * DB1 * 0
  30-OCT-2010 09:01:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3494)) * establish * DB1 * 0
  30-OCT-2010 09:02:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3505)) * establish * DB1 * 0
  30-OCT-2010 09:02:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3506)) * establish * DB1 * 0
  30-OCT-2010 09:02:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3511)) * establish * DB1 * 0
  30-OCT-2010 09:02:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3519)) * establish * DB1 * 0
  30-OCT-2010 09:03:03 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3520)) * establish * DB1 * 0
  30-OCT-2010 09:03:09 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3523)) * establish * DB1 * 0
  30-OCT-2010 09:03:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3524)) * establish * DB1 * 0
  30-OCT-2010 09:03:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3528)) * establish * DB1 * 0
  30-OCT-2010 09:03:58 * ping * 0
  30-OCT-2010 09:03:58 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=myhost.mydomain)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost.mydomain)(PORT=1521)))(VERSION=169870336)) * status * 0
  30-OCT-2010 09:04:09 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=52637)) * establish * DB1 * 0
  30-OCT-2010 09:04:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3537)) * establish * DB1 * 0
  30-OCT-2010 09:04:13 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=52639)) * establish * DB1 * 0
  30-OCT-2010 09:04:13 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=52640)) * establish * DB1 * 0
  30-OCT-2010 09:04:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3538)) * establish * DB1 * 0
  30-OCT-2010 09:04:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3542)) * establish * DB1 * 0
  30-OCT-2010 09:04:34 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3544)) * establish * DB1 * 0
  30-OCT-2010 09:04:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3553)) * establish * DB1 * 0
  30-OCT-2010 09:05:01 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3554)) * establish * DB1 * 0
  30-OCT-2010 09:05:03 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3555)) * establish * DB1 * 0
  30-OCT-2010 09:05:09 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3559)) * establish * DB1 * 0
  30-OCT-2010 09:05:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3560)) * establish * DB1 * 0
  30-OCT-2010 09:05:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3564)) * establish * DB1 * 0
  30-OCT-2010 09:06:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3573)) * establish * DB1 * 0
  30-OCT-2010 09:06:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3574)) * establish * DB1 * 0
  30-OCT-2010 09:06:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3578)) * establish * DB1 * 0
  30-OCT-2010 09:06:40 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=52652)) * establish * DB1 * 0
  30-OCT-2010 09:06:40 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=52653)) * establish * DB1 * 0
  30-OCT-2010 09:06:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3586)) * establish * DB1 * 0
  30-OCT-2010 09:07:03 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3587)) * establish * DB1 * 0
  30-OCT-2010 09:07:09 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3590)) * establish * DB1 * 0
  30-OCT-2010 09:07:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3591)) * establish * DB1 * 0
  30-OCT-2010 09:07:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3593)) * establish * DB1 * 0
  30-OCT-2010 09:08:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3604)) * establish * DB1 * 0
  30-OCT-2010 09:08:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3605)) * establish * DB1 * 0
  30-OCT-2010 09:08:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3607)) * establish * DB1 * 0
  30-OCT-2010 09:08:58 * ping * 0
  30-OCT-2010 09:08:58 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=myhost.mydomain)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost.mydomain)(PORT=1521)))(VERSION=169870336)) * status * 0
  30-OCT-2010 09:08:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3617)) * establish * DB1 * 0
  30-OCT-2010 09:09:03 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3620)) * establish * DB1 * 0
  30-OCT-2010 09:09:09 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3623)) * establish * DB1 * 0
  30-OCT-2010 09:09:09 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=42950)) * establish * DB1 * 0
  30-OCT-2010 09:09:13 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=42951)) * establish * DB1 * 0
  30-OCT-2010 09:09:13 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=42952)) * establish * DB1 * 0
  30-OCT-2010 09:09:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3624)) * establish * DB1 * 0
  30-OCT-2010 09:09:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3626)) * establish * DB1 * 0
  30-OCT-2010 09:09:34 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3630)) * establish * DB1 * 0
  30-OCT-2010 09:10:01 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3637)) * establish * DB1 * 0
  30-OCT-2010 09:10:07 * (CONNECT_DATA=(SID=DB1)(CID=(PROGRAM=perl)(HOST=myhost.mydomain)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.9)(PORT=42957)) * establish * DB1 * 0
  30-OCT-2010 09:10:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3643)) * establish * DB1 * 0
  30-OCT-2010 09:10:15 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3644)) * establish * DB1 * 0
  30-OCT-2010 09:10:26 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3646)) * establish * DB1 * 0
  30-OCT-2010 09:10:59 * (CONNECT_DATA=(SERVER=DEDICATED)(SID=DB1)(CID=(PROGRAM=d:\oracle\product\10.2.0\db\bin\ORACLE.EXE)(HOST=HOST1)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.10)(PORT=3658)) * establish * DB1 * 0

  Is this port scanning?No. Port scanning is sending various crafted tcp packets to a range of ports to determine what, if any, service is using that port as a listening end-point. It is not about sending lots of packets to a single port.
  So if someone port scans your Oracle server, there is an excellent likelihood that you will not even see that. A stealth scan is commonly used - and this will be dealt with at IP stack level and not at the listener level. So the listener will never see the port scan. It will not be recorded in the listener's log.
  What you are seeing are standard client server connections. The server port is 1521. The client port will be a brand new port each time - and a port number from the private/dynamic port range.
  A lot of client-server connections to a server that for example fails, can be a sign of a DoS (<i>Denial of Service</i>) attack. But yours simply seems to be the local Oracle instance checking in with the listener at regular intervals.
  The executable according to the connection string received from the client is <i>d:\oracle\product\10.2.0\db\bin\ORACLE.EXE</i>. This means an Oracle server process. An Oracle instance will continually contact the local listener to inform it of the services that it supports.