Port Scan

While submiting a post I got a warn from my firewall that ATS was trying to access my comp, doing a port scan.

What is that all about?

Nobody know? Ever seen this before?

Obviously, we're doing no such thing... and I'm wondering why you didn't just contact me via u2u?

If you could send me the log, I could see what the issue is.

In the past, over-sensitive firewall settings have flagged the multiple-server (non-load-balanced) set-up as a number of things. Also, webservers configured for multiple connections can possibly open several to your computer on different ports for efficiency... this can appear as a port scan if your firewall settings are toward the hgih-end.

i have also just had a port scan reported as coming from here. i have u2u'd you the details.

my firewall settings havent changed or updated today and i didnt have many ats windows open.

Did your firewall specifically say that it was ATS? Or it just happened to occur at that time.

I used to get port scan warnings all the time while doing completely normal things. It has mysteriously stopped for the most part. But yeah, I don't think ATS is connected with the activity.

Probably one of two things:

1. You have a trojan (like I did)
2. Your firewall is overly-sensitive and gives off false warnings when websites try to give you completely normal information. (This happened to me sometimes too. Especially when downloading.)

Oh oh, will we be faced with another "ATS is spying for the government" thread?

I hope not. Its just a fluke. Really.

Originally posted by Yarcofin
Did your firewall specifically say that it was ATS?
...
1. You have a trojan (like I did)
2. Your firewall is overly-sensitive and gives off false warnings when websites try to give you completely normal information. (This happened to me sometimes too. Especially when downloading.)

yes, my firewall (outpost) alerted me that abovetopsecret.com was attempting to port scan my pc for about 10 - 15 mins. previous to this, the ats site gave me conisderable trouble trying to view or refresh any pages.

the ip listed in the log is registered to abovetopsecret.com (via theplanet.com) and the ip location is in dallas texas.

i ended task on firefox, restarted my pc and opened exactly the same pages up and nothing happened this time or was logged by the firewall.

the ports it was trying to scan were -

4065 - unknown
3958 - used by mqenterprise agent
3959 - used by tree hopper networking
3961 - used by proaxess server
3960 - used by bess peer assessment
4063 - unknown

i dont have a trojan or virus ( & have run 4 different spyware & anti-virus progs that i have installed ) and i dont download anything onto this pc - i use another one for that.

i was doing nothing out of the ordinary nor loading loads of ats pages either and i have never had this reported on the firewall before.

im not saying "ATS is spying for the government" but i am slightly concerned that i havent seen this activity reported before and need a little more convincing that it is to do with "multiple simultaneous connections" as it seems is the official word on this.

i have opened far more pages in ats before and have never had any problems in the 2 years ive been here.

i'll carry on myself looking into what may have caused this anyway

This is interesting. I was scanned by 'denyignorance.com' once.. strange given I never actually go there and I think they're on a different server to ats? Not sure.

Edit. I let admin know when dod repetitively scanned me. It could have been a spoof IP and though I do not think ats are responsible.. I have no doubt that governments watch this site closely.

[edit on 15-4-2006 by riley]

Originally posted by dgtempe
Oh oh, will we be faced with another "ATS is spying for the government" thread?

I hope not. Its just a fluke. Really.

well, fluke it may be but a search on theplanet.com's (which i am assuming ats uses as its listed to them) support site for port scan lists this -
support.theplanet.com...
so if that doesnt concern you, fine. however, in the light of that recent at&t scandal, perhaps it should concern you.

im not saying that the server has been compromised either, only showing what is listed under their support section when you type in port scan, and if you dont at least raise 1 eyebrow at that link then thats fine also. you can call me paranoid if it makes you happy. im more curious about it in my eyes, hence why i am investigating it myself rather than just say oh its just a fluke.

No viruses or trogens here either, I keep a very tight rane on my comp.

Firewall settings are not set at any "level", you either allow the conection or you don't.

I didn't write down the info from my port scan attack, wish I had now, but it defineatly said abovetopsecret.com was trying to acces my comp through ports blah blah blah.

Only happened the one time though.

A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a "well-known" port number, the computer provides. Port scanning, a favorite approach of computer cracker, gives the assailant an idea where to probe for weaknesses. Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed for weakness.

searchsecurity.techtarget.com...

It's no big deal to me really, my comp is well protected, but I'm still curious why it happened. I don't buy the over-sensitive FW settings.

Be great when one day mankind loses his predatory instincts.

America's war on the web




While the US remains committed to hunting down al-Qaeda operatives, it is now taking the battle to new fronts. Deep within the Pentagon, technologies are being deployed to wage the war on terror on the internet, in newspapers and even through mobile phones. Investigations editor Neil Mackay reports
www.sundayherald.com...

Is it possible some of these portscans are from advertisers on ATS, and the source is showing as ATS? Other than that, there is no valid reason for the scripts that run this forum to poll your computer for any reason. It's possible, PHP is looking for the existence of a valid SESSION cookie, but I'm pretty sure the info is included in the HTML request.

Having seen the professionalism of the administrators of this site, and taking an educated guess at their intelligence, nothing sinister is occuring.

NC

[edit on 15-4-2006 by NotClever]

Originally posted by justyc
i'll carry on myself looking into what may have caused this anyway

Did you actually read this from this very thread which is the same as what I sent you as a response to your U2U?

Originally posted by SkepticOverlord
In the past, over-sensitive firewall settings have flagged the multiple-server (non-load-balanced) set-up as a number of things. Also, webservers configured for multiple connections can possibly open several to your computer on different ports for efficiency... this can appear as a port scan if your firewall settings are toward the hgih-end.

This is a non-issue... why are you trying to make it one?

Originally posted by SkepticOverlord
Did you actually read this from this very thread which is the same as what I sent you as a response to your U2U?

Originally posted by SkepticOverlord
In the past, over-sensitive firewall settings have flagged the multiple-server (non-load-balanced) set-up as a number of things. Also, webservers configured for multiple connections can possibly open several to your computer on different ports for efficiency... this can appear as a port scan if your firewall settings are toward the hgih-end.

This is a non-issue... why are you trying to make it one?

yes. i first searched ats for posts on port scans, read it before posting and read your u2u reply saying exactly the same thing, but am i to accept your copy & paste reply to another member 2 months ago as being the ats policy of investigation on port scans that come from abovetopsecret.com?

that in itself is cause for concern

Skeptic overlord is correct, the reason your software is going hay wire is probably because you got it jacked up to its highest setting. a simple port scan isnt necessarily something to become concerned about, if your worried lock down the ports you are concerned about and run a virus scan to make sure you dont have trojan horses opening the ports on your computer.

I have checked my firewall logs and I havent found anything suspicous from ATS.

are your sure your computer didnt request a service while connected to ATS that generated an alert?

Also Norton firewall is notoriously over sensitive, for example it wont even allow MSN messenger to operate correctly. Mcaffee is much better.

Originally posted by XphilesPhan
Skeptic overlord is correct, the reason your software is going hay wire is probably because you got it jacked up to its highest setting. a simple port scan isnt necessarily something to become concerned about, if your worried lock down the ports you are concerned about and run a virus scan to make sure you dont have trojan horses opening the ports on your computer.
I have checked my firewall logs and I havent found anything suspicous from ATS.

my firewall doesnt have low, medium or high settings. it has allow or disallow and i set them each time. my tcp & udp ports are already locked down so im not too concerned about a breach and i have already run 2 trojan and 2 virus scanners just to be on the safe side, but as i dont download on this pc, its unlikely i have either unless it came via a website.

i also checked my firewall log and have only found one attempt at a port scan and it came from abovetopsecret.com - (15/04/2006 12:09:19 Port scan 70.86.59.150 TCP (4065, 3958, 3959, 3961, 3960, 4063), though why you think just because your logs dont show anything suspicious then nobody elses should escapes me. up until yesterday, my logs had nothing out of the ordinary also. but tell me why should it be that because one problem may 'appear' to look like a port scan, then all other reports of port scanning should therefore be the same problem. is that logical?

i had three ats tabs in firefox open at the time (suprisingly few for me) and 1 imdb page and was refreshing one ats page which wouldnt reload and then neither would the other 2 but the imbd page i had open reloaded fine. i then received an alert from my firewall saying abovetosecret.com was attempting to port scan my pc and it blocked the site. i ended task, restarted the pc, ran 4 diff tests and then opened the browser and loaded up exactly the same pages and nothing happened.

ive never had problems with firefox and outpost before and was doing nothing out of the ordinary or opening masses of pages to overload it for multiple connections. i also block many ad sites because i edit my hosts file, because having worked as a systems admin and analyst for many years, im not an idiot when it comes to pcs, so forgive me if i dont accept a cut & paste reply as a full investigation.

ive already pasted a search link from the support site of what appears to be the ats server host's site regarding port scanning and it is under the heading 'What are some symptoms that my server has been compromised?' perhaps you should read it or their forums regarding port scanning and hacking to see how common it is. as i dont know what software is used to host ats, i cant know what vulnerablilites it may have but i was at least prepared to look.

if you think im making an issue out of nothing, fine. i'll stop looking, but this is what i have done so far to look into a possible security issue & its a little more than copying & pasting a standard answer. what did you do?

Just get a router, software firewalls are pretty much just a nuisance.
Make it an ethernet connection as wireless is easy to get into even if you set up an encrypted connection. Just be sure to keep the firmware updated. Routers will also not get corrupted as software firewalls do, hence will not make your computer freeze and programs not respond.

Originally posted by justyc port scans that come from abovetopsecret.com?

It's not a port scan.

Since this issue reoccurs because of the ability of our multiple servers to initiate more than one simultaneous connection with your computer, the same answer works in every situation.

Making an issue of this is silly.

Thread closed.