Originally posted by dualedge@Jun 30 2005, 06:20 AM
I'd do as Amish suggests and try it with another IPB site if you know of one. I doubt it's specific to the RPF. If it's causing problems I can inquire about it to Invision and see what they say.
I had a thought on this, and there is not any evidence of this, but I'm curious if some linked images could be prompting that scan. Avatars or other images in threads that are linked from sites with advertising perhaps?
Originally posted by amish@Jul 7 2005, 10:58 AM
You got it. I should say that I have not experienced this in the past few days. So I will post here if it happens again.
I agree. Either they are breaching trust and port scanning or their security is compromised and someone is port scanning from their servers.
Originally posted by moffeaton@Jul 12 2005, 05:43 PM
Leave Invisionzone... this is creepy stuff.
Originally posted by TK626@Jul 13 2005, 12:24 AM
Amish (and anyone else experiencing this):
Is it always the same two ports being scanned (2918,2920)? If so, this info could help invisionzone pinpoint the cause. A port scan in and of itself is nothing to worry about, "attack" is a poor choice of words in your firewall log. As an example of how benign a scan can be; in order to learn what you did about their server (that it is running a webserver and smtp server, but not an FTP server), you had to run a port scan against it, whether you realized it or not. Their firewall logs will now show that you have been port scanning them too, but I doubt you'd agree that you have been attacking invisionzone's servers. As you monitor over the next couple of days, if it is at all possible to say what you were doing when the alert triggered (which thread you were in, or if you weren't even active on the RPF), this could also help. Be as specific as possible.
If it is always those two ports, they would be odd choices for malware or a hacker to target. One (2820) is used by a network monitoring tool (roboEDA). The second (2818) is used by a product... "Developed by Kasten Chase and certified by the U.S. National Security Agency, RASP Data Security is a comprehensive suite of data security solutions that provide robust, end-to-end data security for government."
I.e., the software that would be listening on that port (if any) would be about the least likely route/method a hacker would want to attempt. Definitely stay on Invisionzone about this, my gut feeling is that it is incorrectly configured software at their end (esp. if it continues to show up at those two ports and not the more common ones).