Keep getting Port Scanned by RPF

amish

Sr Member
I keep getting port scans from the RPF:

IP Address 67.15.145.9
Attacker DNS www.rpf.invisionzone.com
Attack Type Port scanned
Attack Time 11:16:40 PM
Scan Port Details TCP (2918, 2920)

Any idea of the reason for this?

Thanks.

BTW, this happens at least once a day.
 
It will happen either while browsing the forum or after I leave the forum. It is kind of weird and thought it was worth mentioning.
 
Some sites will do that to see if you are still 'alive' and kicking while accessing a site; does Invision do that normally?
 
It probably is a "feature" of invisionzone. I will have to try accessing another invision site and leave it up for awhile and see if it happens.

Nice idea.
 
Originally posted by dualedge@Jun 30 2005, 06:20 AM
I'd do as Amish suggests and try it with another IPB site if you know of one. I doubt it's specific to the RPF. If it's causing problems I can inquire about it to Invision and see what they say.

Rob
RPF Staff


It is the RPF. Two different computers. What possible reason should an INTRUSION PREVENTION occur? Here is the log (partial) from my firewall:

7/3/2005 11:43:26 PM Active Response Major Incoming None 67.15.145.9 7/3/2005 11:42:34 PM 7/3/2005 11:42:34 PM
7/3/2005 11:43:26 PM Intrusion Prevention System Major Incoming TCP 67.15.145.9 iexplore.exe Br 7/3/2005 11:42:33 PM 7/3/2005 11:42:33 PM
 
You got it. I should say that I have not experienced this in the past few days. So I will post here if it happens again.

Thanks.
 
Originally posted by amish@Jul 7 2005, 10:58 AM
You got it.  I should say that I have not experienced this in the past few days.  So I will post here if it happens again.

Thanks.

I had a thought on this, and there is not any evidence of this, but I'm curious if some linked images could be prompting that scan. Avatars or other images in threads that are linked from sites with advertising perhaps?
 
Just wanted to mention I got another one at 9:22am this morning.

The IP for the attack is:
67.15.145.9

This is Invisionzone from Houston, Texas. So they are the ones doing something.

The following is the information from the IP that port scanned me:

The system is running a mail server (ESMTP Exim 4.44 #1) on port 25. This means that this system can be used to send email.

The system is running a web server (Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.10 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7a) on port 80 (click here to view it). This means that this system serves web pages.

The system is running a secure web server (Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.10 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7a) on port 443 (click here to view it). This means that this system serves encryped web pages. It therefore probably handles sensitive data, such as credit card information.

The system is running a file transfer server (1.2.10 Server (ProFTPD) [67.15.145.9]) on port 21 (click here to view it). This means users are able to upload and download files to this system.


Here is some info for the ISP:
Everyones Internet, Inc.
abuse@ev1.net
+1-713-579-2850
390 Benmar Suite 200 Houston TX 77060 US

This could be Invisionzone......

(attached image: trace.jpg)


The following is information about Invisionzone.com:
The following information refers to the network on which this system lies. This is useful information because it describes who you need to report to if someone on their network has been abusive. (How to effectively report network abuse)

OrgName: Invision Power Services, Inc.
OrgID: IPS-72
Address: PO Box 24
City: Evergreen
StateProv: VA
PostalCode: 23939
Country: US

NetRange: 67.15.107.0 - 67.15.107.63
CIDR: 67.15.107.0/26
NetName: EVRY-230
NetHandle: NET-67-15-107-0-1
Parent: NET-67-15-0-0-1
NetType: Reassigned
Comment:
RegDate: 2005-02-02
Updated: 2005-02-02

OrgTechHandle: LTH22-ARIN
OrgTechName: Throgmartin, Lindy
OrgTechPhone: +1-434-352-4334
OrgTechEmail: lindy@invisionpower.com

Registration Service Provided By: Invision Power Services, Inc.
Contact: lindy@invisionpower.com
Visit: http://www.invisiondomains.com

Domain name: invisionzone.com

Registrant Contact:
Invision Power Services, Inc.
Lindy Throgmartin (lindy@invisionpower.com)
+1.4343524334
Fax:
1115 Vista Park Dr.
Suite C
Forest, VA 24551
US

Administrative Contact:
Invision Power Services, Inc.
Charles Warner (charleswarner@mac.com)
4343524334
Fax: +1.4343528662
P.O. Box 24
Evergreen, VA 23939
US

Billing Contact:
Invision Power Services, Inc.
Lindy Throgmartin (lindy@invisionpower.com)
+1.4343524334
Fax:
1115 Vista Park Dr.
Suite C
Forest, VA 24551
US

Technical Contact:
Invision Power Services, Inc.
Lindy Throgmartin (lindy@invisionpower.com)
+1.4343524334
Fax:
1115 Vista Park Dr.
Suite C
Forest, VA 24551
US

Status: Locked

Name Servers:
ns1.ipslink.com
ns2.ipslink.com

Creation date: 15 Nov 2004 14:47:54
Expiration date: 15 Nov 2005 14:47:54

The system is running a mail server (ESMTP Exim 4.44 #1) on port 25. This means that this system can be used to send email.

The system is running a web server (Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.10 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7a) on port 80 (click here to view it). This means that this system serves web pages.

The system is running a secure web server (Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.10 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7a) on port 443 (click here to view it). This means that this system serves encryped web pages. It therefore probably handles sensitive data, such as credit card information.
There is no FTP server running on this system (the port is closed).

Both have the same system specs.
 
I got it also this morning, but cleared the history before remembering to screenshot :(

Just thinking of it: it is random. It does NOT happen each time.
 
I don't know about leaving yet, but they should be able to tell us why port scans are originating from the Invision servers. Have them take it up the chain of their support personnel.
 
Amish (and anyone else experiencing this):

Is it always the same two ports being scanned (2918,2920)? If so, this info could help invisionzone pinpoint the cause. A port scan in and of itself is nothing to worry about, "attack" is a poor choice of words in your firewall log. As an example of how benign a scan can be; in order to learn what you did about their server (that it is running a webserver and smtp server, but not an FTP server), you had to run a port scan against it, whether you realized it or not. Their firewall logs will now show that you have been port scanning them too, but I doubt you'd agree that you have been attacking invisionzone's servers. :) As you monitor over the next couple of days, if it is at all possible to say what you were doing when the alert triggered (which thread you were in, or if you weren't even active on the RPF), this could also help. Be as specific as possible.

If it is always those two ports, they would be odd choices for malware or a hacker to target. One (2820) is used by a network monitoring tool (roboEDA). The second (2818) is used by a product... "Developed by Kasten Chase and certified by the U.S. National Security Agency, RASP Data Security is a comprehensive suite of data security solutions that provide robust, end-to-end data security for government."

I.e., the software that would be listening on that port (if any) would be about the least likely route/method a hacker would want to attempt. :) Definitely stay on Invisionzone about this, my gut feeling is that it is incorrectly configured software at their end (esp. if it continues to show up at those two ports and not the more common ones).
 
Originally posted by moffeaton@Jul 12 2005, 05:43 PM
Leave Invisionzone... this is creepy stuff.

I agree. Either they are breaching trust and port scanning or their security is compromised and someone is port scanning from their servers.
 
I think invision needs to check their code. It could be some kind of PHP hack as well. I don't know how much control you guys have over the code here. However, I would be really jumping on invision for this. I am thinking if it's doing a port scan right now it could be sending intelligence to someone. And I could only imagine what they are doing with that data.
 
I will have to check my logs to see if it is the same ports over and over. However, this has happened to me when I have been connected to the rpf and when I am not connected to the rpf. When I am not connected, it may come within 5 or 10 minutes after closing the site.

It is not post related from what I can tell. It has happened more than what I have posted about here though. If it will help, I will gladly post a reply here and the ports each time it happens.

I too don't believe it is an attack from invisionzone against me; however, it is a real annoyance and should be dealt with by them.
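TK626 asks whether it is always the same two ports and how often it fires, and Amish offers to post the ports each time. The script below, added here as an example and not posted by anyone in the thread, answers those questions from pasted firewall alerts: it assumes the alert layout shown above plus a "Date" line the firewall entry does not show, and the sample alerts are constructed.

```python
"""Triage firewall 'Port scanned' alerts: same source? same ports? how often per day?"""
import re
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample in the layout of the alert posted in the thread; the 'Date' line is
# an assumption, since the posted alert shows only the time of day.
SAMPLE_ALERTS = """\
Date 7/3/2005
IP Address 67.15.145.9
Attacker DNS www.rpf.invisionzone.com
Attack Type Port scanned
Attack Time 11:16:40 PM
Scan Port Details TCP (2918, 2920)

Date 7/4/2005
IP Address 67.15.145.9
Attacker DNS www.rpf.invisionzone.com
Attack Type Port scanned
Attack Time 9:22:00 AM
Scan Port Details TCP (2920, 2918)
"""
FIELDS = ("Date", "IP Address", "Attack Time", "Scan Port Details")

def parse_alerts(text):
    """Split pasted alert blocks into records with a datetime and a sorted port tuple."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {f: line[len(f) + 1:].strip() for line in block.splitlines()
               for f in FIELDS if line.startswith(f + " ")}
        if any(f not in rec for f in FIELDS):
            continue  # not an alert block in the expected layout
        # "TCP (2920, 2918)" -> (2918, 2920): order-independent so port sets compare equal
        ports = tuple(sorted(int(p) for p in re.findall(r"\d+", rec["Scan Port Details"].split("(", 1)[-1])))
        when = datetime.strptime(f'{rec["Date"]} {rec["Attack Time"]}', "%m/%d/%Y %I:%M:%S %p")
        alerts.append({"ip": rec["IP Address"], "ports": ports, "when": when})
    return alerts

def summarize(alerts):
    """Per source IP: alert count, whether the port set ever changes, busiest day."""
    by_ip = defaultdict(list)
    for a in alerts:
        by_ip[a["ip"]].append(a)
    report = {}
    for ip, items in by_ip.items():
        port_sets = Counter(a["ports"] for a in items)
        per_day = Counter(a["when"].date() for a in items)
        # well-known service ports (< 1024) would be the usual targets of a real sweep
        low = any(p < 1024 for ps in port_sets for p in ps)
        report[ip] = {"count": len(items), "port_sets": dict(port_sets), "max_per_day": max(per_day.values()),
                      "always_same_ports": len(port_sets) == 1, "touches_well_known": low}
    return report
```

Paste each new alert into SAMPLE_ALERTS (with its date) and `summarize(parse_alerts(SAMPLE_ALERTS))` gives the per-source summary that can be sent to the forum host.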

Originally posted by TK626@Jul 13 2005, 12:24 AM
Amish (and anyone else experiencing this):

Is it always the same two ports being scanned (2918,2920)?  If so, this info could help invisionzone pinpoint the cause.  A port scan in and of itself is nothing to worry about, "attack" is a poor choice of words in your firewall log.  As an example of how benign a scan can be; in order to learn what you did about their server (that it is running a webserver and smtp server, but not an FTP server), you had to run a port scan against it, whether you realized it or not.  Their firewall logs will now show that you have been port scanning them too, but I doubt you'd agree that you have been attacking invisionzone's servers.  :)  As you monitor over the next couple of days, if it is at all possible to say what you were doing when the alert triggered (which thread you were in, or if you weren't even active on the RPF), this could also help.  Be as specific as possible.

If it is always those two ports, they would be odd choices for malware or a hacker to target.  One (2820) is used by a network monitoring tool (roboEDA).  The second (2818) is used by a product... "Developed by Kasten Chase and certified by the U.S. National Security Agency, RASP Data Security is a comprehensive suite of data security solutions that provide robust, end-to-end data security for government."

I.e., the software that would be listening on that port (if any) would be about the least likely route/method a hacker would want to attempt. :)  Definitely stay on Invisionzone about this, my gut feeling is that it is incorrectly configured software at their end (esp. if it continues to show up at those two ports and not the more common ones).
 
How come some people are being scanned and others are not? I log on to the RPF from 3 terminals (home, client, girlfriend), all with different firewalls and security/privacy settings, and never get a port scan warning. Is it considered spyware? I have AOL and Norton System Works Professional 2004 - both run spyware checks and neither have ever reported this.

- Gabe
 