Please teach me how to read port scan messages

Posted: 07 Mar 2013, 06:46
by jp1981
Hi

I am having a hard time figuring out what ports are being scanned. The below block is in fact from a hosting client and the temp blocks stop him from downloading mail.

Can someone please let me know what blocks are being scanned below so I can help the client to resolve this.

Thanks :)

Code:

Time:    Thu Mar  7 04:20:06 2013 +0200
IP:      41.132.199.40 (ZA/South Africa/41-132-199-40.dsl.xxxx)
Hits:    11
Blocked: Temporary Block

Sample of block hits:
Mar  7 04:18:38 CentOS-63-64-minimal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:67:48:fa:82:78:19:f7:91:ec:01:08:00 SRC=41.132.199.40 DST=197.221.46.242 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=28198 DF PROTO=TCP SPT=64348 DPT=26 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 04:18:50 CentOS-63-64-minimal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:67:48:fa:82:78:19:f7:91:ec:01:08:00 SRC=41.132.199.40 DST=197.221.46.242 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=28232 DF PROTO=TCP SPT=64348 DPT=26 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 04:18:53 CentOS-63-64-minimal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:67:48:fa:82:78:19:f7:91:ec:01:08:00 SRC=41.132.199.40 DST=197.221.46.242 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=28233 DF PROTO=TCP SPT=64348 DPT=26 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 04:18:59 CentOS-63-64-minimal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:67:48:fa:82:78:19:f7:91:ec:01:08:00 SRC=41.132.199.40 DST=197.221.46.242 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=28236 DF PROTO=TCP SPT=64348 DPT=26 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 04:19:11 CentOS-63-64-minimal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:67:48:fa:82:78:19:f7:91:ec:01:08:00 SRC=41.132.199.40 DST=197.221.46.242 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=28246 DF PROTO=TCP SPT=64348 DPT=26 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 04:19:34 CentOS-63-64-minimal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:67:48:fa:82:78:19:f7:91:ec:01:08:00 SRC=41.132.199.40 DST=197.221.46.242 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=28274 DF PROTO=TCP SPT=64354 DPT=26 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 04:19:37 CentOS-63-64-minimal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:67:48:fa:82:78:19:f7:91:ec:01:08:00 SRC=41.132.199.40 DST=197.221.46.242 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=28324 DF PROTO=TCP SPT=64354 DPT=26 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 04:19:44 CentOS-63-64-minimal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:67:48:fa:82:78:19:f7:91:ec:01:08:00 SRC=41.132.199.40 DST=197.221.46.242 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=28335 DF PROTO=TCP SPT=64354 DPT=26 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 04:19:56 CentOS-63-64-minimal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:67:48:fa:82:78:19:f7:91:ec:01:08:00 SRC=41.132.199.40 DST=197.221.46.242 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=28342 DF PROTO=TCP SPT=64354 DPT=26 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 04:19:59 CentOS-63-64-minimal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:67:48:fa:82:78:19:f7:91:ec:01:08:00 SRC=41.132.199.40 DST=197.221.46.242 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=28348 DF PROTO=TCP SPT=64354 DPT=26 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 04:20:05 CentOS-63-64-minimal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:67:48:fa:82:78:19:f7:91:ec:01:08:00 SRC=41.132.199.40 DST=197.221.46.242 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=28357 DF PROTO=TCP SPT=64354 DPT=26 WINDOW=8192 RES=0x00 SYN URGP=0

Re: Please teach me how to read port scan messages

Posted: 10 Mar 2013, 15:15
by squipper
SPT=64348 DPT=26 are for the ports.

SPT = Source Port, the port the incoming packet has been sent from.
DPT = Destination Port, the server port the packet is aimed at.
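As an added example (not from this thread or from CSF itself), a small Python parser for kernel firewall lines in the format shown above. It pulls out the SRC/DST/SPT/DPT fields squipper points at and summarises, per source address, which destination ports were hit, so you can tell a sweep across many ports from repeated attempts on a single port (in the log above every hit is to DPT=26). The hostnames, addresses, MACs and IDs in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample in the thread's CSF/iptables kernel-log format (documentation-range
# addresses, made-up IDs and MACs; none of these values are taken from the post).
SAMPLE_LOG = """\
Mar  7 04:18:38 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=1001 DF PROTO=TCP SPT=64348 DPT=26 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 04:18:50 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=1002 DF PROTO=TCP SPT=64348 DPT=26 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 04:19:34 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=1003 DF PROTO=TCP SPT=64354 DPT=26 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 04:21:02 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.9 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  7 04:21:02 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.9 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=51001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  7 04:21:03 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.9 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=51002 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  7 04:22:00 web1 kernel: eth0: link is up
"""

PREFIX_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
                       r"Firewall: \*(?P<chain>[A-Z_]+) Blocked\*")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value tokens; flags like DF/SYN have no '='

def parse_line(line):
    """Dict of one 'Firewall: *X Blocked*' line's KEY=value fields, else None."""
    m = PREFIX_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "chain": m.group("chain")}
    rec.update(FIELD_RE.findall(line, m.end()))  # OUT= keeps an empty value
    return rec

def summarize(lines):
    """Per SRC address: hit count, DPT histogram and the set of SPTs seen."""
    per_src = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue  # skip non-firewall lines; only TCP entries, the kind the thread asks about
        e = per_src.setdefault(rec["SRC"], {"hits": 0, "dports": Counter(), "sports": set()})
        e["hits"] += 1
        e["dports"][int(rec["DPT"])] += 1
        e["sports"].add(int(rec["SPT"]))
    return per_src

def classify(entry):
    """Heuristic: many distinct DPTs looks like a sweep; one DPT hit repeatedly is
    a client (or bot) retrying a single service, which is what the thread's log shows."""
    return "port sweep" if len(entry["dports"]) > 1 else "repeated attempts on one port"

if __name__ == "__main__":
    for src, e in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {e['hits']} hits on DPT {sorted(e['dports'])} from SPTs {sorted(e['sports'])}: {classify(e)}")
```

Run against the real log, the 11 lines above collapse to one source, one destination port and two source ports, which is what you would expect from a mail client retrying rather than from a scanner.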