Author Topic: Unwanted TCP FIN scans of Unknown Cause  (Read 6682 times)

    151rby
    Unwanted TCP FIN scans of Unknown Cause
    « on: October 26, 2012, 12:29:38 PM »
    I  have a System76 Pangolin Performance (Panp8), and I'm running Ubuntu 11.04, 64-bit.

    My computer has apparently been the target of incoming TCP-FIN scans, and also did at least one outbound scan. My network administrator banned my computer from the wifi network because of it. He says my computer's the only one on the network exhibiting the behavior. I really want to figure out the cause, but I have a huge amount of homework right now, and at this very moment the most important thing is for me to just prevent it from happening because I need the internet to do my homework. I have Uncomplicated Firewall, but I don't really know how it works; is there a way that I can use it to block or prevent such scans? Is there something I can do with my system or network settings to make it stop? I will be extremely grateful for any help!

    Now, if you know a way I can just make the scans stop regardless of their cause, then please feel free to answer without bothering to read the rest of this post. But maybe more details are necessary, so here is the firewall log report the admin sent me:

    10/25/2012 10:41:11  **TCP FIN Scan** 74.114.28.200, 80->> 192.168.2.37, 59562 (from WAN Inbound)   Meebo
    10/25/2012 10:41:11  **TCP FIN Scan** 207.200.81.7, 80->> 192.168.2.37, 40283 (from WAN Inbound)   Netscape Communications Corp
    10/25/2012 10:41:11  **TCP FIN Scan** 74.125.225.69, 80->> 192.168.2.37, 51341 (from WAN Inbound)   Google
    10/25/2012 10:41:11  **TCP FIN Scan** 174.132.95.10, 80->> 192.168.2.37, 46657 (from WAN Inbound)   Theplanet.com internet services
    10/25/2012 10:41:11  **TCP FIN Scan** 64.236.85.82, 80->> 192.168.2.37, 41429 (from WAN Inbound)   AOL transit data network
    10/25/2012 10:41:11  **TCP FIN Scan** 23.21.54.230, 80->> 192.168.2.37, 40730 (from WAN Inbound)   Amazon
    10/25/2012 10:41:11  **TCP FIN Scan** 67.132.183.64, 80->> 192.168.2.37, 57262 (from WAN Inbound)   Akamai technologies
    10/25/2012 10:41:11  **TCP FIN Scan** 199.117.103.72, 80->> 192.168.2.37, 39606 (from WAN Inbound)   Akamai technologies
    10/25/2012 10:36:21  **TCP FIN Scan** 208.81.191.110, 80->> 192.168.2.37, 54965 (from WAN Inbound)   Meebo
    10/25/2012 10:36:21  **TCP FIN Scan** 74.125.225.176, 80->> 192.168.2.37, 35835 (from WAN Inbound)   Google
    10/25/2012 10:36:21  **TCP FIN Scan** 74.125.225.89, 80->> 192.168.2.37, 41008 (from WAN Inbound)   Google
    10/25/2012 10:36:21  **TCP FIN Scan** 54.243.110.233, 80->> 192.168.2.37, 39518 (from WAN Inbound)   Amazon.com
    10/25/2012 10:36:21  **TCP FIN Scan** 199.38.164.155, 80->> 192.168.2.37, 34961 (from WAN Inbound)   X Plus One
    10/25/2012 10:36:21  **TCP FIN Scan** 208.81.191.113, 80->> 192.168.2.37, 51972 (from WAN Inbound)   Meebo
    10/25/2012 10:21:41  **TCP FIN Scan** 208.81.191.110, 80->> 192.168.2.37, 54295 (from WAN Inbound)   Meebo
    10/25/2012 10:21:41  **TCP FIN Scan** 69.171.234.21, 80->> 192.168.2.37, 44825 (from WAN Inbound)   Facebook (I don't even have a Facebook account)
    10/25/2012 10:21:41  **TCP FIN Scan** 67.132.183.9, 80->> 192.168.2.37, 35936 (from WAN Inbound)   Akamai Technologies
    10/25/2012 10:21:41  **TCP FIN Scan** 167.8.226.13, 80->> 192.168.2.37, 38467 (from WAN Inbound)   Gannett Co Inc
    10/25/2012 10:21:41  **TCP FIN Scan** 168.143.84.74, 80->> 192.168.2.37, 44154 (from WAN Inbound)   NTT America Inc
    10/25/2012 10:21:41  **TCP FIN Scan** 64.236.85.88, 80->> 192.168.2.37, 48464 (from WAN Inbound)   AOL Transit Data Network
    10/25/2012 10:21:41  **TCP FIN Scan** 75.98.35.20, 80->> 192.168.2.37, 44010 (from WAN Inbound)   Legolas Media
    10/25/2012 10:21:41  **TCP FIN Scan** 174.132.95.10, 80->> 192.168.2.37, 45758 (from WAN Inbound)   Theplanet.com
    10/25/2012 10:21:41  **TCP FIN Scan** 54.243.166.54, 80->> 192.168.2.37, 59490 (from WAN Inbound)   Amazon.com
    10/25/2012 10:21:41  **TCP FIN Scan** 69.172.216.55, 80->> 192.168.2.37, 45381 (from WAN Inbound)   Saferoute Incorporated
    10/25/2012 10:21:41  **TCP FIN Scan** 74.125.225.89, 80->> 192.168.2.37, 40278 (from WAN Inbound)   Google
    10/25/2012 10:21:41  **TCP FIN Scan** 64.94.107.18, 80->> 192.168.2.37, 40790 (from WAN Inbound)   Intermap Network Services Corporation
    10/25/2012 10:21:41  **TCP FIN Scan** 50.16.195.154, 80->> 192.168.2.37, 36605 (from WAN Inbound)   Amazon
    10/25/2012 10:21:41  **TCP FIN Scan** 74.125.225.90, 80->> 192.168.2.37, 47767 (from WAN Inbound)   Google
    10/25/2012 10:21:41  **TCP FIN Scan** 67.132.183.42, 80->> 192.168.2.37, 58683 (from WAN Inbound)   Akamai Technologies
    10/25/2012 10:21:41  **TCP FIN Scan** 205.217.176.11, 80->> 192.168.2.37, 57381 (from WAN Inbound)   Savvis
    10/25/2012 10:21:41  **TCP FIN Scan** 208.71.123.131, 80->> 192.168.2.37, 57039 (from WAN Inbound)   24/7 Real Media
    10/25/2012 10:21:41  **TCP FIN Scan** 67.132.183.65, 80->> 192.168.2.37, 50760 (from WAN Inbound)   Akamai Technologies
    10/25/2012 10:21:41  **TCP FIN Scan** 67.132.30.137, 80->> 192.168.2.37, 46285 (from WAN Inbound)   Qwest Communications
    10/25/2012 10:09:12  **TCP FIN Scan** 192.168.2.37, 52621->> 107.22.232.230, 80 (from WAN Outbound)   Amazon

    The right-hand column (Google, Meebo, etc) was added by me after I did a bunch of lookups on whois.domaintools.com. I am so confused. Why in the world am I being TCP FIN scanned from IPs owned by Google and Amazon and Meebo and various media companies? At the time it happened, I do actually think I was on a website where I was logged into Meebo and the chat bar was open; could these actually be "legitimate" harmless scans performed as part of Meebo's chat service? Another thing I noticed was that all of the scans came from a port 80, and when my computer did an outbound scan, the scan was sent to a port 80. This makes me wonder if it's just being done by one person who is spoofing various IPs, because what are the chances all those different computers would be using the same port to scan me/get scanned by me? Or, could someone be spoofing my IP and MAC addresses on the network, and if so how could I find out?

    Also, I would like to know, is there a log on my computer that I can check which will tell of any such scans that have recently occurred?

    I ran chkrootkit and rkhunter, and neither detected any rootkits, but chkrootkit said:
    The following suspicious files and directories were found: 
    /usr/lib/jvm/.java-1.6.0-openjdk.jinfo /usr/lib/pymodules/python2.7/.path /usr/lib/firefox-addons/extensions/[email protected]/chrome/.mkdir.done

    And rkhunter gave "warnings" for the following:
    /usr/bin/mail
    /usr/bin/bsd-mailx

    Rkhunter also said that "Checking if syslog remote logging is allowed" was "Not Allowed". I have no idea whether any of this is relevant to my problem. Yes, go ahead and laugh at my ignorance.

    I had a similar problem with TCP FIN scans back in May, and I started a thread about it back then. I never figured out what was causing it, but it eventually got resolved in that it stopped happening after my computer got messed up and I had to install a new copy of Ubuntu (and chose to "downgrade" to 11.04). However, I figured this warranted a new thread because the problem went away for so long, I'm using an entirely different version and copy of the operating system, and now I'm getting incoming scans whereas before my computer was just doing outbound ones.
    « Last Edit: October 26, 2012, 12:42:40 PM by 151rby »
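As an added example, not from this thread: a small Python triage script for entries in the format of the admin's report above. It parses each line, flags entries where the remote side is port 80 and the local side is an ephemeral port (the shape of a web session being closed rather than a probe of a service listening on this host), and counts how many alerts share one timestamp. The ephemeral-port lower bound of 32768 (the Linux default) is an assumption, and the sample lines are constructed in the report's format.

```python
import re
from collections import Counter

# One entry of the admin's report looks like:
# 10/25/2012 10:41:11  **TCP FIN Scan** 74.114.28.200, 80->> 192.168.2.37, 59562 (from WAN Inbound)
LINE_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+\*\*(?P<event>[^*]+)\*\*\s+"
    r"(?P<src>[\d.]+), (?P<sport>\d+)->> (?P<dst>[\d.]+), (?P<dport>\d+)"
    r" \(from WAN (?P<direction>Inbound|Outbound)\)"
)
EPHEMERAL_MIN = 32768  # assumption: Linux default lower bound of ip_local_port_range

# Constructed sample in the report's format (a subset shaped like the quoted report).
SAMPLE_LOG = """\
10/25/2012 10:41:11  **TCP FIN Scan** 74.114.28.200, 80->> 192.168.2.37, 59562 (from WAN Inbound)   Meebo
10/25/2012 10:41:11  **TCP FIN Scan** 74.125.225.69, 80->> 192.168.2.37, 51341 (from WAN Inbound)   Google
10/25/2012 10:36:21  **TCP FIN Scan** 208.81.191.110, 80->> 192.168.2.37, 54965 (from WAN Inbound)   Meebo
10/25/2012 10:09:12  **TCP FIN Scan** 192.168.2.37, 52621->> 107.22.232.230, 80 (from WAN Outbound)Amazon
"""

def parse(text):
    """Return one dict per line matching the report format; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            # Inbound: the remote host is the source; Outbound: it is the destination.
            inbound = e["direction"] == "Inbound"
            e["remote"] = e["src"] if inbound else e["dst"]
            e["remote_port"], e["local_port"] = (
                (e["sport"], e["dport"]) if inbound else (e["dport"], e["sport"]))
            events.append(e)
    return events

def http_tail_like(e):
    """A FIN between remote port 80 and a local ephemeral port has the shape of a web
    session being closed, not of a probe against a service listening on this host."""
    return e["remote_port"] == 80 and e["local_port"] >= EPHEMERAL_MIN

def summarize(events):
    return {
        "inbound": sum(e["direction"] == "Inbound" for e in events),
        "outbound": sum(e["direction"] == "Outbound" for e in events),
        "http_tail_like": sum(http_tail_like(e) for e in events),
        "distinct_remote_hosts": len({e["remote"] for e in events}),
        # alerts sharing one timestamp form one burst, e.g. one page pulling from several hosts
        "largest_burst": max(Counter(e["ts"] for e in events).values(), default=0),
    }
```

Run it over the full report to see what fraction of the alerts fit the web-session shape and how tightly they cluster in time; entries that do not fit are the ones worth a closer look.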

    Salmon Trout
    Re: Unwanted TCP FIN scans of Unknown Cause
    « Reply #1 on: October 26, 2012, 01:02:06 PM »
    You asked a very similar question to this on the Ubuntu forums on 5 May 2012.

    Do you use a Cloud service (data backups? cloud music player for android or the computer)? Maybe you've got a kindle that you've synced on this computer? Are you using Windows apps under Wine and/or a VM?

    151rby
      Re: Unwanted TCP FIN scans of Unknown Cause
      « Reply #2 on: October 26, 2012, 01:21:14 PM »
      You asked a very similar question to this on the Ubuntu forums on 5 May 2012.
      Yes. I never really figured it out, but it stopped happening; now I'm having a similar problem. Also, I included a lot of useless information in that question that made it a real pain to read (you may notice nobody on Ubuntu forums offered answers), and now I have asked it in a much more sensible and coherent fashion. However, the problem now is a bit different in that now my computer is also apparently doing outbound scans.

      Do you use a Cloud service (data backups? cloud music player for android or the computer)? Maybe you've got a kindle that you've synced on this computer? Are you using Windows apps under Wine and/or a VM?
      A couple of weeks ago, I used thinkfree.com and Microsoft Skydrive to make some edits to a .odt file that I needed to put into .doc format, because some of the formatting wouldn't save in .doc format when I used LibreOffice Writer. But I haven't used them at all since then, and these scans happened just yesterday. I have Wine installed and I have used it for a few Windows programs in the past, but I haven't recently. I don't have a Kindle and I'm not using a virtual machine.

      151rby
        Re: Unwanted TCP FIN scans of Unknown Cause
        « Reply #3 on: October 26, 2012, 04:42:03 PM »
        It just occurred to me that perhaps I should have put this thread in the "networking" category. Is there a way for me to move it?

        zeroburn
        Re: Unwanted TCP FIN scans of Unknown Cause
        « Reply #4 on: October 30, 2012, 09:43:54 PM »
        We shouldn't rule out that it could be the software on the computer. And for all we know, this should go under malware, and it is an interesting problem.

        I wish I knew more about this aspect, but I would not know why someone spoofing an IP address would only target you, and not a range of IPs on the network.

        Well, that's just my bad 2 cents.
        I consider myself a hacker. Not in the way of "I can break into your facebook", but in the way that I like to learn as much as I can about anything I can. I don't just like having things fixed, I like to understand why it was broken and why a particular solution fixed it. It is just how I am, and how I will always be. As teachers have said before, you can't learn if you don't figure it out in your own mind.