Port Scanning – Finding out IPs to look out for.
At EGS we monitor our clients' critical networks for cyber threats on a 24/7 basis. In this blog the EGS SOC security team presents one of the most common methods cyber attackers use to probe a network for vulnerabilities.
Many attackers use port scans to discover the open ports, and the services behind them, on the devices of a network. A port scan is a series of probe packets sent to a host to determine which of its ports are open, usually with the intention of breaking into the machine. It is much like a burglar going from door to door to see whether anyone is home before entering a house to steal.
Once the attacker has identified the open ports and the services listening on them, they move on to exploiting known vulnerabilities in those services.
The EGS SOC security team analyzed the alarm data collected over 14 days from several small to medium sized networks to identify Nmap scans carried out by cyber attackers.
“The most commonly used tool for network discovery and security auditing is the Network Mapper (Nmap), which is a free and open-source network scanner created by Gordon Lyon. Nmap is used both by security professionals for security auditing and by cyber attackers for reconnaissance of networks.”
Our team's analysis of the Nmap scan alerts reveals the following IPs as the most active.
Each IP address was checked using the following sources:
These sources confirmed that the above IPs have been reported as malicious. It is necessary to mention, however, that most of these IPs belong to Internet Service Providers' address space, so they may not be the actual IP address of the cyber attacker.
It is noted that the following intrusion-detection signature fired most often during this period. It is the name of the Emerging Threats rule that detected the scans, not a command typed by the attacker: it matches the bare TCP SYN probes of an Nmap SYN scan (nmap -sS), which carry a TCP window size of 1024.
ET SCAN NMAP -sS window 1024
In nearly 350 security events over a period of 14 days we saw the following ports being scanned continuously:
Port 80: http
Port 443: https
Port 8080: http-alt (web proxy)
Port 8081: Sun Proxy Admin Service
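As an added example (not part of the original EGS post), the following Python script shows how the analysis described above can be carried out over IDS alert lines: it parses Suricata/Snort fast.log records, keeps only those raised by the "ET SCAN NMAP -sS window 1024" signature, and reports the most active source IPs and the most scanned ports. It goes slightly beyond the text by also flagging any single source that probed several distinct ports, the classic port-sweep shape. The alert lines, timestamps, IP addresses (documentation ranges) and rule SIDs are constructed for illustration, and the sweep threshold is an assumed tuning value.

```python
"""Summarise Nmap SYN-scan alerts from Suricata/Snort fast.log lines.

Added example; the alert lines below are constructed, not EGS SOC data.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# One fast.log record per line:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...]
#   [Priority: n] {proto} src:sport -> dst:dport
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Name of the Emerging Threats rule the post reports; it matches Nmap SYN
# probes whose TCP window size is 1024.
SCAN_MSG = "ET SCAN NMAP -sS window 1024"

# Constructed sample log (documentation address ranges; SIDs are illustrative).
# The last line is a non-scan alert, included to show that it is filtered out.
SAMPLE_LOG = """\
02/01/2024-08:12:01.000001  [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:43210 -> 192.0.2.10:80
02/01/2024-08:12:01.000412  [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:43211 -> 192.0.2.10:443
02/01/2024-08:12:01.000913  [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:43212 -> 192.0.2.10:8080
02/01/2024-08:12:02.000207  [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:43213 -> 192.0.2.11:8081
02/03/2024-22:40:15.120000  [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.77:51000 -> 192.0.2.10:80
02/03/2024-22:40:15.130000  [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.77:51001 -> 192.0.2.10:443
02/09/2024-03:05:44.000000  [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:60222 -> 192.0.2.12:80
02/09/2024-03:06:01.000000  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:43300 -> 192.0.2.10:3306
"""


def parse_fast_log(text: str) -> List[Dict[str, str]]:
    """Parse fast.log text into alert dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def scan_alerts(alerts: List[Dict[str, str]], msg: str = SCAN_MSG) -> List[Dict[str, str]]:
    """Keep only alerts raised by the given signature name."""
    return [a for a in alerts if a["msg"] == msg]


def top_sources(alerts: List[Dict[str, str]], n: int = 5) -> List[Tuple[str, int]]:
    """Most active source IPs by alert count, highest first."""
    return Counter(a["src"] for a in alerts).most_common(n)


def top_ports(alerts: List[Dict[str, str]], n: int = 5) -> List[Tuple[int, int]]:
    """Most frequently targeted destination ports, highest first."""
    return Counter(int(a["dport"]) for a in alerts).most_common(n)


def scanners(alerts: List[Dict[str, str]], min_ports: int = 3) -> Dict[str, Set[int]]:
    """Sources that probed at least min_ports distinct destination ports.

    A single source sweeping several ports is the classic port-scan shape.
    The threshold is an assumed tuning value, not a figure from the post.
    """
    ports_by_src: Dict[str, Set[int]] = defaultdict(set)
    for a in alerts:
        ports_by_src[a["src"]].add(int(a["dport"]))
    return {src: ports for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    scans = scan_alerts(parse_fast_log(SAMPLE_LOG))
    print("scan alerts:", len(scans))
    print("top sources:", top_sources(scans))
    print("top ports:", top_ports(scans))
    for src, ports in scanners(scans).items():
        print(f"port sweep from {src}: {sorted(ports)}")
```

In practice the script would read a real fast.log (or the equivalent fields from eve.json) instead of the embedded sample, and the source IPs it surfaces are what the SOC then checks against reputation sources; as noted above, those addresses usually belong to ISP space and do not by themselves identify the attacker.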
Attackers try to detect the services listening on these ports and then take the next step of exploiting the vulnerabilities associated with those services.
With the current trends in cyber threats, even the indication of a simple port scan can give a security team the early warning it needs to prevent a major incident. Therefore, it is necessary to monitor network traffic continuously by establishing a Security Operations Center.
The SOC security team will discuss another critical security event in our next blog.