Portscan from server (Help! Portscan from Winroute server?!?!?)
  •  
hansvanvliet

Hi,

We installed Kerio Winroute, set it up, and it works great. Except every six minutes we keep getting "Alerts" saying: Port scan detected:

PORTSCAN firewall="Kerio Winroute Firewall" hostip="192.168.0.4" hostname="vpn" log="protocol: UDP, source: 192.168.0.4, destination: 192.168.0.104, 192.168.0.160, 192.168.0.170, 192.168.0.255, ..., ports: 138, 54415, 54416, 54417, 54418, 54419, 54420, 54421, 49829, 49834

The IP of the server's trusted network card is 192.168.0.4. Seems like the port scan comes from the server! We checked for adware & viruses, but it's clean. It scans internal IPs on really high ports; there's no additional software installed, and we use Windows 2003 Standard R2.

Before purchasing Kerio Winroute for our businesses, we need this figured out. Does someone know what's happening?

Thanks for your help,

Hans
IT Manager in The Netherlands
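An added example (not from the original post or from Kerio) for triaging the alert quoted above: it parses the PORTSCAN line and reports whether the source is the firewall's own address, whether every listed target is internal, and whether the traffic includes UDP 138 (the NetBIOS datagram service) sent to the subnet broadcast address. The function names and the /24 netmask are assumptions.

```python
import ipaddress
import re

# Alert line as quoted in the post above (the original is cut off after the port list).
ALERT = ('PORTSCAN firewall="Kerio Winroute Firewall" hostip="192.168.0.4" hostname="vpn" '
         'log="protocol: UDP, source: 192.168.0.4, destination: 192.168.0.104, 192.168.0.160, '
         '192.168.0.170, 192.168.0.255, ..., ports: 138, 54415, 54416, 54417, 54418, 54419, '
         '54420, 54421, 49829, 49834')

def parse_alert(line):
    """Split a PORTSCAN alert into its key="value" fields and the parts of log=."""
    # The closing quote is optional because the quoted alert is truncated.
    fields = dict(re.findall(r'(\w+)="([^"]*)"?', line))
    log = fields.get("log", "")
    out = {"hostip": fields.get("hostip"), "hostname": fields.get("hostname")}
    m = re.search(r"protocol:\s*(\w+)", log)
    out["protocol"] = m.group(1) if m else None
    m = re.search(r"source:\s*([\d.]+)", log)
    out["source"] = m.group(1) if m else None
    m = re.search(r"destination:\s*(.*?),\s*ports:", log)
    dests = [d.strip() for d in m.group(1).split(",")] if m else []
    out["truncated"] = "..." in dests          # the firewall elided further targets
    out["destinations"] = [d for d in dests if d != "..."]
    m = re.search(r"ports:\s*([\d,\s]+)", log)
    out["ports"] = [int(p) for p in m.group(1).split(",") if p.strip()] if m else []
    return out

def triage(alert, prefix=24):
    """Summarise facts that help decide whether the alert is the firewall's own traffic."""
    # Assumption: the LAN is a /24; the post gives no netmask.
    net = ipaddress.ip_network(f"{alert['source']}/{prefix}", strict=False)
    dests = [ipaddress.ip_address(d) for d in alert["destinations"]]
    ports = sorted(alert["ports"])
    run = best = 1
    for a, b in zip(ports, ports[1:]):         # longest run of consecutive port numbers
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return {
        "self_sourced": alert["source"] == alert["hostip"],
        "all_internal": all(d in net for d in dests),
        "hits_broadcast": net.broadcast_address in dests,
        "netbios_datagram": alert["protocol"] == "UDP" and 138 in ports,
        "longest_port_run": best,
    }

if __name__ == "__main__":
    print(triage(parse_alert(ALERT)))
```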
  •  
winkelman

I have this happening as well (although not that frequently): portscans reported to be originating from the server itself.

I have no clue what causes this. A theory I have is someone on the Internet is portscanning while spoofing his IP address with the targeted system's address. Thus the scanning would seem to be done by the system itself. Obviously, when spoofing the sender IP address, the 'attacker' never gets any data sent back to him. Perhaps he's using packets that by themselves would cause a vulnerable system to become compromised, so he doesn't need any data back (initially)?
  •  
bintangtujuh

Same here... I noticed that if I'm using user quota, this thing always happens... Maybe you could try to turn it off... For me, I don't mind about it.
  •  
roccacordera

I started to test Kerio Winroute last week, in a new firm. I experienced the same behaviour noted in the above messages, but with bad consequences:
For about 30 minutes to 1 hour after turning on the server, it is impossible to access any external POP3 services (however HTTP, SMTP etc. seem to work OK, and also the internal mail server works).
And for each unsuccessful POP3 attempt, I see in the security log a corresponding (and I think nonexistent) portscan entry originating from the server itself.

As I said, after about 1h the situation corrects itself, and we are able to access external mailboxes again for the rest of the day.

Any idea about the possible cause of this problem? (User quota is not active and I'm positive it's not an external "attack")