My Email is scanning a closed port - Causing IP address to be blocked


6 replies to this topic

#1 PepperP


Posted 13 January 2015 - 12:38 PM

Hello all! I hope I chose the right spot to post this issue (as it is to do with my email as well as the firewall). The problem is that my website host is automatically blocking my IP address because (they told me) an old defunct imap email is continually scanning a closed port. This is causing my hosting company to block my IP address and I cannot use my email or access my website.

 

So I know what the problem is, but I do not know how to fix it...can anyone guide me or offer suggestions about how to locate whatever email is scanning a closed port? (I went into my email and deleted old accounts). Not sure how to locate the source and then how to stop it from continuing to scan.

 

Thank you so very much in advance to anyone who can help me out! (I would describe myself as a savvy computer user when things are working, but a newbie when technical issues arise...) :)

 

PepperP




 


#2 Didier Stevens


Posted 15 January 2015 - 04:49 AM

You can use TCPView from Microsoft Sysinternals. It will show you the network connections and the processes that own them.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 PepperP


Posted 19 January 2015 - 04:21 PM

Thank you Didier. I am on a Mac and TCPView looks like it only runs on Windows (?). Any similar recommendations that I could use on a Mac (preferably free)?

 

Thanks!



#4 Didier Stevens


Posted 19 January 2015 - 04:56 PM

Maybe there is a GUI equivalent for OSX, but I'm not familiar with it. But in terminal, you can use the netstat command.




#5 PepperP


Posted 19 January 2015 - 05:09 PM

Again, thanks. I tried the netstat command and got a lot of information...but I do not know how to read it. I see a lot of characters, but nothing that looks like a port number (3 digits, right?)

 

Also, we have not done anything special as far as setting up our router or modem (so are thinking they are not responsible for the port scanning). My website host can tell me which port is being scanned and said it looks like a defunct imap account. Does this mean that the problem would be originating from one of my devices? (iPhone, iPad, desktop...) Does this netstat command only tell me what my iMac is doing?



#6 Didier Stevens


Posted 20 January 2015 - 01:18 PM

If you use option -n, name resolution is disabled: no names but IP addresses and port numbers.

 

Yes, it could also be a mobile device.


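Reading the `netstat -n` output discussed in the replies above, as an added example that is not part of the original posts: the script below reduces netstat rows to the TCP connections whose remote port matches a given number. The sample rows, the addresses and port 143 (the standard IMAP port, standing in for whichever port the hosting company reports) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find which connections on this
# machine go to one remote port, using `netstat -n` style output.

# Constructed sample of macOS `netstat -n -p tcp` output.
# Addresses are documentation ranges, not real hosts.
sample_netstat() {
cat <<'EOF'
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.20.52311     203.0.113.10.143       SYN_SENT
tcp4       0      0  192.168.1.20.52290     198.51.100.7.443       ESTABLISHED
tcp4       0      0  192.168.1.20.52312     203.0.113.10.993       ESTABLISHED
tcp4       0      0  192.168.1.20.52313     203.0.113.10.143       SYN_SENT
tcp6       0      0  fe80::1%lo0.8021       *.*                    LISTEN
EOF
}

# conns_to_port PORT
# Reads netstat -n output on stdin and prints "remote_ip remote_port state"
# for every TCP row whose foreign (remote) port equals PORT.
conns_to_port() {
    awk -v want="$1" '
        $1 ~ /^tcp/ && NF >= 6 {
            addr = $5                      # Foreign Address column
            # macOS/BSD prints addr.port, Linux prints addr:port.
            # The port is the digits after the last "." or ":".
            if (match(addr, /[.:][0-9]+$/)) {
                host = substr(addr, 1, RSTART - 1)
                port = substr(addr, RSTART + 1)
                if (port == want) print host, port, $6
            }
        }'
}

# Demo on the constructed sample. On a live Mac the input would instead be:
#   netstat -n -p tcp | conns_to_port 143
# A refused connection attempt disappears quickly, so the live command may
# need repeating. `lsof -nP -iTCP:143` names the process that owns a match.
sample_netstat | conns_to_port 143
```

netstat only reports on the machine it runs on, so an empty result on the desktop leaves the phone and tablet still to be checked.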


#7 Didier Stevens


Posted 20 January 2015 - 02:19 PM

I was thinking of another option: you block the access to this server & port on your router, if it supports that. For example with an ACL.


Edited by Didier Stevens, 20 January 2015 - 02:19 PM.
