Pegasus Mail & Mercury

intrusion attempt from community.pmail.com

Last post 09-10-2008, 17:24 by Peter Strömblad. 9 replies.
  •  09-06-2008, 2:07

    intrusion attempt from community.pmail.com

    uhhh .... somebody please explain to me what this means?

    NMap Xmas Scan intrusion attempt from community.pmail.com (62.20.118.83)


     I have a screenshot.

  •  09-07-2008, 9:06


    Re: intrusion attempt from community.pmail.com

    It means a paranoid so-called 'firewall' (presumably NIS) has detected something it takes for an 'Xmas' port scan. Port scan techniques such as the 'Xmas' scan are used to avoid detection by firewalls, but even if such a scan might be the first sign of an attack, it is no 'intrusion attempt' by itself (and is done all day long by script kids all over the world). Technically speaking, it is just a connection attempt to some port of your machine with the FIN, URG and PUSH TCP flags set, and dumb applications like NIS or ZA report this as an intrusion attempt, as they live from showing the user obscure alarms because then it looks as if they do something :)

    Best regards

    Nico

  •  09-07-2008, 19:30

    Re: intrusion attempt from community.pmail.com

    It is an intrusion attempt considering that it is an uninvited scan for an open port on my computer. I don't care how paranoid a firewall is as long as it stops this kind of behaviour.

    I'd rather not have a firewall, just like I'd rather not have curtains on my windows or wear a bra for that matter; unfortunately big business has other ideas. As long as there is money to be made there will be no end to any of this. Security/privacy protection is probably the biggest scam of our civilization - it's all public relations.

    The real question in this instance is community.pmail.com's involvement? What reason could this site possibly have for a port scan? And what would happen if it finds an open port?

  •  09-07-2008, 22:35


    Re: intrusion attempt from community.pmail.com

    Cassiopeia:

    It is an intrusion attempt considering that it is an uninvited scan for an open port on my computer. I don't care how paranoid a firewall is as long as it stops this kind of behaviour.

    Well no, it is not. An intrusion attempt is what the name implies, an attempt to intrude into your computer, whereas your IP is absolutely public and can be looked at by anyone for whatever reason. Also, such a firewall wouldn't stop a real attack at all. In case it was a port scan (which I doubt), it would be the same as if you put a plate in each window of your house with 'this is no window, go ahead' and hoped it would stop a burglar, because a real attacker would know as well that your IP exists. Even worse, some desktop firewalls block an IP for xx minutes for a single connection attempt (a port scan is never a single connection attempt) which they find suspicious, and this could as well be used for a denial of service attack against the user. For example, someone could spoof his IP and pretend he is google, yahoo or community.pmail.com, and the firewall would block all access to the spoofed IP for xx minutes.

    Cassiopeia:

    I'd rather not have a firewall, just like I'd rather not have curtains on my windows or wear a bra for that matter; unfortunately big business has other ideas. As long as there is money to be made there will be no end to any of this. Security/privacy protection is probably the biggest scam of our civilization - it's all public relations.

    You misunderstood, a firewall is a good thing to have, at least for desktop computers which are connected directly to the internet (without a router in between), but serious firewalls don't nag users with dubious colorful alerts about intrusion attempts when there was in fact none, while some others - e.g. the mentioned one with the yellow interface - lure the user into a sense of safety by making him believe that they block all kinds of 'attacks' while failing completely at real attacks. See for example http://www.matousec.com/projects/firewall-challenge/results.php for a realistic comparison of desktop firewalls and where the big yellow one stands.

    Cassiopeia:

    The real question in this instance is community.pmail.com's involvement? What reason could this site possibly have for a port scan? And what would happen if it finds an open port?

    Sorry, I wasn't clear enough about this. There was most probably no port scan from community.pmail.com; it was most certainly a false alarm, therefore I've used the term 'paranoid'. If you do a google search for that alert message you will find a lot of other people asking in forums what it means, and they all get the same answer.

    Best regards

    Nico

  •  09-09-2008, 10:51

    Re: intrusion attempt from community.pmail.com

    Cassiopeia:
    The real question in this instance is community.pmail.com's involvement? What reason could this site possibly have for a port scan? And what would happen if it finds an open port?

    There *should* not be any scripts running on the site that do any form of port scan back to the reader or poster. Could you send me the screenshot so I can determine if this is related to a certain post?


    Kind regards / Peter
  •  09-09-2008, 15:48

    Re: intrusion attempt from community.pmail.com

    Thanks Peter,

    what's the best way to send you the screenshot? I would have posted it, but I can't do that in this forum.

  •  09-09-2008, 16:37

    Re: intrusion attempt from community.pmail.com

    tBB:

    Sorry, I wasn't clear enough about this. There was most probably no port scan from community.pmail.com; it was most certainly a false alarm, therefore I've used the term 'paranoid'. If you do a google search for that alert message you will find a lot of other people asking in forums what it means, and they all get the same answer.

    If this was a 'false alarm', then I will still feel better for having asked the question. Simply saying 'it is most likely a false alarm, ignore such messages' is not very helpful for the general internet population. That is not to say your posts were not helpful to me. ;)

    tBB:

    You misunderstood, a firewall is a good thing to have, at least for desktop computers which are connected directly to the internet (without a router in between)


    No, I did not misunderstand. Of course it is a good thing to have, just like car insurance or health insurance. But I'd rather not live in a world where I constantly have to be prepared for the worst possible denominator. In this instance, what exactly is driving the advancement of new security and protection software? Is it the widely publicized infections and DOS's? The false blanket of security? Or the dread of being a stupid idiot for NOT having any protection - public relations 101.

  •  09-09-2008, 16:53

    Re: intrusion attempt from community.pmail.com

    When it comes to the Internet, nothing is absolutely fool-proof. Before taking on this platform, I did extensive research among colleagues regarding security, maintainability etc. Nearly all that were using anything but Community Server (CS) recommended going with CS. That said, nothing where you can submit text that is then rendered to the public can by default be 100% safe. I don't believe that server scripting is possible here, meaning that the IIS engine would start behaving like you describe. Therefore I take it very seriously whenever any issues arise, and this is the first time. So it will be interesting to see your screenshot.

    Just as a side note: We use NOD32 on all servers, and Cisco ASA5505 firewalls combined with Microsoft Firewall on all servers. Every server here has been locked down, and vital services are split across multiple servers, as well as separated from one another. Servers are even at different physical locations. All servers are constantly patched. Servers that contain freeware and open source solutions all reside in their own environments - this since open source/freeware solutions require more manual attention. The same applies to MySQL solutions, Filemaker and SQL-Server solutions.

    But there are of course scenarios where things can go wrong - heaven forbid - therefore all user data is put on tape every night.

    As someone put: If it was easy, everyone would be doing it.


    Kind regards / Peter
  •  09-10-2008, 13:46


    Re: intrusion attempt from community.pmail.com

    Cassiopeia:


    If this was a 'false alarm', then I will still feel better for having asked the question. Simply saying 'it is most likely a false alarm, ignore such messages' is not very helpful for the general internet population. That is not to say your posts were not helpful to me. ;)



    You are right, the funny thing here is just that 'Xmas' type port scans (as well as 'FIN' and 'NULL' type scans) simply don't work against Windows systems, meaning the response which someone gets when he uses such a type of port scan against a Win32 system would be exactly the same without any firewall on the target system - hence IMO it makes no sense at all to alert the user about it, even less when there was just a single packet which happened to have some flags set. Besides, as I've mentioned, this seems to be a very well-known false alarm of NIS.

    Best regards,

    Nico


  •  09-10-2008, 17:24

    Re: intrusion attempt from community.pmail.com

    After reading up a bit on this issue, investigating all threads and posts for any form of scripting, and searching our entire system, we've come up blank.

    So I'll go with the explanation that this was a coincidental flag setting, either on the receiving end or a one-time-only incident on our end.

    The name xmas comes from different flags (i.e. the FIN, PSH, and URG flags) being set on an individual TCP packet, indicating it was lit up like a Christmas tree.

    Some routers, WAN gateways and soft firewalls of consumer brands falsely report the setting of this combination as a port scan. The screenshot itself (that I received off-line) also indicates this, as a port scan of port 80. The definition of a port scan is to scan more than just one port. No corporate IDS that I have found reports the setting of these flags as an intrusion.


    Kind regards / Peter
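As an added illustration (not code from this thread or from the Pegasus Mail project), the following classifier applies the two points the thread settles on: a FIN+PSH+URG packet is merely "xmas-flagged", and a scan alert is justified only when one source has probed several distinct ports. The packet records, the documentation-range addresses and the threshold of five ports are all constructed assumptions.

```python
# Added example, not code from the thread or the Pegasus Mail project: classify
# TCP flag combinations as an IDS would, then raise a scan alert only when one
# source has probed several distinct ports. All packet records are constructed.
from collections import defaultdict
from dataclasses import dataclass

# TCP header flag bits (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst_port: int   # destination port on the monitored host
    flags: int      # bitmask built from the constants above

def classify_flags(flags: int) -> str:
    """Name the probe type a flag combination matches, or 'normal'."""
    if flags == 0:
        return "null"                     # no flags at all
    if flags == FIN | PSH | URG:
        return "xmas"                     # 'lit up like a Christmas tree'
    if flags == FIN:
        return "fin"
    if flags & SYN and not flags & ACK:
        return "syn"                      # ordinary connection attempt
    return "normal"

def scan_alerts(packets, min_ports=5):
    """Return {src: (probe_type, distinct_ports)} only for sources whose
    oddly flagged packets hit at least min_ports different ports.
    The threshold of 5 is an assumed tuning value, not an IDS standard."""
    seen = defaultdict(lambda: defaultdict(set))
    for p in packets:
        kind = classify_flags(p.flags)
        if kind in ("xmas", "fin", "null"):
            seen[p.src][kind].add(p.dst_port)
    return {src: (kind, len(ports))
            for src, kinds in seen.items()
            for kind, ports in kinds.items()
            if len(ports) >= min_ports}

# Constructed sample (documentation addresses): one stray xmas-flagged packet
# to port 80, like the thread's screenshot, plus a real sweep of six ports.
SAMPLE = [Packet("192.0.2.10", 80, FIN | PSH | URG)] + [
    Packet("198.51.100.7", port, FIN | PSH | URG)
    for port in (21, 22, 25, 80, 110, 143)]

if __name__ == "__main__":
    print(scan_alerts(SAMPLE))  # the sweep is reported, the single packet is not
```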