Author Topic: Port Scanning  (Read 10477 times)

0 Members and 1 Guest are viewing this topic.

Offline Johnny4745

  • Sr. Member
  • ****
  • Posts: 271
Port Scanning
« on: May 21, 2013, 12:22:06 AM »
Akamai Technology is scanning the ports on my computer.  Doesn't Avast use this company for some purpose?

I would like to know why this is happening.

I can't show the whole log, but this is still going on.

Attachment below:
Compaq-Presario-AMD Athlon, 2700 Mhz-2GB RAM-1 Core-Windows 7 HP SP1 32 bit-Avast IS 8.0.1489
Windows Firewall on, Avast Firewall on, Router Firewall on.  Firefox-NoScript-Better Privacy extensions.

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11095
  • No support PM's thanks
Re: Port Scanning
« Reply #1 on: May 21, 2013, 06:04:40 AM »
No avast does not use Akamai, do you happen to have an Asus computer ? the reason I ask is because Akamai provide a download manager for driver updates from the Asus website.

If your not running an Asus system then maybe you have a download manager of some other company that uses there technology, you can Google Akamai to fine more information.

Offline Johnny4745

  • Sr. Member
  • ****
  • Posts: 271
Re: Port Scanning
« Reply #2 on: May 21, 2013, 01:58:36 PM »
No avast does not use Akamai, do you happen to have an Asus computer ? the reason I ask is because Akamai provide a download manager for driver updates from the Asus website.

If your not running an Asus system then maybe you have a download manager of some other company that uses there technology, you can Google Akamai to fine more information.

Akamai is a huge company with over 250,000 servers.  It provides downloading and update services for Microsoft, Mozilla, Adobe, and many more companies.

In Avast Network Connections it is allowed a connection to the programs it updates on the normal service ports.  So why is it scanning client ports?

Could this be the reason?

What is the Akamai NetSession Interface?

The Akamai NetSession Interface is a secure application that may be installed on your computer to improve the speed, reliability, and efficiency for downloads and streams from the Internet. It is used by many software and media publishers to deliver files or streams to you.

If the software or media publisher uses the feature and if you enable it, NetSession can also use a small amount of your upload bandwidth to enable other users of the NetSession Interface to download pieces of the publisher's content from your computer.

http://www.akamai.com/html/solutions/client_faq.html

I don't have Net Session on my computer, or if I do, I can't find it.

I will bet that millions of other users do have it installed, and probably don't know Akamai is using their computers for storage, and downloading to other computers.  It does this during idle time on the computer, so maybe that is why people are reporting high CPU usage during idle time.
Compaq-Presario-AMD Athlon, 2700 Mhz-2GB RAM-1 Core-Windows 7 HP SP1 32 bit-Avast IS 8.0.1489
Windows Firewall on, Avast Firewall on, Router Firewall on.  Firefox-NoScript-Better Privacy extensions.

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11095
  • No support PM's thanks
Re: Port Scanning
« Reply #3 on: May 21, 2013, 02:39:37 PM »
If you have the Akamai NetSession Interface ( which is a download manager ) it'll be shown in your installed programs - Programs And Features.

Offline Johnny4745

  • Sr. Member
  • ****
  • Posts: 271
Re: Port Scanning
« Reply #4 on: May 21, 2013, 02:52:42 PM »
If you have the Akamai NetSession Interface ( which is a download manager ) it'll be shown in your installed programs - Programs And Features.

I don't have Akmai Net Session, but I don't think that matters, because Adobe, Microsoft, and Mozilla use it for downloading and updating.  This can be seen in Network Connections in Avast.  Akamai is allowed a connection for both Microsoft and Mozilla.  I have Adobe blocked, but if I enabled it, a connection for Akamai would also show up there.

I'm going to turn off all automatic and streaming updates, and see it there is a drop in the numbers of hits on the firewall by Akamai.
Compaq-Presario-AMD Athlon, 2700 Mhz-2GB RAM-1 Core-Windows 7 HP SP1 32 bit-Avast IS 8.0.1489
Windows Firewall on, Avast Firewall on, Router Firewall on.  Firefox-NoScript-Better Privacy extensions.

Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33111
  • malware fighter
Re: Port Scanning
« Reply #5 on: May 21, 2013, 03:11:30 PM »
Paste the following into your HOSTS file in \Windows\System32\Drivers\etc

127.0.0.1 akamaitechnologies*
127.0.0.1 msgr.dlservice.microsoft.com
127.0.0.1 a209-247-153-150.deploy.akamaitechnologies.com
127.0.0.1 akamaitechnologies.com
127.0.0.1 a388.g.akamai.net
127.0.0.1 a917.g.akamai.net
127.0.0.1 a4.g.akamai.net
127.0.0.1 yd.akamai.com #A (Address) 63.215.198.103
127.0.0.1 ye.akamai.com #A (Address) 12.47.217.26
127.0.0.1 yf.akamai.com #A (Address) 216.32.118.14
127.0.0.1 yb.akamai.com #A (Address) 216.32.118.104
127.0.0.1 yc.akamai.com #A (Address) 209.246.46.48
127.0.0.1 yg.akamai.com #A (Address) 63.215.198.86
127.0.0.1 yh.akamai.com #A (Address) 63.146.179.79
127.0.0.1 access.akamai.com #A (Address) 80.67.70.18
127.0.0.1 mx1.akamai.com #A (Address) 80.67.70.12
127.0.0.1 mx2.akamai.com #A (Address) 80.67.70.14
127.0.0.1 mx3.akamai.com #A (Address) 63.116.109.19
127.0.0.1 EUR1.AKAM.NET #A (Address) 212.187.244.35
127.0.0.1 EUR2.AKAM.NET #A (Address) 212.187.169.152
127.0.0.1 NS1-137.AKAM.NET #A (Address) 193.108.91.137
127.0.0.1 NS1-2.AKAM.NET #A (Address) 193.108.91.2
127.0.0.1 NS1-3.AKAM.NET #A (Address) 193.108.91.3
127.0.0.1 NS1-42.AKAM.NET #A (Address) 193.108.91.42
127.0.0.1 USE1.AKAM.NET #A (Address) 65.163.234.133
127.0.0.1 USE3.AKAM.NET #A (Address) 64.14.76.206

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Johnny4745

  • Sr. Member
  • ****
  • Posts: 271
Re: Port Scanning
« Reply #6 on: May 21, 2013, 03:14:20 PM »
Paste the following into your HOSTS file in \Windows\System32\Drivers\etc

127.0.0.1 akamaitechnologies*
127.0.0.1 msgr.dlservice.microsoft.com
127.0.0.1 a209-247-153-150.deploy.akamaitechnologies.com
127.0.0.1 akamaitechnologies.com
127.0.0.1 a388.g.akamai.net
127.0.0.1 a917.g.akamai.net
127.0.0.1 a4.g.akamai.net
127.0.0.1 yd.akamai.com #A (Address) 63.215.198.103
127.0.0.1 ye.akamai.com #A (Address) 12.47.217.26
127.0.0.1 yf.akamai.com #A (Address) 216.32.118.14
127.0.0.1 yb.akamai.com #A (Address) 216.32.118.104
127.0.0.1 yc.akamai.com #A (Address) 209.246.46.48
127.0.0.1 yg.akamai.com #A (Address) 63.215.198.86
127.0.0.1 yh.akamai.com #A (Address) 63.146.179.79
127.0.0.1 access.akamai.com #A (Address) 80.67.70.18
127.0.0.1 mx1.akamai.com #A (Address) 80.67.70.12
127.0.0.1 mx2.akamai.com #A (Address) 80.67.70.14
127.0.0.1 mx3.akamai.com #A (Address) 63.116.109.19
127.0.0.1 EUR1.AKAM.NET #A (Address) 212.187.244.35
127.0.0.1 EUR2.AKAM.NET #A (Address) 212.187.169.152
127.0.0.1 NS1-137.AKAM.NET #A (Address) 193.108.91.137
127.0.0.1 NS1-2.AKAM.NET #A (Address) 193.108.91.2
127.0.0.1 NS1-3.AKAM.NET #A (Address) 193.108.91.3
127.0.0.1 NS1-42.AKAM.NET #A (Address) 193.108.91.42
127.0.0.1 USE1.AKAM.NET #A (Address) 65.163.234.133
127.0.0.1 USE3.AKAM.NET #A (Address) 64.14.76.206

polonus

Thank you I will do that, but first I want to see what happens when I turn of all automatic, and streaming updates.
Compaq-Presario-AMD Athlon, 2700 Mhz-2GB RAM-1 Core-Windows 7 HP SP1 32 bit-Avast IS 8.0.1489
Windows Firewall on, Avast Firewall on, Router Firewall on.  Firefox-NoScript-Better Privacy extensions.

Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33111
  • malware fighter
Re: Port Scanning
« Reply #7 on: May 21, 2013, 03:24:47 PM »
The akamai excuse in the past was (2000);
Quote
Akamai said it does not scan end-user ports but that a glitch involving common personal firewall software and the latest version of the basic Internet transport protocol, HTTP 1.1, is causing false alarms that make it seem as if Akamai is sniffing around networked computers.

Yep, you are right. I also have a constant connection to akamai's running and constantly have this in my logs: a23-66-254-13.deploy.akamaitechnologies.com 23.66.254.13 via port 80

Sitevet results for the Akamai AS:

AS Name: AKAMAI-ASN1 Akamai International B.V.

IPs allocated: 1045376

Blacklisted URLs: 1486

Hosts...

...malicious URLs? Yes

...badware? Yes

...botnet C&C servers? No

...exploit servers? No

...Zeus botnet servers? No

...Current Events? Yes

...phishing servers? No

...spam servers? No

...spam bots? No

...spam activity? No


polonus
« Last Edit: May 21, 2013, 03:31:17 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Johnny4745

  • Sr. Member
  • ****
  • Posts: 271
Re: Port Scanning
« Reply #8 on: May 21, 2013, 03:43:35 PM »
The akamai excuse in the past was (2000);
Quote
Akamai said it does not scan end-user ports but that a glitch involving common personal firewall software and the latest version of the basic Internet transport protocol, HTTP 1.1, is causing false alarms that make it seem as if Akamai is sniffing around networked computers.

Yep, you are right. I also have a constant connection to akamai's running and constantly have this in my logs: a23-66-254-13.deploy.akamaitechnologies.com 23.66.254.13 via port 80

Sitevet results for the Akamai AS:

AS Name: AKAMAI-ASN1 Akamai International B.V.

IPs allocated: 1045376

Blacklisted URLs: 1486

Hosts...

...malicious URLs? Yes

...badware? Yes


polonus

That is a lot of IP address for one company.
Compaq-Presario-AMD Athlon, 2700 Mhz-2GB RAM-1 Core-Windows 7 HP SP1 32 bit-Avast IS 8.0.1489
Windows Firewall on, Avast Firewall on, Router Firewall on.  Firefox-NoScript-Better Privacy extensions.

Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33111
  • malware fighter
Re: Port Scanning
« Reply #9 on: May 21, 2013, 04:30:46 PM »
Not too many addresses for a large content forwarding company, apparently also sitting on a lot of data...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline lukor

  • Avast team
  • Super Poster
  • *
  • Posts: 1879
    • AVAST Software
Re: Port Scanning
« Reply #10 on: May 21, 2013, 08:54:46 PM »
In the log there are entries with "out" in the direction column. What this means is that these aren't incoming connections (these would have "in" there)  and therefore it couldn't ever be a port scan.

Cheers, Lukáš.

Offline Johnny4745

  • Sr. Member
  • ****
  • Posts: 271
Re: Port Scanning
« Reply #11 on: May 21, 2013, 09:23:40 PM »
In the log there are entries with "out" in the direction column. What this means is that these aren't incoming connections (these would have "in" there)  and therefore it couldn't ever be a port scan.

Cheers, Lukáš.

I know the direction is out.  Obviously the firewall is blocking it.

I can't understand why this is happening, because Avast allows Akamai to establish connections in Network Connections.

What I'm worried about is that Akamai is using my computer for storage and downloads to other computers, and I can't do anything about it.  I can't even tell Avast to block the connection, because the IP address is constantly changing.
Compaq-Presario-AMD Athlon, 2700 Mhz-2GB RAM-1 Core-Windows 7 HP SP1 32 bit-Avast IS 8.0.1489
Windows Firewall on, Avast Firewall on, Router Firewall on.  Firefox-NoScript-Better Privacy extensions.

Offline lukor

  • Avast team
  • Super Poster
  • *
  • Posts: 1879
    • AVAST Software
Re: Port Scanning
« Reply #12 on: May 21, 2013, 09:53:02 PM »
Johnny, what you see are packets that are part of the outgoing connections from you computer to Akamai. Most probably these are packets belonging to connections that have just been terminated. Avast FW shouldn't in fact be reporting these, those might be retransmited packets or RST packets that would normally be part of the traffic (or happen after the traffic was terminated). I guess we are incorrectly reporting these here (and possibly also incorrectly block them) when in fact the FW should for some short period of time (just after the connection has been terminated) allow these packets to go through - since they are regular part of the TCP traffic, albeit ending one. In our internal builds, this behavior has already been improved.


Your fear about Akamai using your PC as a backup host is completely false. They don't do this. Akamai is well respected content delivery network (one of the largest in the world), used by large companies (such as Microsoft - as mentioned before) and secondly, these are really outgoing connections, so they were initiated by your computer and not the other way around.


Blocking Akamai, as suggested by polunus, unless you have strong reasons to do so, might disrupt all kinds of things during your regular PC usage (starting from Windows update, going via various software updates - adobe reader, flash, etc. and ending with various web sites). Even Avast, I guess, might host some (static) web content on Akamai servers - they have many servers all around the world, so that you can always connect to the one closest and fastest to you - that's what this service is about.


To sum up: most probably these are regular packets that should not be reported in this log. We are trying to figure what these cases are and fix them for the upcoming builds. Sorry.


Lukas.


Offline Johnny4745

  • Sr. Member
  • ****
  • Posts: 271
Re: Port Scanning
« Reply #13 on: May 21, 2013, 10:58:43 PM »
Johnny, what you see are packets that are part of the outgoing connections from you computer to Akamai. Most probably these are packets belonging to connections that have just been terminated. Avast FW shouldn't in fact be reporting these, those might be retransmited packets or RST packets that would normally be part of the traffic (or happen after the traffic was terminated). I guess we are incorrectly reporting these here (and possibly also incorrectly block them) when in fact the FW should for some short period of time (just after the connection has been terminated) allow these packets to go through - since they are regular part of the TCP traffic, albeit ending one. In our internal builds, this behavior has already been improved.


Your fear about Akamai using your PC as a backup host is completely false. They don't do this. Akamai is well respected content delivery network (one of the largest in the world), used by large companies (such as Microsoft - as mentioned before) and secondly, these are really outgoing connections, so they were initiated by your computer and not the other way around.


Blocking Akamai, as suggested by polunus, unless you have strong reasons to do so, might disrupt all kinds of things during your regular PC usage (starting from Windows update, going via various software updates - adobe reader, flash, etc. and ending with various web sites). Even Avast, I guess, might host some (static) web content on Akamai servers - they have many servers all around the world, so that you can always connect to the one closest and fastest to you - that's what this service is about.


To sum up: most probably these are regular packets that should not be reported in this log. We are trying to figure what these cases are and fix them for the upcoming builds. Sorry.


Lukas.

Thank you for the explanation.  I'm sure Akamai is a well respected company, but after rereading the FAQs on Akamai's website, I see that it's their clients that can use a person's computer for storage, and downloading files to other computers.

Akamai says this feature has to be enabled, but from the Yahoo searches I have done, there are many people that have Net Session on their computers and don't know it, and don't know it's enabled.



What is the Akamai NetSession Interface?

The Akamai NetSession Interface is a secure application that may be installed on your computer to improve the speed, reliability, and efficiency for downloads and streams from the Internet. It is used by many software and media publishers to deliver files or streams to you.

If the software or media publisher uses the feature and if you enable it, NetSession can also use a small amount of your upload bandwidth to enable other users of the NetSession Interface to download pieces of the publisher's content from your computer.

http://www.akamai.com/html/solutions/client_faq.html
Compaq-Presario-AMD Athlon, 2700 Mhz-2GB RAM-1 Core-Windows 7 HP SP1 32 bit-Avast IS 8.0.1489
Windows Firewall on, Avast Firewall on, Router Firewall on.  Firefox-NoScript-Better Privacy extensions.

Offline AtlBo

  • Newbie
  • *
  • Posts: 19
Re: Port Scanning
« Reply #14 on: May 10, 2014, 12:15:03 AM »
Your fear about Akamai using your PC as a backup host is completely false. They don't do this. Akamai is well respected content delivery network (one of the largest in the world), used by large companies (such as Microsoft - as mentioned before) and secondly, these are really outgoing connections, so they were initiated by your computer and not the other way around.


Blocking Akamai, as suggested by polunus, unless you have strong reasons to do so, might disrupt all kinds of things during your regular PC usage (starting from Windows update, going via various software updates - adobe reader, flash, etc. and ending with various web sites). Even Avast, I guess, might host some (static) web content on Akamai servers - they have many servers all around the world, so that you can always connect to the one closest and fastest to you - that's what this service is about.


To sum up: most probably these are regular packets that should not be reported in this log. We are trying to figure what these cases are and fix them for the upcoming builds. Sorry.

Revisiting this today, because something tried to connect to the internet from my computer to an Akamai server in the name of a batch file I have created.  This batch file starts another batch file, which in turn performs an edit.  The batch files have nothing whatsoever to do with the internet, and I blocked the attempt with my firewall.  Strangest, the connection was a System connection, which means whatever did this was using a system process whose connection is vital.

I am not so sure about this statement quoted above.  Just because they do business with Microsoft or anyone else doesn't mean there can't be something strange going at Akamai

Big companies and especially security companies that are net dependent need to get out from behind these data management services, so that users can easily identify what is happening at any time with their internet connection and with their private and personal information.  We also need much better montoring software, so that we can monitor what is being uploaded off of our systems.

For anyone interested, the initial post in this thread is interesting:

http://forum.avast.com/index.php?topic=112353.0

This might be an old topic, but obviously it's not a dead one...