LIden Servers port scanning

[Sidney Dionysus]

Ok.  I've been trying to determin why I"m making a mistake here, but I don't think I am.  My comptuer is being port scanned by Linden labs.  Why is this happening?  It only happens while I'm on line with my toon, never any other time.  I'm 90% this is not melicious, but...  I can't think of any GOOD reason to for anyone to be poking at my firewall.

 

Can anyone tell me why this might be happening?  It's annoying and concerning.

[Innula Zenovka]

This, from the LL Privacy Policy, might explain it:

---

If you install or use Second Life software, we collect and aggregate a variety of data to monitor system and simulation performance, and to verify your unique identity. This includes specific and general information about your computer hardware and Internet connection, which are stored together but are not personally identifiable.

---

[Sidney Dionysus]

Yes, but...  Port scanning?  I'm no expert, but the function of a post scan is to see if there are any openings to your system though which once computer have access to another computer without the owner of the 'victim' computer nessessarily even knowing it.  Most people I know of consider port scanning an attack -- includeing me.  Their software is free to LIMITED data, but I did NOT grant LL free and easy acess to my tax records and Quicken data!  They need to stay off my computer.

 

I suppose it could be argued that they are looking for weaknesses in my firewall so that can read my files and learn about my video cards, etc -- but just ask!!!  I'm happy to provide any of that stuff.  But don't try to trapse around my system uninvited and look for any damn thing you want.  Not even remotely cool.

[Innula Zenovka]

As Wikipedia puts it, 

---

The information gathered by a port scan has many legitimate uses including network inventory and the verification of the security of a network. Port scanning can, however, also be used to compromise security. 

---

So I guess it depends on what you think LL are looking for and what they're doing with the information.

[Kristin Burner]

mew

 

If you think they are committing an illegal act to compromise your systems security and steal sensitive information, you should contact the right law agency and have charges brought up against them then.

Good luck with that

I would suggest you cancel all your accounts to

[Sidney Dionysus]

Why am I getting attitude?  Should I not be concnerned when my LEGEITMATE comercial firewall recommends I premantly ban that server?  When emerald was doing funny stuff I dropped them like a hot potato.

 

I don't know if that 'cancel all accounts' was supposed to be a threat, but it's a funny one because that is EXACTLY what I'll do if I don't hear a damn good reason to be attacked like this!

 

Now somebody get serious and tell me what they hell they want to know so I can either provide it for them or pull the hell out of sl.

[Sidney Dionysus]

I'm sorry if I read those responses wrong.  But I'm serious about this.  I am DONE with sl if this keeps happening.  A simple explanation may be enough to convince me it's ok, but right now i'm feeling violated and vulnerable. They in no way warned me this kind of thing might happen.  Even terms of service made me feel they were protecting me.

 

I'm not being unreasonable.  I feel entitled to an explanation. 

[leliel Mirihi]

---

Sidney Dionysus wrote:

Yes, but...  Port scanning?  I'm no expert, but the function of a post scan is to see if there are any openings to your system though which once computer have access to another computer without the owner of the 'victim' computer nessessarily even knowing it.  Most people I know of consider port scanning an attack -- includeing me.  Their software is free to LIMITED data, but I did NOT grant LL free and easy acess to my tax records and Quicken data!  They need to stay off my computer.

 

I suppose it could be argued that they are looking for weaknesses in my firewall so that can read my files and learn about my video cards, etc -- but just ask!!!  I'm happy to provide any of that stuff.  But don't try to trapse around my system uninvited and look for any damn thing you want.  Not even remotely cool.

---

Talk about jumping to conclusions. Port scanning is the equivalent of standing on the sidewalk and taking note of where the doors and windows are on a house. Nobody said anything about LL trying to break into your computer and steal your tax records.

What makes you so shure it even is a port scan? Last I checked the viewer and the grid had some pretty legitimate reasons to talk to each other and as you said yourself this only happens when you're logged in. There's no rule that says the viewer that has to initiate all communications.

[Sidney Dionysus]

I don't believe this!

If it get port scanned from a server in Russia, everybody is scrambling to lock them out.  But if it's in tennessee (where this server is located, I googled it) no harm no fowl.  We all love second life, I'm not bad mouthing them.  But if they are going to be doing this, they need to explain themselves!  It may be nothing, or it may be a rogue employee that THEY would like to know about!

Am I jumping to conclusion?  Yes!  Havn't been offered enough data to jump to anything else!  Somebody set up a bunch of cameras on my doors and windows, offered no explantionan whatsoever, and when I ask what they are doing...  I'm the unreasonable one?  Really?

Let me put it in perspective for you.  If they are port scanning me, they are probably port scanning YOU.  You might not have even known.  Are you ok with that?   Don't worry, they are going though your pockets and checking all your doors and windows to see if they are unlocked, but it's LL.  So don't worry about it.  It's just a huge organization of people who you don't know, hiring strangers THEY don't know, and giving them the keys to YOUR house.

If that doesn't concern you, it certainly should!

And I know they are doing it because Intego VirusBarrier X6 keeps catching them at it.  Not once, but four times so far.  A commercial product who recomends 'permanatly blocking' all traffic from that address.

All I want is an expalnation.  Maybe I should open a ticket, but I thought others might want look into this as well.

[Nalates Urriah]

What are you using to detect the port scan?

The SL Viewer and servers use a number of ports. 

Port	Protocol	Used For
53	UDP and TCP	DNS lookup
80	TCP	Second Life web resources
443	TCP	Second Life web resources/client authentication
3478	UDP	Voice/STUN traffic
3479	UDP	Voice/STUN traffic
5060	UDP	Voice/SIP traffic
5062	UDP	Voice/SIP traffic
12000-29999	UDP	Voice/RTP traffic/Core protocol communication ** (see note below)
12043	UDP and TCP	Capabilities/map services/simulator communication
12046	TCP	Texture downloading
21002	TCP	Voice signaling

What checks have you made to assure someone is not spoofing you as LL?

Microsoft on port scan detection - Telling the difference between malicious and normal port scans is not a simple thing. 

We also have had a bug increasing network trafic from servers. That has been corrected but I don't remember if it has made it to the grid. It make take another week or two. Whether that is what you are seeing or not I have no clue. The Lindens did not asy what the additional traffic consisted of...

Also this is the forum where mostly SL users are going to respond to you. If you think something is really going on, call support.

[leliel Mirihi]

---

Sidney Dionysus wrote:

Let me put it in perspective for you.  If they are port scanning me, they are probably port scanning YOU.  You might not have even known.  Are you ok with that?

---

As some one that knows how TCP/IP works and has done a few port scans themselves all I can say is so what? Port scans can be used for more than stealing your tax records. Read up on what nmap can do.

---

Don't worry, they are going though your pockets and checking all your doors and windows to see if they are unlocked, but it's LL.  So don't worry about it.  It's just a huge organization of people who you don't know, hiring strangers THEY don't know, and giving them the keys to YOUR house.

If that doesn't concern you, it certainly should!

And I know they are doing it because Intego VirusBarrier X6 keeps catching them at it.  Not once, but four times so far.  A commercial product who recomends 'permanatly blocking' all traffic from that address.

All I want is an expalnation.  Maybe I should open a ticket, but I thought others might want look into this as well.

---

How do you know that LL is trying to steal your tax records? How do you know they're trying to steal anything? So far all you know is that machines owned by LL are attempting to connect to your machine, nothing else. Have you used a packet sniffer to see what LL is sending? Or are you just jumping to conclusions and making up alarmist hyperbole?

 

 

[Sidney Dionysus]

THANK you.  I only want to know what is going on.  I'm really not on a 'crusade.'  I love SL and don't want to leave, but this is new and scary.

I've done little, letting my software do it.  I'm really not sure its even coming from sl, but it does catch an IP address that when popped into google comes up as a Linden Labs server in Tennasee.  I'm no expert, could someone be using that as a proxy or something?  Also, it only seems to happen when my browswer is open and I think (I'm not 100% on this) but after I do a purchase on the web site then recieving it in sl.  For all I know it's a perfectly normal function.  But I don't know, so I asked.

I'm using firestorm, because I have a MacBook Pro and that was the only browser that worked on this computer (I can give a more detail on that if you think it's relevant).  Maybe LL is sensing something funky about the software.  I was one of the ones who went though the 'Emerald' experience.   (I hope that is not the case, the default browsers don't work with my graphic card.)

Do you have any advice on how I might detect spoofing?  (On a Mac.)

[Sidney Dionysus]

Leliel I don't think they are after my records.  I don't know what they are after.  That is kind of the point.  I don't know, and when I asked, people got crappy with me.  YOU got crappy with me.  I don't really know why. 

[leliel Mirihi]

Sorry but you kind of sounded like a little old lady calling the cops on some teenagers that were walking down the street just because they were dressed funny. Your first assumption probably shouldn't have been that LL was trying to hack your computer and steal all your info.

[Sidney Dionysus]

Well, I apologise for that.  That was not my intent.  It just once and I blew it off.  The two more times in quick succession.  While I was typing that message it happened a forth time.  I didn't think I went off half cocked, there was a serious pattern by the time I posted.

[Triple Peccable]

I saw some really crazy stuff earlier this week becuase of the bug Natales mentioned. There was so much extra traffic being created by LL's servers that I had to clear my internet traffic log because of the HUGE increase in size.

In fact, it was so bad that it would not surprise me if some equipment on LL's end thought there might have been some sort of attack going on. That, in turn, might have triggered something on their end that resulted in port scans, it is tough to say.

The moral of this story is I would wait before I did anything if I were you. The bug has been fixed and rolled out, so it is quite possible the port scans will not reoccur. Don't make any decisions based on anything the grid did last week.

 

[CherryPie69 Juneberry]

Linden Lab can scan my ports anytime! (had to say it) :matte-motes-kiss:

[Sidney Dionysus]

That's what I'll do.  It hasn't happened in over a day now.  Must have been a one time thing.