Jump to content

LIden Servers port scanning


Sidney Dionysus
 Share

You are about to reply to a thread that has been inactive for 4526 days.

Please take a moment to consider if this thread is worth bumping.

Recommended Posts

Ok.  I've been trying to determin why I"m making a mistake here, but I don't think I am.  My comptuer is being port scanned by Linden labs.  Why is this happening?  It only happens while I'm on line with my toon, never any other time.  I'm 90% this is not melicious, but...  I can't think of any GOOD reason to for anyone to be poking at my firewall.

 

Can anyone tell me why this might be happening?  It's annoying and concerning.

Link to comment
Share on other sites

This, from the LL Privacy Policy, might explain it:


If you install or use Second Life software, we collect and aggregate a variety of data to monitor system and simulation performance, and to verify your unique identity. This includes specific and general information about your computer hardware and Internet connection, which are stored together but are not personally identifiable.



Link to comment
Share on other sites

Yes, but...  Port scanning?  I'm no expert, but the function of a post scan is to see if there are any openings to your system though which once computer have access to another computer without the owner of the 'victim' computer nessessarily even knowing it.  Most people I know of consider port scanning an attack -- includeing me.  Their software is free to LIMITED data, but I did NOT grant LL free and easy acess to my tax records and Quicken data!  They need to stay off my computer.

 

I suppose it could be argued that they are looking for weaknesses in my firewall so that can read my files and learn about my video cards, etc -- but just ask!!!  I'm happy to provide any of that stuff.  But don't try to trapse around my system uninvited and look for any damn thing you want.  Not even remotely cool.

Link to comment
Share on other sites

Why am I getting attitude?  Should I not be concnerned when my LEGEITMATE comercial firewall recommends I premantly ban that server?  When emerald was doing funny stuff I dropped them like a hot potato.

 

I don't know if that 'cancel all accounts' was supposed to be a threat, but it's a funny one because that is EXACTLY what I'll do if I don't hear a damn good reason to be attacked like this!

 

Now somebody get serious and tell me what they hell they want to know so I can either provide it for them or pull the hell out of sl.

Link to comment
Share on other sites

I'm sorry if I read those responses wrong.  But I'm serious about this.  I am DONE with sl if this keeps happening.  A simple explanation may be enough to convince me it's ok, but right now i'm feeling violated and vulnerable. They in no way warned me this kind of thing might happen.  Even terms of service made me feel they were protecting me.

 

I'm not being unreasonable.  I feel entitled to an explanation. 

Link to comment
Share on other sites


Sidney Dionysus wrote:

Yes, but...  Port scanning?  I'm no expert, but the function of a post scan is to see if there are any openings to your system though which once computer have access to another computer without the owner of the 'victim' computer nessessarily even knowing it.  Most people I know of consider port scanning an attack -- includeing me.  Their software is free to LIMITED data, but I did NOT grant LL free and easy acess to my tax records and Quicken data!  They need to stay off my computer.

 

I suppose it could be argued that they are looking for weaknesses in my firewall so that can read my files and learn about my video cards, etc -- but just ask!!!  I'm happy to provide any of that stuff.  But don't try to trapse around my system uninvited and look for any damn thing you want.  Not even remotely cool.

Talk about jumping to conclusions. Port scanning is the equivalent of standing on the sidewalk and taking note of where the doors and windows are on a house. Nobody said anything about LL trying to break into your computer and steal your tax records.

What makes you so shure it even is a port scan? Last I checked the viewer and the grid had some pretty legitimate reasons to talk to each other and as you said yourself this only happens when you're logged in. There's no rule that says the viewer that has to initiate all communications.

Link to comment
Share on other sites

I don't believe this!

If it get port scanned from a server in Russia, everybody is scrambling to lock them out.  But if it's in tennessee (where this server is located, I googled it) no harm no fowl.  We all love second life, I'm not bad mouthing them.  But if they are going to be doing this, they need to explain themselves!  It may be nothing, or it may be a rogue employee that THEY would like to know about!

Am I jumping to conclusion?  Yes!  Havn't been offered enough data to jump to anything else!  Somebody set up a bunch of cameras on my doors and windows, offered no explantionan whatsoever, and when I ask what they are doing...  I'm the unreasonable one?  Really?

Let me put it in perspective for you.  If they are port scanning me, they are probably port scanning YOU.  You might not have even known.  Are you ok with that?   Don't worry, they are going though your pockets and checking all your doors and windows to see if they are unlocked, but it's LL.  So don't worry about it.  It's just a huge organization of people who you don't know, hiring strangers THEY don't know, and giving them the keys to YOUR house.

If that doesn't concern you, it certainly should!

And I know they are doing it because Intego VirusBarrier X6 keeps catching them at it.  Not once, but four times so far.  A commercial product who recomends 'permanatly blocking' all traffic from that address.

All I want is an expalnation.  Maybe I should open a ticket, but I thought others might want look into this as well.

Link to comment
Share on other sites

What are you using to detect the port scan?

The SL Viewer and servers use a number of ports

Port Protocol Used For
53 UDP and TCP DNS lookup
80 TCP Second Life web resources
443 TCP Second Life web resources/client authentication
3478 UDP Voice/STUN traffic
3479 UDP Voice/STUN traffic
5060 UDP Voice/SIP traffic
5062 UDP Voice/SIP traffic
12000-29999 UDP Voice/RTP traffic/Core protocol communication ** (see note below)
12043 UDP and TCP Capabilities/map services/simulator communication
12046 TCP Texture downloading
21002 TCP Voice signaling

What checks have you made to assure someone is not spoofing you as LL?

Microsoft on port scan detection - Telling the difference between malicious and normal port scans is not a simple thing. 

We also have had a bug increasing network trafic from servers. That has been corrected but I don't remember if it has made it to the grid. It make take another week or two. Whether that is what you are seeing or not I have no clue. The Lindens did not asy what the additional traffic consisted of...

Also this is the forum where mostly SL users are going to respond to you. If you think something is really going on, call support.

Link to comment
Share on other sites


Sidney Dionysus wrote:

Let me put it in perspective for you.  If they are port scanning me, they are probably port scanning YOU.  You might not have even known.  Are you ok with that?

As some one that knows how TCP/IP works and has done a few port scans themselves all I can say is so what? Port scans can be used for more than stealing your tax records. Read up on what nmap can do.


Don't worry, they are going though your pockets and checking all your doors and windows to see if they are unlocked, but it's LL.  So don't worry about it.  It's just a huge organization of people who you don't know, hiring strangers THEY don't know, and giving them the keys to YOUR house.

If that doesn't concern you, it certainly should!

And I know they are doing it because Intego VirusBarrier X6 keeps catching them at it.  Not once, but four times so far.  A commercial product who recomends 'permanatly blocking' all traffic from that address.

All I want is an expalnation.  Maybe I should open a ticket, but I thought others might want look into this as well.

How do you know that LL is trying to steal your tax records? How do you know they're trying to steal anything? So far all you know is that machines owned by LL are attempting to connect to your machine, nothing else. Have you used a packet sniffer to see what LL is sending? Or are you just jumping to conclusions and making up alarmist hyperbole?

 

 

Link to comment
Share on other sites

THANK you.  I only want to know what is going on.  I'm really not on a 'crusade.'  I love SL and don't want to leave, but this is new and scary.

I've done little, letting my software do it.  I'm really not sure its even coming from sl, but it does catch an IP address that when popped into google comes up as a Linden Labs server in Tennasee.  I'm no expert, could someone be using that as a proxy or something?  Also, it only seems to happen when my browswer is open and I think (I'm not 100% on this) but after I do a purchase on the web site then recieving it in sl.  For all I know it's a perfectly normal function.  But I don't know, so I asked.

I'm using firestorm, because I have a MacBook Pro and that was the only browser that worked on this computer (I can give a more detail on that if you think it's relevant).  Maybe LL is sensing something funky about the software.  I was one of the ones who went though the 'Emerald' experience.   (I hope that is not the case, the default browsers don't work with my graphic card.)

Do you have any advice on how I might detect spoofing?  (On a Mac.)

Link to comment
Share on other sites

I saw some really crazy stuff earlier this week becuase of the bug Natales mentioned. There was so much extra traffic being created by LL's servers that I had to clear my internet traffic log because of the HUGE increase in size.

In fact, it was so bad that it would not surprise me if some equipment on LL's end thought there might have been some sort of attack going on. That, in turn, might have triggered something on their end that resulted in port scans, it is tough to say.

The moral of this story is I would wait before I did anything if I were you. The bug has been fixed and rolled out, so it is quite possible the port scans will not reoccur. Don't make any decisions based on anything the grid did last week.

 

Link to comment
Share on other sites

You are about to reply to a thread that has been inactive for 4526 days.

Please take a moment to consider if this thread is worth bumping.

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share

×
×
  • Create New...