Protocol: TCP
Port: 5632
Description: pcAnywhere
Another possible source of tcp/22 probes is early versions of pcAnywhere,
which used this port.
pcAnywhere is a remote control
utility from Symantec.
http://enterprisesecurity.symantec.com/products/products.cfm?productID=2
There are two classes of pcAnywhere scans:
On-subnet:
On-subnet scans originate from an IP address that is within your subnet, for
example, when your IP address is 10.1.1.1 and you receive a scan from 10.1.1.200.
These scans are less of a concern as they are likely generated by the pcAnywhere
application itself, not a hacker doing port scanning. When a user launches a
pcAnywhere viewer, it probes all IP addresses in the user's subnet in order to
provide a list of available hosts.
This may be convenient for the user, but it will effectively trigger a port
scan alarm on all other users on that subnet. For this reason, we feel this
is a poor feature which Symantec should disable. At a minimum, we feel pcAnywhere
should only do a subnet scan when connected to a private network and disable
this feature when connected to the Internet.
If you use pcAnywhere on an Internet connection, we recommend you disable this
behavior as follows:
Disabling pcAnywhere subnet scans
Off-subnet:
Off-subnet scans originate from any IP address outside your subnet. For example,
if your IP address is 10.1.1.1, an off-subnet scan would originate from 10.1.2.1.
Since pcAnywhere does not generate off-subnet scans, it is likely that such
scans are generated from a port scanner and are thus hostile.
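The on-subnet/off-subnet triage described above can be run over firewall logs. The following is an added example, not part of the original page or of any Symantec tool. The log line format, the sample entries, the function name classify_probes and the /24 netmask are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

PCANYWHERE_PORT = 5632  # port listed at the top of this page

# Assumed (constructed) log format: "<time> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^\S+\s+\w+\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample entries, not real traffic.
SAMPLE_LOG = """\
2001-05-01T09:00:01 TCP 10.1.1.200:1043 -> 10.1.1.1:5632
2001-05-01T09:00:01 TCP 10.1.1.200:1044 -> 10.1.1.2:5632
2001-05-01T09:03:17 TCP 10.1.2.1:3321 -> 10.1.1.1:5632
2001-05-01T09:04:00 TCP 10.1.1.50:1100 -> 10.1.1.1:80
garbage line that does not parse
"""


def classify_probes(log_text, local_net):
    """Group probes to the pcAnywhere port by source and label each source.

    Returns {source_ip: {"class": "on-subnet" | "off-subnet", "targets": [...]}}.
    """
    net = ipaddress.ip_network(local_net, strict=False)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != PCANYWHERE_PORT:
            continue  # unparseable line or a different destination port
        try:
            ipaddress.ip_address(m["src"])
            ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # looks like an address but is not a valid one
        targets[m["src"]].add(m["dst"])
    report = {}
    for src, dsts in targets.items():
        on_subnet = ipaddress.ip_address(src) in net
        report[src] = {
            "class": "on-subnet" if on_subnet else "off-subnet",
            "targets": sorted(dsts, key=ipaddress.ip_address),
        }
    return report


if __name__ == "__main__":
    for src, info in classify_probes(SAMPLE_LOG, "10.1.1.1/24").items():
        print(src, info["class"], info["targets"])
```

An on-subnet source that touches many neighbours at once matches the viewer's host-listing behaviour described above. Off-subnet sources are the ones to review.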