Warning

 

Close

Confirm Action

Are you sure you wish to do this?

Confirm Cancel
Member Login
Site Notices
11/24/2017 4:44:23 PM
11/22/2017 10:05:29 PM
Arrow Left Previous Page
Page / 2
Posted: 10/12/2004 7:21:40 PM EST
Seriously, I am being port scanned about 1X per minute. Once I leave the site, scanners stop.
Link Posted: 10/12/2004 7:24:26 PM EST
What kind of Internet connection do you have?

I'm on cable modem and up 7/24. My firewall blocks hundreds of access attempts per day. My ISP scans ports occasionally looking for open mail servers, NNTP servers, etc.
Link Posted: 10/12/2004 7:24:32 PM EST
A firewall is a wonderful thing to have in that situation.
Link Posted: 10/12/2004 7:26:13 PM EST
How can you tell?

Sorry, but I'm net-clueless.....
Link Posted: 10/12/2004 7:26:16 PM EST
Any port in particular?
Link Posted: 10/12/2004 7:27:52 PM EST
ALL YOUR PORTS ARE BELONG TO US
Link Posted: 10/12/2004 7:30:48 PM EST
No, but I have my logging turned off. I know if someone gets in they earned it.
Link Posted: 10/12/2004 7:34:25 PM EST
gubmint
Link Posted: 10/12/2004 8:25:12 PM EST
I remeber when Imbro posted about the CIA port scanning him from here .
Link Posted: 10/12/2004 8:29:20 PM EST
I have Port 69 open... come on in.
Link Posted: 10/12/2004 8:34:26 PM EST
[Last Edit: 10/13/2004 2:34:06 AM EST by Noname]
IIRC ILL and TRG hold the record here for the most "scanned" ports...

<­BR>

...!
Link Posted: 10/12/2004 8:46:47 PM EST
WTF are you talking about?
Link Posted: 10/12/2004 8:52:57 PM EST
hahahha yeah dont bend over or the CIA will bust a quickie port scan on you to see if you really did take that boating trip last weekend
Link Posted: 10/12/2004 8:54:27 PM EST
[Last Edit: 10/12/2004 8:54:58 PM EST by Lazyshooter]
Used to happen, but not anymore, and never in the volume you describe.
Link Posted: 10/12/2004 8:55:45 PM EST
Same thing here. I get on ARFcom and I get scanned like crazy. Thank God for Black Ice.
Link Posted: 10/12/2004 8:59:06 PM EST

Originally Posted By Trainman:
WTF are you talking about?



What are ports?

Ports are used by a computer to control which service is accessed when establishing a connection. If you are communicating with Secure Design for example and you are sending e-mail, your computer establishes a connection to port 25 (SMTP) however if you are accessing a web page, you must connect to port 80 (http). Ports on a computer range from 1 to 65535. Ports under 1024 are reserved for system processes such as mail and web servers. Ports above 1024 are often used for outbound connections.

What is port scanning?

When establishing a connection to a server, your computer specifies the server address and the target port number. When the request is made, the server responds by allowing the connection or responding with a "port closed" message.

Port scanning is a method of probing a computer to see what ports are open. This is usually a brute force operation where one simply tries to establish a connection to each and every port on the target computer. When a connection is established, the caller makes note of the port number and continues on. The caller can then examine these ports later to see if any known security holes exist.
Link Posted: 10/12/2004 9:54:48 PM EST

Originally Posted By Flushdraw:
Same thing here. I get on ARFcom and I get scanned like crazy. Thank God for Black Ice.


W3rd Chummer.
Link Posted: 10/12/2004 10:06:18 PM EST
So, the question beggs.

What port and why and where is the scan coming from?
Link Posted: 10/12/2004 10:08:16 PM EST
Link Posted: 10/12/2004 10:12:15 PM EST

Originally Posted By M4_Aiming_at_U:
Does Mozilla Fireafox prevent this sort of thing?



any firewall should do it. Is firefox a firewall?
Link Posted: 10/13/2004 12:10:58 AM EST
Had my router stop recording them.

Link Posted: 10/13/2004 1:53:12 AM EST
Link Posted: 10/13/2004 3:06:01 AM EST

Originally Posted By gaspain:
So, the question beggs.

What port and why and where is the scan coming from?



216.77.188.54

64.233.161.104


69.95.2.77

Link Posted: 10/13/2004 3:08:05 AM EST
[Last Edit: 10/13/2004 3:09:07 AM EST by rn45]
Okay. Now for the stupid question. How do I know when I'm being scanned and how do I prevent it? I have a router and a firewall. Is that enough?

BTW Headlice, have you ever considered getting a new sign on name?
Link Posted: 10/13/2004 3:10:48 AM EST

Originally Posted By Headlice:
Seriously, I am being port scanned about 1X per minute. Once I leave the site, scanners stop.



What Port(s)?

Can you post a sanitized version of your logfile that excludes your machine's info but shows Source, Destination and Time?
Link Posted: 10/13/2004 3:12:04 AM EST
The good news is that those IP's are too high to be a gubmint addy.

64.233.161.104 - Resolved to a google IP. Do you have the google toolbar utility? Every now and again my work firewall logs searches through the google toolbar as a port scan for some reason.
Link Posted: 10/13/2004 3:13:08 AM EST
This one time at Gunstock The RedGoat scanned me ports....


SGatr15
Link Posted: 10/13/2004 3:15:13 AM EST

Originally Posted By Stillie:
The good news is that those IP's are too high to be a gubmint addy.

64.233.161.104 - Resolved to a google IP. Do you have the google toolbar utility? Every now and again my work firewall logs searches through the google toolbar as a port scan for some reason.



Why would Google be trying an application hi jack ???
Link Posted: 10/13/2004 3:15:56 AM EST

Originally Posted By cyanide:

Originally Posted By Stillie:
The good news is that those IP's are too high to be a gubmint addy.

64.233.161.104 - Resolved to a google IP. Do you have the google toolbar utility? Every now and again my work firewall logs searches through the google toolbar as a port scan for some reason.



Why would Google be trying an application hi jack ???




G-mail?


SGatr15
Link Posted: 10/13/2004 3:17:52 AM EST
[Last Edit: 10/13/2004 3:18:47 AM EST by Stillie]

Originally Posted By cyanide:

Originally Posted By Stillie:
The good news is that those IP's are too high to be a gubmint addy.

64.233.161.104 - Resolved to a google IP. Do you have the google toolbar utility? Every now and again my work firewall logs searches through the google toolbar as a port scan for some reason.



Why would Google be trying an application hi jack ???



It wasn't, but for some reason the firewall here at work recorded it as a scan. It only did it when I used Google's toolbar extension for IE.

I've had no problems with the same function at home. Probably just something with the settings on the hardware firewall here at work.
Link Posted: 10/13/2004 3:18:31 AM EST

Originally Posted By cyanide:

Originally Posted By gaspain:
So, the question beggs.

What port and why and where is the scan coming from?



216.77.188.54

64.233.161.104


69.95.2.77




My log is showing 69.95.2.66 as well as some others in the 218.83.x.x range.
Link Posted: 10/13/2004 3:18:47 AM EST
I have ZoneAlarm firewall and I get hit all the time in port scans....best thing I ever did was getting the firewall...I have a log of hits...since I installed it I have had about 100,000 hits in scans....that is since August...
Link Posted: 10/13/2004 4:02:41 AM EST
RBAD is looking for porn again.
Link Posted: 10/13/2004 4:06:30 AM EST
[Last Edit: 10/13/2004 4:08:06 AM EST by AssaultRifler]

Originally Posted By Flushdraw:
Same thing here. I get on ARFcom and I get scanned like crazy. Thank God for Black Ice.



my windows box is hanging off my Red Hat Linux acting as an internet gateway and which has iptables configured as a firewall, anything else that makes it to Windows side gets chewed up and spit out by Zone Alarm.

To top that off I have the corporate edition of Norton Antil Virus doing nightly virus scans and real time virus protection, and about once a week I run Ad Adware.
Link Posted: 10/13/2004 7:20:39 AM EST
K guys, sorry for the long delay in the reply.

I am at school right now and dont have acess to my pc to check my security log. Ill do it when I get home and post for ya. Ill also check to see if my firewall specifies the port being scanned...will post approximately 12:30PM Central on 10/13/2004.

Basically, I have a dial-up but am still being scanned (not like they would want anything with my connection...).

No I do not have a google toolbar
Link Posted: 10/13/2004 10:12:11 AM EST
ok, a little later than I estimated. I dont know why I said 12:30, I meant 2:30.

here is the address doing the scanning: 67.200.25.33

Your computer's TCP ports:
2082, 2745, 1025, and 6129 have been scanned from 67.200.25.33

Well, I think that is all of the info you guys were asking.

BTW, the scans have stopped as far as I can tell. For now, at least....
Link Posted: 10/13/2004 10:42:36 AM EST
[Last Edit: 10/13/2004 10:43:33 AM EST by Daggar]
If you are browsing websites you may get hit with a bit of additional traffic from the websites visited. Doesn't mean they are scanning you. BlackICE is probably the worst offender in the "If you constantly broadcast hits you prove the product works" mentality of software firewalls. I would consider most of the hits on a firewall simple background noise. Unless you see concerted hits, maybe 10 plus from the same source in just a few minutes forget about it. It's easy to worry when you see alot of traffic in your logs but realize everything logged was blocked.

Here is the last 1.5 hours of my logs:

time:Oct 13 12:01:10 in:eth0 out: port:5554 source:220.76.67.84 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 12:01:11 in:eth0 out: port:1023 source:220.76.67.84 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 12:01:13 in:eth0 out: port:9898 source:220.76.67.84 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 12:19:32 in:eth0 out: port:9898 source:80.37.101.199 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 12:19:32 in:eth0 out: port:5554 source:80.37.101.199 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 13:34:47 in:eth0 out: port:4899 source:66.161.245.42 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 13:35:18 in:eth0 out: port:1433 source:206.111.200.130 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:ms-sql-s
Link Posted: 10/13/2004 2:36:17 PM EST
[Last Edit: 10/13/2004 2:42:44 PM EST by gaspain]
wheres some info on the IP's doing the scanning


Search results for: 67.200.25.33


OrgName: UUNET Technologies, Inc.
OrgID: UUDA
Address: 22001 Loudoun County Parkway
City: Ashburn
StateProv: VA
PostalCode: 20147
Country: US

NetRange: 67.192.0.0 - 67.255.255.255
CIDR: 67.192.0.0/10
NetName: UUNET01DU
NetHandle: NET-67-192-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: DIALDNS1.UU.NET
NameServer: DIALDNS2.UU.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-09-13
Updated: 2002-03-25

TechHandle: OA12-ARIN
TechName: UUnet Technologies, Inc., Technologies
TechPhone: +1-800-900-0241
TechEmail: help4u@mci.com

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName: abuse
OrgAbusePhone: +1-800-900-0241
OrgAbuseEmail: abuse-mail@mci.com

OrgNOCHandle: OA12-ARIN
OrgNOCName: UUnet Technologies, Inc., Technologies
OrgNOCPhone: +1-800-900-0241
OrgNOCEmail: help4u@mci.com

OrgTechHandle: SWIPP-ARIN
OrgTechName: swipper
OrgTechPhone: +1-800-900-0241
OrgTechEmail: swipper@mci.com

# ARIN WHOIS database, last updated 2004-10-12 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.





Search results for: 216.77.188.54


OrgName: BellSouth.net Inc.
OrgID: BELL
Address: 575 Morosgo Drive
City: Atlanta
StateProv: GA
PostalCode: 30324
Country: US

ReferralServer: rwhois://rwhois.eng.bellsouth.net:4321

NetRange: 216.76.0.0 - 216.79.255.255
CIDR: 216.76.0.0/14
NetName: BELLSNET-BLK5
NetHandle: NET-216-76-0-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS.BELLSOUTH.NET
NameServer: NS.ATL.BELLSOUTH.NET
Comment:
Comment: For Abuse Issues, email abuse@bellsouth.net. NO ATTACHMENTS. Include IP
Comment: address, time/date, message header, and attack logs.
Comment: For Subpoena Request, email ipoperations@bellsouth.net with "SUBPOENA" in
Comment: the subject line. Law Enforcement Agencies ONLY, please.
RegDate: 1998-09-15
Updated: 2003-05-05

AbuseHandle: ABUSE81-ARIN
AbuseName: Abuse Group
AbusePhone: +1-404-499-5224
AbuseEmail: abuse@bellsouth.net

TechHandle: JG726-ARIN
TechName: Geurin, Joe
TechPhone: +1-404-499-5240
TechEmail: ipoperations@bellsouth.net

OrgAbuseHandle: ABUSE81-ARIN
OrgAbuseName: Abuse Group
OrgAbusePhone: +1-404-499-5224
OrgAbuseEmail: abuse@bellsouth.net

OrgTechHandle: JG726-ARIN
OrgTechName: Geurin, Joe
OrgTechPhone: +1-404-499-5240
OrgTechEmail: ipoperations@bellsouth.net

# ARIN WHOIS database, last updated 2004-10-12 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.





OrgName: Google Inc.
OrgID: GOGL
Address: 2400 E. Bayshore Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US

NetRange: 64.233.160.0 - 64.233.191.255
CIDR: 64.233.160.0/19
NetName: GOOGLE
NetHandle: NET-64-233-160-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
Comment:
RegDate: 2003-08-18
Updated: 2004-03-05

TechHandle: ZG39-ARIN
TechName: Google Inc.
TechPhone: +1-650-318-0200
TechEmail: arin-contact@google.com

OrgTechHandle: ZG39-ARIN
OrgTechName: Google Inc.
OrgTechPhone: +1-650-318-0200
OrgTechEmail: arin-contact@google.com

# ARIN WHOIS database, last updated 2004-10-12 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.




Choice One Communications Inc CHOICE-ONE-COMMUNICATIONS (NET-69-95-0-0-1)
69.95.0.0 - 69.95.127.255
Choice one Internal CHOICE-ONE-COMMUNICATION (NET-69-95-2-0-1)
69.95.2.0 - 69.95.2.225

# ARIN WHOIS database, last updated 2004-10-12 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.







hmm....curious
Link Posted: 10/13/2004 2:38:43 PM EST
NS.BELLSOUTH.NET


who is this ???
Link Posted: 10/13/2004 2:43:22 PM EST
[Last Edit: 10/13/2004 2:46:09 PM EST by gaspain]

Originally Posted By cyanide:
NS.BELLSOUTH.NET


who is this ???



its a domain name resolution service...nothin to worry about? maybe?

OTOH what is "CHOICE-ONE-COMMUNICATIONS" that could be the AR15.com host?
Link Posted: 10/13/2004 2:51:04 PM EST
Run away fast
Link Posted: 10/13/2004 3:00:22 PM EST
Go here to run a full scan on your security...
Link Posted: 10/13/2004 3:10:09 PM EST

Originally Posted By Noname:
Go here to run a full scan on your security...



cool, link!! It says im "stealth" whoo hoo!
Link Posted: 10/13/2004 3:22:16 PM EST

Originally Posted By gaspain:

Originally Posted By Noname:
Go here to run a full scan on your security...



cool, link!! It says im "stealth" whoo hoo!



me too. it says I've achieved perfect stealth status.

I'm a black hole baby!
Link Posted: 10/13/2004 3:31:47 PM EST
That site is a trip. I got "Your system has achieved a perfect "TruStealth" rating" Im on dial-up with no firewall at all. Just a good A/V and ad-aware. Thats funny.
Link Posted: 10/13/2004 4:56:30 PM EST
here is some info


nmap -v -sS -P0 -O 216.77.188.54

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-13 20:57 EST
Host img.bellsouth.net (216.77.188.54) appears to be up ... good.
Initiating SYN Stealth Scan against img.bellsouth.net (216.77.188.54) at 20:57
Adding open port 80/tcp
The SYN Stealth Scan took 311 seconds to scan 1659 ports.
For OSScan assuming that port 80 is open and port 8888 is closed and neither are firewalled
For OSScan assuming that port 80 is open and port 8888 is closed and neither are firewalled
For OSScan assuming that port 80 is open and port 8888 is closed and neither are firewalled
Interesting ports on img.bellsouth.net (216.77.188.54):
(The 1657 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
80/tcp open http
8888/tcp closed sun-answerbook
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.50%P=i686-pc-linux-gnu%D=10/13%Time=416DDE6B%O=80%C=8888)
TSeq(Class=TR%IPID=RD%TS=0)
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=N)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Randomized

Nmap run completed -- 1 IP address (1 host up) scanned in 330.181 seconds




nmap -v -sS -O -P0 67.200.25.33

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-13 20:59 EST
Host 1Cust33.tnt1.random-lake.wi.da.uu.net (67.200.25.33) appears to be up ... good.
Initiating SYN Stealth Scan against 1Cust33.tnt1.random-lake.wi.da.uu.net (67.200.25.33) at 20:59
Adding open port 5101/tcp
The SYN Stealth Scan took 393 seconds to scan 1659 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming that port 5101 is open and port 38646 is closed and neither are firewalled
For OSScan assuming that port 5101 is open and port 33243 is closed and neither are firewalled
For OSScan assuming that port 5101 is open and port 34286 is closed and neither are firewalled
Interesting ports on 1Cust33.tnt1.random-lake.wi.da.uu.net (67.200.25.33):
(The 1658 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
5101/tcp open admdog
Device type: general purpose
Running (JUST GUESSING) : Microsoft Windows NT/2K/XP (93%), FreeBSD 4.X|2.X|3.X (88%)
Aggressive OS guesses: Microsoft Windows 2000 Professional (93%), FreeBSD 4.1.1 - 4.3 (X86) (88%), Microsoft Windows 2000 SP1 (87%), FreeBSD 2.2.1 - 4.1 (86%), FreeBSD 3.4-RELEASE (86%)
No exact OS matches for host (test conditions non-ideal).
TCP Sequence Prediction: Class=random positive increments
Difficulty=9089 (Worthy challenge)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 456.139 seconds

Link Posted: 10/13/2004 5:49:33 PM EST
Please Stand By. . .

Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet


Cool! I'd like to reply, but I don't exist!
Link Posted: 10/13/2004 6:39:01 PM EST
I emailed abuse-mail@mci.com and gave them the info yesterday on the scanner.
Link Posted: 10/13/2004 7:26:52 PM EST

Originally Posted By Headlice:
I emailed abuse-mail@mci.com and gave them the info yesterday on the scanner.


You might want to do a bit of reading on port scans before you get to worried about such things. MCI won't even give your email the time of day. The type of scans you are talking about are common and if you were on all day you would see hundreds of hits every day in your logs. It's simply a fact of life. Today alone I got 4231 hits on my firewall. Am I worried? No, that's why I have a firewall.
Link Posted: 10/13/2004 7:49:33 PM EST
[Last Edit: 10/13/2004 8:40:49 PM EST by Daggar]

Originally Posted By x5060:
here is some info

nmap -v -sS -P0 -O 216.77.188.54



Now THAT is a port scan. You may be doing it rather stealthily but if anything does show up in someone's logs, and it would show up in mine, your ISP would probably take a dim view of your curiosity.

Running that exact same scan on one of my comptures from a remote site gave me over 6493 hits that showed on my firewall logs. That's enough to draw the attention of any moderately observant computer literate person.
Link Posted: 10/14/2004 4:54:53 AM EST
I blocked

69.95.2.77

And I could not see anything from the ar15.com pic gallery

I unblock it and I see avatars and pics from the ar15.com gallery

why was the ar15.com ip trying to scan my computer ???

Rosebud.
Arrow Left Previous Page
Page / 2
Top Top