Posted: 10/12/2004 8:21:40 PM EDT
Seriously, I am being port scanned about 1X per minute. Once I leave the site, scanners stop.
|
|
What kind of Internet connection do you have?
I'm on cable modem and up 7/24. My firewall blocks hundreds of access attempts per day. My ISP scans ports occasionally looking for open mail servers, NNTP servers, etc. |
|
No, but I have my logging turned off. I know if someone gets in they earned it.
|
|
I remember when Imbro posted about the CIA port scanning him from here.
|
|
IIRC ILL and TRG hold the record here for the most "scanned" ports...
...! |
|
hahahha yeah don't bend over or the CIA will bust a quickie port scan on you to see if you really did take that boating trip last weekend
|
|
Used to happen, but not anymore, and never in the volume you describe.
|
|
Same thing here. I get on ARFcom and I get scanned like crazy. Thank God for Black Ice.
|
|
What are ports?
Ports are used by a computer to control which service is accessed when establishing a connection. If you are communicating with Secure Design for example and you are sending e-mail, your computer establishes a connection to port 25 (SMTP); however, if you are accessing a web page, you must connect to port 80 (http). Ports on a computer range from 1 to 65535. Ports under 1024 are reserved for system processes such as mail and web servers. Ports above 1024 are often used for outbound connections.
What is port scanning?
When establishing a connection to a server, your computer specifies the server address and the target port number. When the request is made, the server responds by allowing the connection or responding with a "port closed" message. Port scanning is a method of probing a computer to see what ports are open. This is usually a brute force operation where one simply tries to establish a connection to each and every port on the target computer. When a connection is established, the caller makes note of the port number and continues on. The caller can then examine these ports later to see if any known security holes exist. |
|
|
W3rd Chummer. |
|
|
So, the question begs.
What port and why and where is the scan coming from? |
|
any firewall should do it. Is firefox a firewall? |
|
|
No, it's a special browser. |
||
|
216.77.188.54 64.233.161.104 69.95.2.77 |
|
|
Okay. Now for the stupid question. How do I know when I'm being scanned and how do I prevent it? I have a router and a firewall. Is that enough?
BTW Headlice, have you ever considered getting a new sign on name? |
|
What Port(s)? Can you post a sanitized version of your logfile that excludes your machine's info but shows Source, Destination and Time? |
|
|
The good news is that those IP's are too high to be a gubmint addy.
64.233.161.104 - Resolved to a google IP. Do you have the google toolbar utility? Every now and again my work firewall logs searches through the google toolbar as a port scan for some reason. |
|
This one time at Gunstock The RedGoat scanned me ports....
SGatr15 |
|
Why would Google be trying an application hi jack ??? |
|
|
G-mail? SGatr15 |
||
|
It wasn't, but for some reason the firewall here at work recorded it as a scan. It only did it when I used Google's toolbar extension for IE. I've had no problems with the same function at home. Probably just something with the settings on the hardware firewall here at work. |
||
|
My log is showing 69.95.2.66 as well as some others in the 218.83.x.x range. |
||
|
I have ZoneAlarm firewall and I get hit all the time in port scans....best thing I ever did was getting the firewall...I have a log of hits...since I installed it I have had about 100,000 hits in scans....that is since August...
|
|
K guys, sorry for the long delay in the reply.
I am at school right now and don't have access to my pc to check my security log. I'll do it when I get home and post for ya. I'll also check to see if my firewall specifies the port being scanned...will post approximately 12:30PM Central on 10/13/2004. Basically, I have a dial-up but am still being scanned (not like they would want anything with my connection...). No I do not have a google toolbar |
|
ok, a little later than I estimated. I don't know why I said 12:30, I meant 2:30.
here is the address doing the scanning: 67.200.25.33
Your computer's TCP ports: 2082, 2745, 1025, and 6129 have been scanned from 67.200.25.33
Well, I think that is all of the info you guys were asking. BTW, the scans have stopped as far as I can tell. For now, at least.... |
|
If you are browsing websites you may get hit with a bit of additional traffic from the websites visited. Doesn't mean they are scanning you. BlackICE is probably the worst offender in the "If you constantly broadcast hits you prove the product works" mentality of software firewalls. I would consider most of the hits on a firewall simple background noise. Unless you see concerted hits, maybe 10 plus from the same source in just a few minutes, forget about it. It's easy to worry when you see a lot of traffic in your logs but realize everything logged was blocked.
Here is the last 1.5 hours of my logs:
time:Oct 13 12:01:10 in:eth0 out: port:5554 source:220.76.67.84 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 12:01:11 in:eth0 out: port:1023 source:220.76.67.84 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 12:01:13 in:eth0 out: port:9898 source:220.76.67.84 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 12:19:32 in:eth0 out: port:9898 source:80.37.101.199 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 12:19:32 in:eth0 out: port:5554 source:80.37.101.199 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 13:34:47 in:eth0 out: port:4899 source:66.161.245.42 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 13:35:18 in:eth0 out: port:1433 source:206.111.200.130 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:ms-sql-s |
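The rule of thumb in the post above (treat scattered blocked hits as noise, look for roughly ten or more from one source within a few minutes) can be applied directly to a log in that format. This is an added example, not part of the original thread: the 5-minute window, the year 2004, the function names and the 203.0.113.9 lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"time:(?P<ts>\w{3} +\d+ [\d:]{8}) .*?port:(?P<port>\d+) source:(?P<src>\S+)")

def parse(log_text, year=2004):
    """Yield (timestamp, source, port) per blocked-packet line; the log has no year, so one is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], int(m["port"])

def concerted_sources(log_text, threshold=10, window=timedelta(minutes=5)):
    """Return {source: sorted ports} for sources with >= threshold hits inside any one window."""
    by_src = defaultdict(list)
    for ts, src, port in parse(log_text):
        by_src[src].append((ts, port))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = sorted({p for _, p in hits})
                break
    return flagged

# POSTED: the lines from the post. CONSTRUCTED: made-up burst from a documentation-range address.
POSTED = """\
time:Oct 13 12:01:10 in:eth0 out: port:5554 source:220.76.67.84 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 12:01:11 in:eth0 out: port:1023 source:220.76.67.84 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 12:01:13 in:eth0 out: port:9898 source:220.76.67.84 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 12:19:32 in:eth0 out: port:9898 source:80.37.101.199 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 12:19:32 in:eth0 out: port:5554 source:80.37.101.199 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 13:34:47 in:eth0 out: port:4899 source:66.161.245.42 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown
time:Oct 13 13:35:18 in:eth0 out: port:1433 source:206.111.200.130 dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:ms-sql-s
"""
CONSTRUCTED = "\n".join(
    f"time:Oct 13 14:00:{i:02d} in:eth0 out: port:{1000 + i} source:203.0.113.9 "
    "dest:166.70.xx.xxx len:48 tos:0x00 protocol:tcp service:unknown"
    for i in range(12)
)

if __name__ == "__main__":
    print(concerted_sources(POSTED))                # posted lines alone: nothing flagged
    print(concerted_sources(POSTED + CONSTRUCTED))  # only the constructed burst is flagged
```

On the posted 1.5 hours of log no source reaches the threshold, which matches the poster's reading of it as background noise.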
|
wheres some info on the IP's doing the scanning
hmm....curious |
|||||
|
it's a domain name resolution service...nothing to worry about? maybe? OTOH what is "CHOICE-ONE-COMMUNICATIONS"? that could be the AR15.com host? |
|
|
Go here to run a full scan on your security...
|
|
|
|
me too. it says I've achieved perfect stealth status. I'm a black hole baby! |
||
|
That site is a trip. I got "Your system has achieved a perfect "TruStealth" rating". I'm on dial-up with no firewall at all. Just a good A/V and ad-aware. That's funny.
|
|
here is some info
|
||
|
Please Stand By. . .
Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
Cool! I'd like to reply, but I don't exist! |
|
I emailed [email protected] and gave them the info yesterday on the scanner.
|
|
You might want to do a bit of reading on port scans before you get too worried about such things. MCI won't even give your email the time of day. The type of scans you are talking about are common and if you were on all day you would see hundreds of hits every day in your logs. It's simply a fact of life. Today alone I got 4231 hits on my firewall. Am I worried? No, that's why I have a firewall. |
|
|
Now THAT is a port scan. You may be doing it rather stealthily but if anything does show up in someone's logs, and it would show up in mine, your ISP would probably take a dim view of your curiosity. Running that exact same scan on one of my computers from a remote site gave me over 6493 hits that showed on my firewall logs. That's enough to draw the attention of any moderately observant computer literate person. |
|
|
I blocked 69.95.2.77 and I could not see anything from the ar15.com pic gallery. I unblock it and I see avatars and pics from the ar15.com gallery. Why was the ar15.com IP trying to scan my computer??? Rosebud. |
|
Copyright © 1996-2024 AR15.COM LLC. All Rights Reserved.
Any use of this content without express written consent is prohibited.