Velocity Reviews - Computer Hardware Reviews

Port scans. What are these?

kmtanner@cyberspace.org
10-18-2005
Hi people. I get constant & regular port scans from these IP
addresses:

61.137.117.208
61.233.40.205
61.237.29.102
61.237.3.70
61.235.144.86

Severity: Minor
Direction: Incoming
Protocol: UDP

ARIN and RIPE whois servers don't give any information about any
of these addresses. It kinda bugs me because they're constant
scans. Probably caused by some application I've installed (like
automatic update check or...)

Could anyone enlighten me? Thanks in advance.

Anders
10-18-2005
(E-Mail Removed) wrote:
> Hi people. I get constant & regular port scans from these IP
> addresses:
>
> 61.137.117.208
> 61.233.40.205
> 61.237.29.102
> 61.237.3.70
> 61.235.144.86
>
> Severity: Minor
> Direction: Incoming
> Protocol: UDP
>
> ARIN and RIPE whois servers don't give any information about any
> of these addresses. It kinda bugs me because they're constant
> scans. Probably caused by some application I've installed (like
> automatic update check or...)
>
> Could anyone enlighten me? Thanks in advance.
>


It looks like China messenger spam to me. Are they using UDP on ports
1026, 1027? It probably is.

61.137.117.208
61.137.0.0 - 61.137.127.255
netname: CHINANET-HN
country: CN
descr: CHINANET Hunan province network
descr: China Telecom

61.233.40.205
61.233.40.0 - 61.233.40.255
netname: CRHbYqS
country: CN
descr: China Railcom Hebei Yangquan Subbranch
descr: Telecommunication

61.237.29.102
61.232.0.0 - 61.237.255.255
netname: CRTC
country: CN
descr: CHINA RAILWAY TELECOMMUNICATIONS CENTER
admin-c: LQ112-AP
tech-c: LM273-AP
status: ALLOCATED PORTABLE

61.237.3.70
61.232.0.0 - 61.237.255.255
netname: CRTC
country: CN
descr: CHINA RAILWAY TELECOMMUNICATIONS CENTER
admin-c: LQ112-AP
tech-c: LM273-AP
status: ALLOCATED PORTABLE

61.235.144.86
61.232.0.0 - 61.237.255.255
netname: CRTC
country: CN
descr: CHINA RAILWAY TELECOMMUNICATIONS CENTER
admin-c: LQ112-AP
tech-c: LM273-AP
status: ALLOCATED PORTABLE

kmtanner@cyberspace.org
10-18-2005
Anders wrote:
> (E-Mail Removed) wrote:

[...]
> It looks like it is China messenger spam to me, are they using udp on
> port 1026,1027 it probable is.


This is the information I got:

=============insert
Somebody is scanning your computer.
Your computer's UDP ports:
1028, 1029, 1030, and 4081 have been scanned from 61.137.117.208..
=============outsert

Thanks a lot for your help.

kmtanner@cyberspace.org
10-18-2005
Oh btw Anders: What service did you use to get the information? RIPE
doesn't work well for me...

Hairy One Kenobi
10-18-2005
<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Oh btw Anders: What service did you use to get the information? RIPE
> doesn't
> work well for me...


There are more than two rings in the Olympic symbol (hint!)

Google for APNIC, then either follow that up with a more general registrar
search, or download the appropriate software.

I cook my own, but many are available. codecutters.org. YMMV, I don't
exactly stay up nights doing wonderful and interesting things with
interfaces (Erm.. /software/ interfaces, that is. Cough! )

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!

Anders
10-19-2005
(E-Mail Removed) wrote:
> Oh btw Anders: What service did you use to get the information? RIPE
> doesn't
> work well for me...
>


"Network Tools", a nice little tool in Linux using whois.net

Anders

Interested
10-23-2005
On 18 Oct 2005, (E-Mail Removed) wrote:
>Hi people. I get constant & regular port scans from these IP
>addresses:
>
>61.137.117.208
>61.233.40.205
>61.237.29.102
>61.237.3.70
>61.235.144.86
>
>Severity: Minor
>Direction: Incoming
>Protocol: UDP
>
>ARIN and RIPE whois servers don't give any information about any
>of these addresses. It kinda bugs me because they're constant
>scans. Probably caused by some application I've installed (like
>automatic update check or...)
>
>Could anyone enlighten me? Thanks in advance.


Go to: http://www.dnsstuff.com/

For example, this is what WHOIS Lookup shows for 61.137.117.208.
There is no PTR for it so it is likely a dynamic IP. Could very well be a
hack attempt. Certainly not a legitimate site or there would be a PTR record
for it.

WHOIS results for 61.137.117.208
Generated by www.DNSstuff.com
Location: China [City: China, Beijing]

ARIN says that this IP belongs to APNIC; I'm looking it up there.


Using 2 day old cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 61.137.0.0 - 61.137.127.255
netname: CHINANET-HN
country: CN
descr: CHINANET Hunan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
admin-c: CH93-AP
tech-c: YX69-AP
status: ALLOCATED NON-PORTABLE
changed: *****@chinatelecom.com.cn 20050825
mnt-by: MAINT-CHINANET
source: APNIC

person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-58501144
e-mail: **********@ns.chinanet.cn.net
e-mail: *********@ns.chinanet.cn.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: **********@ns.chinanet.cn.net 20021016
remarks: hostmaster is not for spam complaint,please send spam
complaint to *********@ns.chinanet.cn.net
source: APNIC

person: Yali Xiao
address: Hunan Data Communication Bureau No.9 middle wuyi road
ChangSha city,Hunan ,P.R.China 410011
country: CN
phone: +86-731-2260079
fax-no: +86-731-2265549
e-mail: ****@hnpta.net.cn
nic-hdl: YX69-AP
mnt-by: MAINT-CHINANET-HUNAN
changed: ****@hndcb.hnpta.net.cn 20010523
source: APNIC


The Reverse DNS shows no PTR record meaning it is not legitimate.

Reverse DNS for 61.137.117.208
Generated by www.DNSstuff.com
Location: China [City: China, Beijing]

Preparation:
The reverse DNS entry for an IP is found by reversing the IP, adding it to
"in-addr.arpa", and looking up the PTR record.
So, the reverse DNS entry for 61.137.117.208 is found by looking up the PTR
record for
208.117.137.61.in-addr.arpa.
All DNS requests start by asking the root servers, and they let us know
what to do next.
See How Reverse DNS Lookups Work for more information.

How I am searching:
Asking a.root-servers.net for 208.117.137.61.in-addr.arpa PTR record:
a.root-servers.net says to go to tinnie.arin.net. (zone:
61.in-addr.arpa.)
Asking tinnie.arin.net. for 208.117.137.61.in-addr.arpa PTR record:
Reports that no PTR records exist [from 69.25.34.195].

Answer:
No PTR records exist for 61.137.117.208. [Neg TTL=172800 seconds]

Details:
tinnie.arin.net. (an authoritative nameserver for 61.in-addr.arpa., which
is in charge of the reverse DNS for 61.137.117.20
says that there are no PTR records for 61.137.117.208.

To get reverse DNS set up for 61.137.117.208, you need to speak to your
Internet provider. You could also
check with (E-Mail Removed)., who is in
charge of the 61.in-addr.arpa. zone.

Note that all Internet accessible hosts are expected to have a reverse DNS
entry (per RFC1912 2.1),
and many mailservers (such as AOL) will likely block E-mail from
mailservers with no reverse DNS entry.
To see the reverse DNS traversal, to make sure that all DNS servers are
reporting the correct results, you can Click Here.

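The reverse-DNS name construction and the APNIC whois record walked through in the post above, as an added Python example that is not from the thread: it reverses the octets to build the in-addr.arpa name, parses a whois record into fields (the sample below is constructed from the CHINANET-HN record quoted above), checks that the address sits inside the allocation, and produces the one-line triage a log reviewer wants. The live PTR and whois queries are deliberately left out so it runs offline; the function names and the summary format are my own.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample: the APNIC record quoted in the post above, trimmed to
# the fields this parser cares about.
SAMPLE_WHOIS = """\
% [whois.apnic.net node-1]
inetnum: 61.137.0.0 - 61.137.127.255
netname: CHINANET-HN
country: CN
descr: CHINANET Hunan province network
descr: China Telecom
status: ALLOCATED NON-PORTABLE
source: APNIC
"""

def reverse_ptr_name(ip: str) -> str:
    """Name whose PTR record is the reverse DNS of ip: octets reversed,
    then '.in-addr.arpa.' appended (61.137.117.208 -> 208.117.137.61...)."""
    addr = ipaddress.IPv4Address(ip)      # raises ValueError on a bad address
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."

def parse_whois(text: str) -> dict:
    """Collect 'key: value' lines; keys that repeat (descr) become a list."""
    fields: dict = {}
    for line in text.splitlines():
        if not line or line.startswith("%"):   # comment / copyright banner
            continue
        m = re.match(r"^([a-z-]+):\s*(.*)$", line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2).strip())
    return {k: v if len(v) > 1 else v[0] for k, v in fields.items()}

def in_range(ip: str, inetnum: str) -> bool:
    """True if ip falls inside an 'a.b.c.d - e.f.g.h' inetnum line."""
    lo, hi = (ipaddress.IPv4Address(p.strip()) for p in inetnum.split("-"))
    return lo <= ipaddress.IPv4Address(ip) <= hi

def triage(ip: str, whois_text: str, ptr: Optional[str]) -> str:
    """One-line summary: owning netname/country, whether ip is inside the
    returned allocation, and whether reverse DNS resolved (ptr is None when
    the PTR lookup came back empty, as it did in the post above)."""
    rec = parse_whois(whois_text)
    owner = f"{rec.get('netname', '?')}/{rec.get('country', '?')}"
    scope = "in" if in_range(ip, rec["inetnum"]) else "NOT in"
    return f"{ip}: {owner}, {scope} {rec['inetnum']}, reverse DNS {ptr or 'no PTR'}"
```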
ROBERT S & BA Drake
10-23-2005
This one works very well to find out the origin of the IP:

http://www.samspade.org/

"Anders" <(E-Mail Removed)> wrote in message
news:qPl5f.148613$(E-Mail Removed)...
> (E-Mail Removed) wrote:
>> Oh btw Anders: What service did you use to get the information? RIPE
>> doesn't
>> work well for me...
>>

>
> "Network Tools" a nice little tool in Linux useing whois.net
>
> Anders