Computer Security - Port scanned by these strange IPs...
#1

Hi guys. I've been port scanned by these unusual IPs...any comments? My experiences with port scans are that they're usually from private IPs of commercial ISPs (i.e. someone's zombie-fied/trojan-ed computer). All of them are UDP scans in the past 6 hours:

18.78.12.98 Unknown
47.229.139.51 Bell-Northern Research
32.151.80.166 Unknown
17.208.21.26 Unknown
92.209.66.146 Internet Assigned Numbers Authority
77.11.7.6 Internet Assigned Numbers Authority
222.38.148.30 CHINA RAILWAY TELECOMMUNICATIONS CENTER
25.138.179.125 DINSA, Ministry of Defence
10.68.120.240 Internet Assigned Numbers Authority
85.196.38.105 GNET - GLOBAL NETWORKS
70.253.234.93 SBC Internet Services SBCIS-SIS80

someone

#2

"someone" <> wrote in message news: oups.com...
> Hi guys. I've been port scanned by these unusual IPs...any comments? My
> experiences with port scans are that they're usually from private IPs
> of commercial ISPs (i.e. someone's zombie-fied/trojan-ed computer).
###################################
Chances are, it's the same thing again.
donnie.

Donnie

#3

You mean those IPs are spoofed? Or that the zombie computers are in those organisations?

someone

#4

On 21 Nov 2005 16:09:06, in the Usenet newsgroup alt.computer.security, in article < .com>, someone wrote:

>Hi guys. I've been port scanned by these unusual IPs...any comments?

Can you say 'Bogus'?

>All of them are UDP scans in the past 6 hours:

What exactly is a UDP scan? UDP is a connectionless protocol, and if it's something like a single packet from some random IP (especially to ports 1025-1035), it's almost certainly faked addresses.

>18.78.12.98
>Unknown

mit.edu

>32.151.80.166
>Unknown

IBM Global

>17.208.21.26
>Unknown

Apple Computer

>92.209.66.146
>Internet Assigned Numbers Authority

This one proves the fake. 92.0.0.0 to 123.255.255.255 have not been issued.

>77.11.7.6
>Internet Assigned Numbers Authority

Also not issued. See http://www.iana.org/assignments/ipv4-address-space

>10.68.120.240
>Internet Assigned Numbers Authority

See RFC1918. If these are really coming in over your Internet connection, scream at your ISP about ingress filtering - see RFC2827 and RFC3804.

You may want to look at the port numbers this crap is being sent to. If the destination ports are 1025 to (say) 1035, and the packet size is 300 to 900 bytes, this is just microsoft messenger spams. Block those ports inbound (silent discard) and ignore.

Old guy

Moe Trin
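As an added example (not code from the thread), the triage Moe Trin describes above applied to constructed firewall log lines: a source in RFC1918 space or in the ranges he lists as unissued in 2005 is flagged as spoofed, and UDP to ports 1025-1035 with a 300-900 byte payload is flagged as messenger spam to drop silently. The log format, the 2005 address table and the sample lines are assumptions.

```python
import ipaddress
import re

# RFC1918 as a source on the Internet side means spoofing or leakage (RFC2827 ingress filtering).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Unissued ranges exactly as the 2005 post states them. Assumption: this is a
# historical snapshot; regenerate it from the current IANA registry before use.
_A = ipaddress.ip_address
UNASSIGNED_2005 = [(_A("77.0.0.0"), _A("77.255.255.255")),
                   (_A("92.0.0.0"), _A("123.255.255.255"))]

# Constructed iptables-style log format (an assumption, not from the thread).
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+) LEN=(\d+)")

def classify_source(ip_str):
    ip = _A(ip_str)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if any(lo <= ip <= hi for lo, hi in UNASSIGNED_2005):
        return "unassigned"
    return "routable"

def looks_like_messenger_spam(proto, dport, length):
    # The post's pattern: UDP, destination port 1025-1035, 300-900 bytes.
    return proto == "UDP" and 1025 <= dport <= 1035 and 300 <= length <= 900

def triage(line):
    """Return (source_class, verdict) for one log line, or None if unparsable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, _dst, proto, dport, length = m.groups()
    src_class = classify_source(src)
    if src_class != "routable":
        return src_class, "spoofed source: ask the ISP about RFC2827 ingress filtering"
    if looks_like_messenger_spam(proto, int(dport), int(length)):
        return src_class, "messenger spam: silently drop inbound UDP 1025-1035"
    return src_class, "review"

# Constructed sample lines reusing addresses from the thread.
SAMPLE_LOG = [
    "IN=ppp0 SRC=10.68.120.240 DST=192.0.2.10 PROTO=UDP DPT=1027 LEN=512",
    "IN=ppp0 SRC=92.209.66.146 DST=192.0.2.10 PROTO=UDP DPT=1028 LEN=640",
    "IN=ppp0 SRC=70.253.234.93 DST=192.0.2.10 PROTO=UDP DPT=1029 LEN=480",
    "IN=ppp0 SRC=70.253.234.93 DST=192.0.2.10 PROTO=TCP DPT=135 LEN=48",
]

if __name__ == "__main__":
    print(*(triage(line) for line in SAMPLE_LOG), sep="\n")
```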
#5

Hi, thanks for your helpful insight. I've been port scanned more today, and they seem to be going for ports 1025, 1027, 1028, 1029 and 135.

What tool do you use for your WHOIS lookups? I use www.dnsstuff.com, which obviously isn't 100% complete!

BTW, why would anyone want to do a UDP port scan if it is connectionless? Obviously the point of a port scan is to find open & vulnerable port numbers to establish an illicit connection...

Thanks.

P.S. Useful definition of UDP: (Didn't know before you pointed it out!)
http://www.ingate.com/files/422/fwma...n/xa11944.html

UDP protocol
UDP does not make a connection. It examines data that comes from outside for accuracy, by checksums. This is like examining a postcard to ensure that it has not been torn up. UDP does not keep track of whether or not all data gets through or if it is in the right order; this is the job of the application. So the data does not have an ACK confirmation. Peter and Christy, sending postcards, have to keep track of their own postcards and Peter has to tell Christy the order in which they should be read. UDP keeps track of the contacts using port numbers, just like TCP.

Moe Trin wrote:
> On 21 Nov 2005 16:09:06, in the Usenet newsgroup alt.computer.security, in article
> < .com>, someone wrote:
>
> >Hi guys. I've been port scanned by these unusual IPs...any comments?
>
> Can you say 'Bogus'?
>
> >All of them are UDP scans in the past 6 hours:
>
> What exactly is a UDP scan? UDP is a connectionless protocol, and if it's
> something like a single packet from some random IP (especially to ports
> 1025-1035), it's almost certainly faked addresses.
>
> >18.78.12.98
> >Unknown
>
> mit.edu
>
> >32.151.80.166
> >Unknown
>
> IBM Global
>
> >17.208.21.26
> >Unknown
>
> Apple Computer
>
> >92.209.66.146
> >Internet Assigned Numbers Authority
>
> This one proves the fake. 92.0.0.0 to 123.255.255.255 have not been issued.
>
> >77.11.7.6
> >Internet Assigned Numbers Authority
>
> Also not issued. See http://www.iana.org/assignments/ipv4-address-space
>
> >10.68.120.240
> >Internet Assigned Numbers Authority
>
> See RFC1918. If these are really coming in over your Internet connection,
> scream at your ISP about ingress filtering - see RFC2827 and RFC3804.
>
> You may want to look at the port numbers this crap is being sent to. If
> the destination ports are 1025 to (say) 1035, and the packet size is 300
> to 900 bytes, this is just microsoft messenger spams. Block those ports
> inbound (silent discard) and ignore.
>
> Old guy

someone

#6

someone wrote:
>
> Hi, thanks for your helpful insight. I've been port scanned more today,
> and they seem to be going for ports 1025, 1027, 1028, 1029 and 135.
>
> What tool do you use for your WHOIS lookups? I use www.dnsstuff.com,
> which obviously isn't 100% complete!
>
> <snip>

Have a look at: http://www.karenware.com/powertools/ptwhois.asp

Notan

Notan

#7

On 22 Nov 2005 17:07:42 -0800, someone wrote:
> Hi, thanks for your helpful insight. I've been port scanned more today,
> and they seem to be going for ports 1025, 1027, 1028, 1029 and 135.
>
> BTW, why would anyone want to do a UDP port scan if it is
> connectionless? Obviously the point of a port scan is to find open &
> vulnerable port numbers to establish an illicit connection...

In no order of importance:

http://www.dshield.org//port_report.php?port=
http://isc.sans.org/port_details.php?port=
http://lists.thedatalist.com/portlist/lookup.php?port=

Bit Twister

#8

"someone" <> wrote in message news: oups.com...
> You mean those IPs are spoofed? Or that the zombie computers are in
> those organisations?
>
#############################
It could be either but the second possibility would be more likely IMO.
donnie.

Donnie

#9

>
> What tool do you use for your WHOIS lookups? I use www.dnsstuff.com,
> which obviously isn't 100% complete!
>
###############################
I use the whois command on my unix box.

    whois -h whois.networksolutions.com target.com

networksolutions could be any one of a number of registrars around the world.

ripe.net - europe
apnic - asia pacific
arin.net - for IPs instead of domain names.

There are others.
donnie.

Donnie

#10

On 22 Nov 2005, in the Usenet newsgroup alt.computer.security, in article < .com>, someone wrote:

>Hi, thanks for your helpful insight. I've been port scanned more today,
>and they seem to be going for ports 1025, 1027, 1028, 1029 and 135.

135 is a different service - they're looking to gain clues. The ports 1025 to 1029 (in your case, though I've seen slightly higher) are just messenger spam. They aren't attacking you. They are looking for fools who have windoze messenger service open, so they can deliver advertising. Block it and ignore.

>What tool do you use for your WHOIS lookups? I use www.dnsstuff.com,
>which obviously isn't 100% complete!

    [compton ~]$ which whois
    /usr/bin/whois
    [compton ~]$

That might be a hint that I'm not using windoze. That's actually the whois3 tool from RIPE. I don't know if they have a version for windoze.

>BTW, why would anyone want to do a UDP port scan if it is
>connectionless? Obviously the point of a port scan is to find open &
>vulnerable port numbers to establish an illicit connection...

It's not a scan. Depending on what else you have running on your system, and what starts first, messenger is listening on one of those ports. In normal use, a peer would query your system to find out which port your system is listening on - but spammers just send the garbage blindly and hope that one of those ports is open. If it is, the spam is delivered. If it's not open - it didn't cost the spammer anything, it's no big deal. It's like the spammers are flying overhead in a big plane, and dumping millions of sheets of paper - if one lands on you, they have a possible success (you still have to read it, and buy whatever crap they are trying to sell). If the paper misses you - no problem, because they don't have to pay for it and they can get tons more. Look out, here comes another plane!

When microsoft invented this Interweb thingy for windoze95, they copied some of the tools we've had for ten or more years earlier. Because they didn't understand all of the background (and because the users are untrained), they eliminated the security features that had existed. In the case of this 'messenger service' they took the old UNIX 'talk' service and enabled it by default (it's almost never used in UNIX) and changed it to UDP (with a TCP connection, if the peer does not agree to a connection, one does not exist - no messenger spam), so that it's easy to use (and abuse - but that's your problem, not microsoft's).

>UDP keeps track of the contacts using port numbers, just like TCP.

UDP is _usually_ used for 'one-shot' connections. A primary example is DNS. Your system sends a single packet to a DNS server asking (for example) "what is the IP Address of www.foo.example.com?". The server replies with a single packet - and from the network standpoint, there is no connection, just two one-way packets. Your client (and the server) know it's question/answer but no one else cares. If your client doesn't receive an answer in a reasonable time (seconds), it merely sends a new question. DNS conversations are very simple, and can be abbreviated down to a few bytes, so it makes no sense to go through all of the work of setting up a TCP connection which would take a total of seven packets, when UDP can do it in two.

Old guy

Moe Trin
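The two-packet DNS exchange described above, as an added example (not from the post): building the single UDP query for www.foo.example.com and decoding the single reply, which also shows that with no connection the transaction ID is all the client has to match an answer to its question. The reply bytes and the 192.0.2.44 address are constructed assumptions.

```python
import struct

def encode_name(name):
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_query(name, txid):
    """The single UDP payload that asks for the A record of `name` (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def decode_name(data, offset):
    """Decode a name at `offset`, following a compression pointer if present."""
    labels = []
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:  # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(data, ptr)[0])
            return ".".join(labels), offset + 2
        if length == 0:
            return ".".join(labels), offset + 1
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def parse_response(data, expected_txid):
    """First A record as (name, dotted IP); None unless the reply matches our query."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    # No connection exists: the ID (plus the UDP port the socket layer checks) is the only link to our question.
    if txid != expected_txid or not flags & 0x8000 or an == 0:
        return None
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(data, offset)
        offset += 4
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return name, ".".join(str(b) for b in data[offset:offset + 4])
        offset += rdlen
    return None

def sample_response(txid):
    """Constructed reply (assumption): 192.0.2.44 for the post's example name."""
    q = build_query("www.foo.example.com", txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 44])
    return header + q[12:] + answer
```

On a live resolver the query would be sent with one `socket.sendto` and the reply collected with one `recvfrom`; a reply whose ID does not match is simply discarded, which is why a client that hears nothing just sends the question again.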