Velocity Reviews - Computer Hardware Reviews

Port scanned by these strange IPs...

 
 
someone
11-22-2005
Hi guys. I've been port scanned by these unusual IPs...any comments? My
experiences with port scans are that they're usually from private IPs
of commercial ISPs (i.e. someone's zombie-fied/trojan-ed computer).

All of them are UDP scans in the past 6 hours:

18.78.12.98
Unknown

47.229.139.51
Bell-Northern Research

32.151.80.166
Unknown

17.208.21.26
Unknown

92.209.66.146
Internet Assigned Numbers Authority

77.11.7.6
Internet Assigned Numbers Authority

222.38.148.30
CHINA RAILWAY TELECOMMUNICATIONS CENTER

25.138.179.125
DINSA, Ministry of Defence

10.68.120.240
Internet Assigned Numbers Authority

85.196.38.105
GNET - GLOBAL NETWORKS

70.253.234.93
SBC Internet Services SBCIS-SIS80

 
Donnie
11-22-2005

"someone" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Hi guys. I've been port scanned by these unusual IPs...any comments? My
> experiences with port scans are that they're usually from private IPs
> of commercial ISPs (i.e. someone's zombie-fied/tronjan-ed computer).

###################################
Chances are, it's the same thing again.
donnie.


 
someone
11-22-2005
You mean those IPs are spoofed? Or that the zombie computers are in
those organisations?

 
Moe Trin
11-22-2005
On 21 Nov 2005 16:09:06, in the Usenet newsgroup alt.computer.security, in article
<(E-Mail Removed) .com>, someone wrote:

>Hi guys. I've been port scanned by these unusual IPs...any comments?


Can you say 'Bogus'?

>All of them are UDP scans in the past 6 hours:


What exactly is a UDP scan? UDP is a connectionless protocol, and if it's
something like a single packet from some random IP (especially to ports
1025-1035), it's almost certainly faked addresses.

>18.78.12.98
>Unknown


mit.edu

>32.151.80.166
>Unknown


IBM Global

>17.208.21.26
>Unknown


Apple Computer

>92.209.66.146
>Internet Assigned Numbers Authority


This one proves the fake. 92.0.0.0 to 123.255.255.255 have not been issued.

>77.11.7.6
>Internet Assigned Numbers Authority


Also not issued. See http://www.iana.org/assignments/ipv4-address-space

>10.68.120.240
>Internet Assigned Numbers Authority


See RFC1918. If these are really coming in over your Internet connection,
scream at your ISP about ingress filtering - see RFC2827 and RFC3804.

You may want to look at the port numbers this crap is being sent to. If
the destination ports are 1025 to (say) 1035, and the packet size is 300
to 900 bytes, this is just microsoft messenger spams. Block those ports
inbound (silent discard) and ignore.

Old guy
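As an added illustration (not code from the thread or from any of its posters), here is a small Python classifier that applies the heuristics in the post above to constructed firewall log lines: an RFC 1918 source is impossible from the Internet, a source in a block IANA had not issued is forged, and inbound UDP to 1025-1035 with a 300-900 byte payload is Messenger spam to be silently dropped. The log format is hypothetical, and the "unissued" list is a snapshot of what the post describes for November 2005 (those blocks have long since been allocated).

```python
import ipaddress
import re

# RFC 1918 private space: a packet with one of these as source should never
# arrive over an Internet link (RFC 2827 ingress filtering at the ISP).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed snapshot of the blocks the post calls "not issued" as of Nov 2005
# (77/8 and 92/8 through 123/8). All have been allocated since; for current
# use, load the live IANA ipv4-address-space registry instead.
UNISSUED_NOV_2005 = [ipaddress.ip_network("77.0.0.0/8")] + [
    ipaddress.ip_network(f"{first}.0.0.0/8") for first in range(92, 124)
]

# Hypothetical firewall log format, constructed for this example.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=[\d.]+ proto=(?P<proto>\w+) dport=(?P<dport>\d+) len=(?P<len>\d+)"
)


def classify(line):
    """Return a verdict for one log line, following the post's reasoning."""
    m = LOG_RE.search(line)
    if m is None:
        return "unparsed"
    src = ipaddress.ip_address(m["src"])
    if any(src in net for net in PRIVATE):
        return "rfc1918-source: impossible from the Internet, complain to ISP"
    if any(src in net for net in UNISSUED_NOV_2005):
        return "bogon-source: address not issued, source is forged"
    dport, size = int(m["dport"]), int(m["len"])
    if m["proto"] == "UDP" and 1025 <= dport <= 1035 and 300 <= size <= 900:
        return "messenger-spam: silently drop inbound UDP 1025-1035"
    return "review: nothing in the post's heuristics matches"


def classify_all(lines):
    """Map each source address to its verdict."""
    return {LOG_RE.search(l)["src"]: classify(l) for l in lines if LOG_RE.search(l)}


# Constructed sample lines using addresses from the thread; 192.0.2.10 is the
# TEST-NET destination standing in for the poster's own machine.
SAMPLE_LOG = """\
src=92.209.66.146 dst=192.0.2.10 proto=UDP dport=1026 len=620
src=10.68.120.240 dst=192.0.2.10 proto=UDP dport=1027 len=580
src=70.253.234.93 dst=192.0.2.10 proto=UDP dport=1028 len=700
src=222.38.148.30 dst=192.0.2.10 proto=UDP dport=135 len=60
""".splitlines()
```

Running `classify_all(SAMPLE_LOG)` flags the 92.x and 10.x sources as forged or leaked before the port heuristic is even consulted, and leaves the UDP/135 probe for manual review, which matches the post's advice to treat 135 as a different service.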
 
someone
11-23-2005
Hi, thanks for your helpful insight. I've been port scanned more today,
and they seem to be going for ports 1025, 1027, 1028, 1029 and 135.

What tool do you use for your WHOIS lookups? I use www.dnsstuff.com,
which obviously isn't 100% complete!

BTW, why would anyone want to do a UDP port scan if it is
connectionless? Obviously the point of a port scan is to find open &
vulnerable port numbers to establish an illicit connection...

Thanks.

P.S. Useful definition of UDP: (Didn't know before you pointed it out!)
http://www.ingate.com/files/422/fwma...n/xa11944.html
UDP protocol

UDP does not make a connection. It examines data that comes from
outside for accuracy, by checksums. This is like examining a postcard
to ensure that it has not been torn up. UDP does not keep track of
whether or not all data gets through or if it is in the right order;
this is the job of the application. So the data does not have an ACK
confirmation. Peter and Christy, sending postcards, have to keep track
of their own postcards and Peter has to tell Christy the order in which
they should be read. UDP keeps track of the contacts using port
numbers, just like TCP.




 
Notan
11-23-2005
someone wrote:
>
> Hi, thanks for your helpful insight. I've been port scanned more today,
> and they seem to be going for ports 1025, 1027, 1028, 1029 and 135.
>
> What tool do you use for your WHOIS lookups? I use www.dnsstuff.com,
> which obviously isn't 100% complete!
>
> <snip>


Have a look at:

http://www.karenware.com/powertools/ptwhois.asp

Notan
 
Bit Twister
11-23-2005
On 22 Nov 2005 17:07:42 -0800, someone wrote:
> Hi, thanks for your helpful insight. I've been port scanned more today,
> and they seem to be going for ports 1025, 1027, 1028, 1029 and 135.
>
> BTW, why would anyone want to do a UDP port scan if it is
> connectionless? Obviously the point of a port scan is to find open &
> vulnerable port numbers to establish an illicit connection...



In no order of importance:
http://www.dshield.org//port_report.php?port=
http://isc.sans.org/port_details.php?port=
http://lists.thedatalist.com/portlist/lookup.php?port=
 
Donnie
11-23-2005

"someone" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> You mean those IPs are spoofed? Or that the zombie computers are in
> those organisations?
>

#############################
It could be either but the second possibility would be more likely IMO.
donnie.


 
Donnie
11-23-2005

>
> What tool do you use for your WHOIS lookups? I use www.dnsstuff.com,
> which obviously isn't 100% complete!
>

###############################
I use the whois command on my unix box.
whois -h whois.networksolutions.com target.com

networksolutions could be any one of a number of registrars around the
world.
ripe.net europe
apnic asia pacific
arin.net for IPs instead of domain names.
There are others.
donnie.


 
Moe Trin
11-23-2005
On 22 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
<(E-Mail Removed) .com>, someone wrote:

>Hi, thanks for your helpful insight. I've been port scanned more today,
>and they seem to be going for ports 1025, 1027, 1028, 1029 and 135.


135 is a different service - they're looking to gain clues. The ports
1025 to 1029 (in your case, though I've seen slightly higher) is just
messenger spam. They aren't attacking you. They are looking for fools who
have windoze messenger service open, so they can deliver advertising.
Block it and ignore.

>What tool do you use for your WHOIS lookups? I use www.dnsstuff.com,
>which obviously isn't 100% complete!


[compton ~]$ which whois
/usr/bin/whois
[compton ~]$

That might be a hint that I'm not using windoze. That's actually the
whois3 tool from RIPE. I don't know if they have a version for windoze.

>BTW, why would anyone want to do a UDP port scan if it is
>connectionless? Obviously the point of a port scan is to find open &
>vulnerable port numbers to establish an illicit connection...


It's not a scan. Depending on what else you have running on your system,
and what starts first, messenger is listening on one of those ports. In
normal use, a peer would query your system to find out which port your
system is listening on - but spammers just send the garbage blindly and
hope that one of those ports is open. If it is, the spam is delivered. If
it's not open - it didn't cost the spammer anything, it's no big deal.
It's like the spammers are flying overhead in a big plane, and dumping
millions of sheets of paper - if one lands on you, they have a possible
success (you still have to read it, and buy whatever crap they are
trying to sell). If the paper misses you - no problem, because they don't
have to pay for it and they can get tons more. Look out, here comes
another plane!

When microsoft invented this Interweb thingy for windoze95, they copied
some of the tools we've had for ten or more years earlier. Because they
didn't understand all of the background (and because the users are
untrained), they eliminated the security features that had existed. In
the case of this 'messenger service' they took the old UNIX 'talk' service
and enabled it by default (it's almost never used in UNIX) and changed it
to UDP (with a TCP connection, if the peer does not agree to a connection,
one does not exist - no messenger spam), so that it's easy to use (and
abuse - but that's your problem, not microsoft's).

>UDP keeps track of the contacts using port numbers, just like TCP.


UDP is _usually_ used for 'one-shot' connections. A primary example
is DNS. Your system sends a single packet to a DNS server asking (for
example) "what is the IP Address of www.foo.example.com?". The server
replies with a single packet - and from the network standpoint, there
is no connection, just two one-way packets. Your client (and the server)
know it's question/answer but no one else cares. If your client doesn't
receive an answer in a reasonable time (seconds), it merely sends a new
question. DNS conversations are very simple, and can be abbreviated down
to a few bytes, so it makes no sense to go through all of the work of
setting up a TCP connection which would take a total of seven packets,
when UDP can do it in two.

Old guy
 