Port Scan Help

 
 
*****General
      11-28-2005
I am using Sygate Personal Firewall and for the last 3 days someone has been
scanning my computer's UDP ports from the IP address: 61.156.238.238.

I have run a BackTrace and subsequent WhoIs query and the information
returned is shown below: (It is all double dutch to me).

I would like to know what my options are to prevent this individual from
continuously scanning my UDP ports (whatever they are). Any help would be
appreciated.

inetnum: 0.0.0.0 - 255.255.255.255
netname: IANA-BLK
descr: The whole IPv4 address space
country: EU # Country is really world wide
org: ORG-IANA1-RIPE
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
remarks: The country is really worldwide.
remarks: This address space is assigned at various other places in
remarks: the world and might therefore not be in the RIPE database.
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
mnt-routes: RIPE-NCC-RPSL-MNT
source: RIPE # Filtered

organisation: ORG-IANA1-RIPE
org-name: Internet Assigned Numbers Authority
org-type: IANA
address: see http://www.iana.org
remarks: The IANA allocates IP addresses and AS number blocks to RIRs
remarks: see http://www.iana.org/ipaddress/ip-addresses.htm
remarks: and http://www.iana.org/assignments/as-numbers
e-mail:
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

role: Internet Assigned Numbers Authority
address: see http://www.iana.org.
e-mail:
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
source: RIPE # Filtered


 
Trax
      11-28-2005
"*****General" <*****> wrote:

|>I am using Sygate Personal Firewall and for the last 3 days someone has been
|>scanning my computer's UDP ports from the IP address: 61.156.238.238.
|>
|>I have run a BackTrace and subsequent WhoIs query and the information
|>returned is shown below: (It is all double dutch to me).
|>
|>I would like to know what my options are to prevent this individual from
|>continuously scanning my UDP ports (whatever they are). Any help would be
|>appreciated.

Got an ignore setting for that firewall option? Set and forget.

Use this site to trace IP numbers http://www.dnsstuff.com/
Shows it's from
Location: China [City: Shandong, Shandong]

--
Take a game break...
http://games.briankass.com/
 
Mike Easter
      11-28-2005
*****General wrote:
> I am using Sygate Personal Firewall and for the last 3 days someone
> has been scanning my computer's UDP ports from the IP address:
> 61.156.238.238.


Then you should defend yourself.

> I would like to know what my options are to prevent this individual
> from continuously scanning my UDP ports (whatever they are). Any help
> would be appreciated.


The provider is an unresponsive CNCGROUP Shandong .cn provider listed in
various places like spews & spamhaus for being unresponsive to spam
reports and such.

inetnum: 61.156.0.0 - 61.156.255.255
descr: CNCGROUP Shandong province network


There are about 400,000 reports about that IP at DShield which is an
aggregator of log reports.

If you want to do something useful with your logs besides puzzle over
them and learn from them, you can feed them to the system at dshield or
mynetwatchman.


--
Mike Easter

 
Mike Easter
      11-28-2005
*****General wrote:

> I have run a BackTrace and subsequent WhoIs query and the information
> returned is shown below: (It is all double dutch to me).


tracert and traceroute are very often relatively weak for certain tasks.

The whois needs to be pointed at the particular RIR regional internet
registrar in question. In this case the rir is apnic. Your query was
directed at ripe, which is why you didn't get good information. The
RIRs are arin, ripe, apnic, afrinic, and lacnic, which mostly/generally
correspond to N Amer, Eur, AsiaPacific, Africa, and Latin Amer, resp.

You pasted in the result for this
whois -h whois.ripe.net 61.156.238.238 ...

You should've looked for the result of this
whois -h whois.apnic.net 61.156.238.238 ...

--
Mike Easter
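
[Added example, not part of the post above or of the thread.] The check below tells a useless catch-all reply (the RIPE "whole IPv4 address space" record pasted in the first post) from a real allocation, and reads the registry name from an IANA referral. It assumes RPSL-style replies with an `inetnum:` range line; the function names are hypothetical and the sample replies are constructed from lines quoted in this thread.

```python
import ipaddress
import socket

# Constructed samples: the first two are trimmed from replies quoted in this thread;
# the third follows the layout of a whois.iana.org referral answer (assumption).
RIPE_REPLY = "inetnum: 0.0.0.0 - 255.255.255.255\nnetname: IANA-BLK\nsource: RIPE # Filtered\n"
APNIC_REPLY = "inetnum: 61.156.0.0 - 61.156.255.255\ndescr: CNCGROUP Shandong province network\n"
IANA_REPLY = "refer:        whois.apnic.net\ninetnum:      61.0.0.0 - 61.255.255.255\n"

def field(reply, name):
    """Value of the first 'name:' line in a WHOIS reply, or None."""
    for line in reply.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == name:
            return value.strip()
    return None

def inetnum_range(reply):
    """(first, last) address of the reply's inetnum record, or None."""
    value = field(reply, "inetnum")
    if not value or "-" not in value:
        return None
    lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
    return lo, hi

def is_authoritative(reply, ip):
    """True only if the reply holds a real allocation that contains ip.
    A registry that does not manage the address answers with the catch-all
    0.0.0.0 - 255.255.255.255 record, which says nothing about the owner."""
    rng = inetnum_range(reply)
    if rng is None:
        return False
    lo, hi = rng
    catch_all = int(lo) == 0 and int(hi) == 2**32 - 1
    return not catch_all and lo <= ipaddress.ip_address(ip) <= hi

def query(server, ip, timeout=10):
    """Plain WHOIS over TCP port 43 (RFC 3912). Needs network access."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(ip.encode() + b"\r\n")
        return b"".join(iter(lambda: s.recv(4096), b"")).decode("utf-8", "replace")

def lookup(ip):
    """Ask IANA which registry to use, then query that registry."""
    server = field(query("whois.iana.org", ip), "refer")
    return query(server, ip) if server else None
```

Only `lookup()` and `query()` touch the network; the parsing functions run offline on the embedded samples.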

 
Plato
      11-28-2005
*****General wrote:
>
> I am using Sygate Personal Firewall and for the last 3 days someone has been
> scanning my computer's UDP ports from the IP address: 61.156.238.238.


Turn off the alerts and let your firewall do its job.




--
http://www.bootdisk.com/

 
fredsoftway@gmail.com
      12-04-2005

Hello

I am Fred from Paris in France
I would like to know who is this "61.156.238.238"
Thanks

 
Mike Easter
      12-04-2005
wrote:

> I am Fred from Paris in France


And you are also GG googlegroup replying to a thread which is about a
week old. Some of the people who actually use newsreaders instead of
web based archives may have already had the reference posts spool off
their provider's newsservers.

> I would like to know who is this "61.156.238.238"


The 'who' in terms of meatspace identity is not available. We only know
about the provider for the IP address and the 'records' of the IP
address's activity amassed by those who report firewall logs to DShield
[and also MyNetWatchman] which aggregates them. DShield has amassed
about 400,000 reports, so there are very very many people who have had
this IP appear in their logs.

This is not the only thread asking questions about it. There is another
thread in an .it ng it.comp.sicurezza.windows also discussing. There
are also about 5000 reports in MNW, so you can get a 'picture' of the
type of activity coming from the IP at its report ID 175981779 or see it
at this link http://www.mynetwatchman.com/LID.asp?IID=175981779 It
shows a 'wealth' of apparent malware agents generating reports.

If you could get your hands on the logs for the provider for the IP then
you could determine the meatspace person or account 'attached' to the IP
address.

The provider for the IP's netblock is
CNCGROUP Shandong province network

The contact person for the netblock is
XIAOFENG ZHANG
Jinan, Shandong P.R China
+86-531-6666666 (doubtful)


The CNC group main address is in Beijing
No.156, Fu-Xing-Men-Nei Street,
Beijing, 100031, P.R.China
+86-10-82993155 (probably true)

The cnc group is extremely unresponsive to problems with spam, viral
propagations or associated portscans.

In comparison, if we wanted to know who was the meatspace persona of
your IP address for the time frame of your posting here, we would
contact the ProXad provider and if we had sufficient justification, the
provider would 'relinquish' the records on your account.

Free SAS / ProXad
8, rue de la Ville L'Eveque
75008 Paris
+33 1 73 50 20 00


--
Mike Easter

 
detap
      12-04-2005
ping it and find out
<> wrote in message
news: oups.com...
>
> Hello
>
> I am Fred from Paris in France
> I would like to know who is this "61.156.238.238"
> Thanks
>
>



 