Port scan attempts

Discussion in 'Computer Security' started by Ravi, Dec 22, 2003.

  1. Ravi

    Ravi Guest

    "Date: 22/12/2003 Time: 22:52:16 (GMT +5:30)
    Port scan detected from address 206.204.10.200.
    Blocked further access for 30 minutes after detecting at
    least 6 ports being probed."

    Is there a way I can report abuse for this?

    It appears that I must report abuse to:


    but that address is invalid - I believe.

    So what can I do?
    --
    main(){char s[37]="CSbwjAjocpy/mw!PS!sbwjAeftqbnnfe/dpn";
    int i;for(i=0;i<36;putchar(s[i++]-1));return 0;}
     
    Ravi, Dec 22, 2003
    #1

  2. Ravi

    Bit Twister Guest

    On Tue, 23 Dec 2003 00:09:02 +0530, Ravi wrote:
    > "Date: 22/12/2003 Time: 22:52:16 (GMT +5:30)
    > Port scan detected from address 206.204.10.200.
    > Blocked further access for 30 minutes after detecting at
    > least 6 ports being probed."
    >
    > Is there a way I can report abuse for this?
    >
    > It appears that I must report abuse to:
    >
    >
    > but that address is invalid - I believe.
    >
    > So what can I do?


    Let's see,
    host 206.204.10.200
    200.10.204.206.in-addr.arpa domain name pointer security.symantec.com.

    Hmm, belongs to symantec.com

    I bet there may be a Contact Us in their web page http://symantec.com/
     
    Bit Twister, Dec 22, 2003
    #2

  3. In article <>,
    says...
    > "Date: 22/12/2003 Time: 22:52:16 (GMT +5:30)
    > Port scan detected from address 206.204.10.200.
    > Blocked further access for 30 minutes after detecting at
    > least 6 ports being probed."
    >
    > Is there a way I can report abuse for this?
    >
    > It appears that I must report abuse to:
    >
    >
    > but that address is invalid - I believe.
    >
    > So what can I do?
    >



    abuse?

    it's not illegal to port scan. get over it.

    # nslookup 206.204.10.200

    Name: security.symantec.com
    Address: 206.204.10.200



    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Dec 22, 2003
    #3
  4. Ravi

    Mimic Guest

    "Colonel Flagg" <> wrote in
    message news:...
    > In article <>,
    > says...
    > > "Date: 22/12/2003 Time: 22:52:16 (GMT +5:30)
    > > Port scan detected from address 206.204.10.200.
    > > Blocked further access for 30 minutes after detecting at
    > > least 6 ports being probed."
    > >
    > > Is there a way I can report abuse for this?
    > >
    > > It appears that I must report abuse to:
    > >
    > >
    > > but that address is invalid - I believe.
    > >
    > > So what can I do?
    > >

    >
    >
    > abuse?
    >
    > it's not illegal to port scan. get over it.
    >
    > # nslookup 206.204.10.200
    >
    > Name: security.symantec.com
    > Address: 206.204.10.200
    >
    >
    >
    > --
    > Colonel Flagg
    > http://www.internetwarzone.org/
    >


    heh i got busted once for portscanning :(

    --
    Mimic

    "Without Knowledge you have fear, With fear you create your own nightmares."
    "There are 10 types of people in this world. Those that understand Binary,
    and those that don't."
    "C makes it easy to shoot yourself in the foot. C++ makes it harder, but
    when you do, it blows away your whole leg"
     
    Mimic, Dec 22, 2003
    #4
  5. "Colonel Flagg" <> wrote in
    message news:...
    > In article <>,
    > says...
    > > "Date: 22/12/2003 Time: 22:52:16 (GMT +5:30)
    > > Port scan detected from address 206.204.10.200.
    > > Blocked further access for 30 minutes after detecting at
    > > least 6 ports being probed."
    > >
    > > Is there a way I can report abuse for this?
    > >
    > > It appears that I must report abuse to:
    > >
    > >
    > > but that address is invalid - I believe.
    > >
    > > So what can I do?

    >
    > abuse?
    >
    > it's not illegal to port scan. get over it.
    >
    > # nslookup 206.204.10.200
    >
    > Name: security.symantec.com
    > Address: 206.204.10.200


    Ahem. Depends on where you're scanning from.

    IIRC, you can get prosecuted for using too-strong encryption in France, or
    for saving POP IP addresses in Germany.. in the UK it *will* get your
    account pulled (assuming that the AUP team have been injected with that
    yellow stuff that they used in /Reanimator/)

    To the OP: read comments, think about said comments, learn.. it's a good
    order to do things ;o)

    H1K
     
    Hairy One Kenobi, Dec 23, 2003
    #5
  6. Ravi

    Bit Twister Guest

    Bit Twister, Dec 23, 2003
    #6
  7. Ravi

    James H. Fox Guest

    Ravi wrote:
    > "Date: 22/12/2003 Time: 22:52:16 (GMT +5:30)
    > Port scan detected from address 206.204.10.200.
    > Blocked further access for 30 minutes after detecting at
    > least 6 ports being probed."
    >
    > Is there a way I can report abuse for this?
    >

    You can try the myNetWatchman service (http://www.mynetwatchman.com) to
    automatically report scans. They consolidate reports from a number of users
    and screen them so that only the significant ones are actually reported. I
    use it with logging from a hardware firewall and a cable modem, but it will
    also work with logs from various software firewalls. I don't know if it is
    practical with a dial-up modem.
     
    James H. Fox, Dec 23, 2003
    #7
  8. Colonel Flagg wrote:

    >>Port scan detected from address 206.204.10.200.
    >>Blocked further access for 30 minutes after detecting at
    >>least 6 ports being probed."
    >>
    >>Is there a way I can report abuse for this?


    >>So what can I do?


    > abuse?
    >
    > it's not illegal to port scan. get over it.


    Welcome to the Internet. I get scanned a number of times a day, and scan
    anyone connecting to my machine in a suspicious manner. I've got a
    database of all the scans using NLog, so big I had to install mySQL just
    to keep them straight. No one's ever said a word to me. And besides,
    there's always _passive_ scanning and icmp-based scanning ;)

    Most ISPs, when contacted, do nothing about real break-in attempts, let
    alone a measly portscan. And then there are legit uses too: IRCds
    routinely portscan 23, 80, 8080, 3168 looking for open proxies. If
    you're auto-blocking them, and the scan-site has the same IP as the host
    site, you will be blocking your users from using IRC at all (which you
    may or may not want to do). In short, unless it becomes a pattern from
    the same IP# over and over, let it slide.


    --

    =-=-=.:|DISTRIBUTION|PROGRAMMING|RESEARCH|PORTAL|:.-=-=
    [jayjwa] RLF#37 Raq glenaal: Nffnfvangr Ovyy Tngrf
    [Atr2 Labs] Jvaqbjf vf n qvfrnfr
    Finger for proj. "Putting encryption to good use."
    =Linux Tough.Powered By Slackware=-HTTPS|FTP|SILC|SSH-=
     
    @micro$oft.com, Dec 23, 2003
    #8
  9. Ravi

    Rowdy Yates Guest

    I was happily strolling along my merry little way in alt.computer.security,
    when I looked down and saw a little note from Ravi on Mon 22 Dec 2003
    01:51:02p who wrote:

    > "Date: 22/12/2003 Time: 22:52:16 (GMT +5:30)
    > Port scan detected from address 206.204.10.200.
    > Blocked further access for 30 minutes after detecting at
    > least 6 ports being probed."
    >
    > Is there a way I can report abuse for this?
    >
    > It appears that I must report abuse to:
    >
    >
    > but that address is invalid - I believe.
    >
    > So what can I do?


    A port scan does not constitute hostile activity. It could be anything. If you
    can prove that there is a pattern to the scan that indicates that they are
    trying to get in, then.....

    Most hack attempts are preempted by multiple reconnaissance activity that has a
    discernible pattern. A passive host based IDS can log that information for
    you.

    --
    Rowdy Yates
    MCSE, Security+
    (working on a CISSP and lovin' it!)
     
    Rowdy Yates, Dec 23, 2003
    #9
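
The rule in the quoted firewall alert (6 ports probed, 30-minute block), combined with the advice in posts #8 and #9 to act only on a repeated pattern and to watch what auto-blocking cuts off, can be sketched as follows. This is an added example, not code from any poster or firewall product; the 60-second window, the repeat limit of 3, the allowlist and the sample addresses (documentation ranges) are assumptions.

```python
from collections import defaultdict

PORT_THRESHOLD = 6        # "at least 6 ports being probed" (quoted alert)
BLOCK_SECONDS = 30 * 60   # "Blocked further access for 30 minutes"
WINDOW_SECONDS = 60       # assumption: the alert does not state a time window
REPEAT_LIMIT = 3          # assumption: scans from one source that count as a pattern


class ScanTracker:
    """Per-source state for a threshold-based port-scan detector."""

    def __init__(self, allowlist=()):
        self.allowlist = set(allowlist)      # sources whose scans were requested
        self.probes = defaultdict(list)      # source -> [(timestamp, port)]
        self.blocked_until = {}              # source -> time the block expires
        self.scan_count = defaultdict(int)   # source -> completed scan detections

    def observe(self, ts, src, port):
        """Record one probe; return allow, blocked, log, block or report."""
        if src in self.allowlist:
            return "allow"
        if self.blocked_until.get(src, 0) > ts:
            return "blocked"
        # Keep only probes inside the sliding window, then add this one.
        recent = [(t, p) for t, p in self.probes[src] if ts - t <= WINDOW_SECONDS]
        recent.append((ts, port))
        self.probes[src] = recent
        if len({p for _, p in recent}) < PORT_THRESHOLD:
            return "log"
        # Threshold reached: start a timed block and count the scan.
        self.probes[src] = []
        self.blocked_until[src] = ts + BLOCK_SECONDS
        self.scan_count[src] += 1
        # Escalate to a report only when the same source keeps coming back.
        return "report" if self.scan_count[src] >= REPEAT_LIMIT else "block"


def replay(events, allowlist=()):
    """Run (timestamp, source, port) events in time order; return actions per source."""
    tracker = ScanTracker(allowlist)
    actions = defaultdict(list)
    for ts, src, port in sorted(events):
        actions[src].append(tracker.observe(ts, src, port))
    return dict(actions)


def burst(start, src, ports):
    """Constructed helper: one probe per second against the given ports."""
    return [(start + i, src, port) for i, port in enumerate(ports)]


# Constructed sample traffic, not taken from any real log.
SCANNER = "198.51.100.7"     # returns three times
REQUESTED = "192.0.2.50"     # a scan the user asked for, as in this thread
IRC_CHECK = "203.0.113.9"    # proxy check on the four ports named in post #8
SWEEP = [21, 22, 23, 25, 80, 110]
SAMPLE_EVENTS = (
    burst(0, SCANNER, SWEEP) + [(10, SCANNER, 443)]
    + burst(100, REQUESTED, range(1, 9))
    + burst(200, IRC_CHECK, [23, 80, 8080, 3168])
    + burst(2000, SCANNER, SWEEP) + burst(4000, SCANNER, SWEEP)
)

if __name__ == "__main__":
    for src, acts in replay(SAMPLE_EVENTS, allowlist={REQUESTED}).items():
        print(src, acts)
```

With the allowlist removed, the requested scan is blocked like any other, which is the false positive this thread turned out to be about.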
  10. Ravi

    Ravi Guest

    On Mon, 22 Dec 2003 19:00:47 GMT, Bit Twister
    <> wrote:

    >On Tue, 23 Dec 2003 00:09:02 +0530, Ravi wrote:
    >> "Date: 22/12/2003 Time: 22:52:16 (GMT +5:30)
    >> Port scan detected from address 206.204.10.200.
    >> Blocked further access for 30 minutes after detecting at
    >> least 6 ports being probed."
    >>
    >> Is there a way I can report abuse for this?
    >>
    >> It appears that I must report abuse to:
    >>
    >>
    >> but that address is invalid - I believe.
    >>
    >> So what can I do?

    >
    >Let's see,
    >host 206.204.10.200
    >200.10.204.206.in-addr.arpa domain name pointer security.symantec.com.
    >
    >Hmm, belongs to symantec.com
    >
    >I bet there may be a Contact Us in their web page http://symantec.com/


    If that is correct then my mistake!
    I actually asked them to scan my ports using their security
    check site.

    But then is not the abuse address that I wrote correct?

    TIA.

    --
    main(){char s[37]="CSbwjAjocpy/mw!PS!sbwjAeftqbnnfe/dpn";
    int i;for(i=0;i<36;putchar(s[i++]-1));return 0;}
     
    Ravi, Dec 23, 2003
    #10
  11. In article <>,
    says...
    > On Mon, 22 Dec 2003 19:00:47 GMT, Bit Twister
    > <> wrote:
    >
    > >On Tue, 23 Dec 2003 00:09:02 +0530, Ravi wrote:
    > >> "Date: 22/12/2003 Time: 22:52:16 (GMT +5:30)
    > >> Port scan detected from address 206.204.10.200.
    > >> Blocked further access for 30 minutes after detecting at
    > >> least 6 ports being probed."
    > >>
    > >> Is there a way I can report abuse for this?
    > >>
    > >> It appears that I must report abuse to:
    > >>
    > >>
    > >> but that address is invalid - I believe.
    > >>
    > >> So what can I do?

    > >
    > >Let's see,
    > >host 206.204.10.200
    > >200.10.204.206.in-addr.arpa domain name pointer security.symantec.com.
    > >
    > >Hmm, belongs to symantec.com
    > >
    > >I bet there may be a Contact Us in their web page http://symantec.com/

    >
    > If that is correct then my mistake!
    > I actually asked them to scan my ports using their security
    > check site.
    >
    > But then is not the abuse address that I wrote correct?
    >
    > TIA.
    >
    >



    you're an idiot.

    go ahead folks, find some small way to state this guy isn't an idiot....
    I dare you.... he ASK symantec to scan him, then he REPORTS them for
    abuse....



    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Dec 23, 2003
    #11
  12. Ravi

    Ravi Guest


    On Tue, 23 Dec 2003 01:59:07 -0500, Colonel Flagg
    <> wrote:

    >In article <>,
    > says...
    >> On Mon, 22 Dec 2003 19:00:47 GMT, Bit Twister
    >> <> wrote:
    >>
    >> >On Tue, 23 Dec 2003 00:09:02 +0530, Ravi wrote:
    >> >> "Date: 22/12/2003 Time: 22:52:16 (GMT +5:30)
    >> >> Port scan detected from address 206.204.10.200.
    >> >> Blocked further access for 30 minutes after detecting at
    >> >> least 6 ports being probed."
    >> >>
    >> >> Is there a way I can report abuse for this?
    >> >>
    >> >> It appears that I must report abuse to:
    >> >>
    >> >>
    >> >> but that address is invalid - I believe.
    >> >>
    >> >> So what can I do?
    >> >
    >> >Let's see,
    >> >host 206.204.10.200
    >> >200.10.204.206.in-addr.arpa domain name pointer security.symantec.com.
    >> >
    >> >Hmm, belongs to symantec.com
    >> >
    >> >I bet there may be a Contact Us in their web page http://symantec.com/

    >>
    >> If that is correct then my mistake!
    >> I actually asked them to scan my ports using their security
    >> check site.
    >>
    >> But then is not the abuse address that I wrote correct?
    >>
    >> TIA.
    >>
    >>

    >
    >
    >you're an idiot.


    Hey everyone makes mistakes!
    I did not know it was symantec's ip!

    >go ahead folks, find some small way to state this guy isn't an idiot....
    >I dare you.... he ASK symantec to scan him, then he REPORTS them for
    >abuse....


    --
    main(){char s[37]="CSbwjAjocpy/mw!PS!sbwjAeftqbnnfe/dpn";
    int i;for(i=0;i<36;putchar(s[i++]-1));return 0;}


     
    Ravi, Dec 23, 2003
    #12
  13. Ravi

    Ravi Guest

    In article <>, "Colonel Flagg"
    <> wrote:

    > In article <>,
    > says...
    >> On Mon, 22 Dec 2003 19:00:47 GMT, Bit Twister
    >> <> wrote:
    >>
    >> >On Tue, 23 Dec 2003 00:09:02 +0530, Ravi wrote:
    >> >> "Date: 22/12/2003 Time: 22:52:16 (GMT +5:30) Port scan detected from
    >> >> address 206.204.10.200. Blocked further access for 30 minutes after
    >> >> detecting at least 6 ports being probed."
    >> >>
    >> >> Is there a way I can report abuse for this?
    >> >>
    >> >> It appears that I must report abuse to:
    >> >>
    >> >> but that address is invalid - I believe.
    >> >>
    >> >> So what can I do?
    >> >
    >> >Let's see,
    >> >host 206.204.10.200
    >> >200.10.204.206.in-addr.arpa domain name pointer security.symantec.com.
    >> >
    >> >Hmm, belongs to symantec.com
    >> >
    >> >I bet there may be a Contact Us in their web page http://symantec.com/

    >>
    >> If that is correct then my mistake!
    >> I actually asked them to scan my ports using their security check site.
    >>
    >> But then is not the abuse address that I wrote correct?
    >>
    >> TIA.
    >>
    >>
    >>

    >
    > you're an idiot.


    I have already posted a response. I have no idea why it has not appeared.
    Anyway, all I said was that everyone can make a mistake.

    I did not know the ip belonged to symantec.

    Now I am posting this from linux I just hope this appears!

    >
    > go ahead folks, find some small way to state this guy isn't an idiot....
    > I dare you.... he ASK symantec to scan him, then he REPORTS them for
    > abuse....
    >
    >
    >
     
    Ravi, Dec 23, 2003
    #13
  14. Ravi

    Bit Twister Guest

    On Tue, 23 Dec 2003 11:22:36 +0530, Ravi wrote:

    > It appears that I must report abuse to:
    >
    > But then is not the abuse address that I wrote correct?


    I do not remember the commands to check if the email account is valid.

    You report abuse to the ISP who owns the offending ip address.

    If it comes from a business, I contact them first, if it continues,
    then I contact their ISP.
     
    Bit Twister, Dec 23, 2003
    #14
  15. Ravi

    Ravi Guest

    On Tue, 23 Dec 2003 15:11:55 GMT, Bit Twister
    <> wrote:

    >On Tue, 23 Dec 2003 11:22:36 +0530, Ravi wrote:
    >
    >> It appears that I must report abuse to:
    >>
    >> But then is not the abuse address that I wrote correct?

    >
    >I do not remember the commands to check if the email account is valid.
    >
    >You report abuse to the ISP who owns the offending ip address.
    >
    >If it comes from a business, I contact them first, if it continues,
    >then I contact their ISP.


    I got this information:

    OrgName: ConXioN Corporation
    OrgID: CONX
    Address: 4201 Burton Drive
    City: Santa Clara
    StateProv: CA
    PostalCode: 95054
    Country: US

    NetRange: 206.204.0.0 - 206.204.255.255
    CIDR: 206.204.0.0/16
    NetName: CONXION
    NetHandle: NET-206-204-0-0-1
    Parent: NET-206-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.CONXION.NET
    NameServer: NS2.CONXION.NET
    NameServer: NS3.CONXION.NET
    NameServer: NS4.CONXION.NET
    Comment:
    RegDate: 1995-07-17
    Updated: 2002-12-19

    AbuseHandle: ABUSE150-ARIN
    AbuseName: Abuse
    AbusePhone: +1-408-566-8500
    AbuseEmail:

    TechHandle: CO-ORG-ARIN
    TechName: ConXioN
    TechPhone: +1-408-566-8500
    TechEmail:

    # ARIN WHOIS database, last updated 2003-12-01 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS
    database.

    OrgName: ConXioN Corporation
    OrgID: CONX
    Address: 4201 Burton Drive
    City: Santa Clara
    StateProv: CA
    PostalCode: 95054
    Country: US
    Comment:
    RegDate: 1995-04-19
    Updated: 2001-12-17

    # ARIN WHOIS database, last updated 2003-12-01 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS
    database.

    So I think the abuse address is right? And actually there is
    no mention of symantec.

    --
    main(){char s[37]="CSbwjAjocpy/mw!PS!sbwjAeftqbnnfe/dpn";
    int i;for(i=0;i<36;putchar(s[i++]-1));return 0;}
     
    Ravi, Dec 23, 2003
    #15
  16. Ravi

    Bit Twister Guest

    On Tue, 23 Dec 2003 22:41:15 +0530, Ravi wrote:
    >>> It appears that I must report abuse to:
    >>>
    >>> But then is not the abuse address that I wrote correct?

    >
    > AbuseHandle: ABUSE150-ARIN
    > AbuseName: Abuse
    > AbusePhone: +1-408-566-8500
    > AbuseEmail:
    >
    > So I think the abuse address is right?


    Well the abuse is a valid ip address alright.

    > And actually there is no mention of symantec.


    You are correct.
    symantec has the ip address.
    You asked who was the ISP provider for symantec's ip address.
     
    Bit Twister, Dec 23, 2003
    #16
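
The distinction drawn in posts #14 to #16 (the reverse-DNS name identifies who runs the host, the WHOIS record identifies who holds the network block) can be turned into a small triage routine. This is an added example, not code from any poster: it parses the `host` answer from post #2 and an abridged copy of the ARIN record from post #15, checks that both describe the same address, and falls back to the abuse phone number because `AbuseEmail` is empty in the record as it appears on this page. The function names and the two-label domain heuristic are assumptions.

```python
import ipaddress

# Abridged from the WHOIS output quoted in post #15 (AbuseEmail is empty there).
WHOIS_TEXT = """\
OrgName: ConXioN Corporation
NetRange: 206.204.0.0 - 206.204.255.255
CIDR: 206.204.0.0/16
NetName: CONXION
AbuseHandle: ABUSE150-ARIN
AbuseName: Abuse
AbusePhone: +1-408-566-8500
AbuseEmail:
TechPhone: +1-408-566-8500
TechEmail:
# ARIN WHOIS database, last updated 2003-12-01 19:15
"""
# The `host` answer quoted in post #2.
HOST_LINE = "200.10.204.206.in-addr.arpa domain name pointer security.symantec.com."
PTR_SUFFIX = ".in-addr.arpa"


def parse_whois(text):
    """Parse 'Key: value' lines into key -> list of values (keys may repeat)."""
    record = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def parse_ptr(host_line):
    """Return (ip, hostname) from one PTR answer line printed by `host`."""
    name, sep, target = host_line.partition(" domain name pointer ")
    if not sep or not name.endswith(PTR_SUFFIX):
        raise ValueError("not a PTR answer line")
    octets = name[: -len(PTR_SUFFIX)].split(".")
    return ipaddress.ip_address(".".join(reversed(octets))), target.rstrip(".")


def reporting_path(ip_text, host_line, whois_text):
    """Who to contact first (host operator) and second (network owner)."""
    ip = ipaddress.ip_address(ip_text)
    ptr_ip, hostname = parse_ptr(host_line)
    record = parse_whois(whois_text)
    if ptr_ip != ip or ip not in ipaddress.ip_network(record["CIDR"][0]):
        raise ValueError("lookups do not describe the same address")

    def first(key):  # first non-empty value for a key, or None
        return next((v for v in record.get(key, []) if v), None)

    # Prefer the abuse mailbox; fall back to phone numbers when it is blank.
    kind = next((k for k in ("AbuseEmail", "AbusePhone", "TechPhone") if first(k)), None)
    return {
        # Assumption: last two labels approximate the operator's domain
        # (wrong for suffixes such as co.uk). PTR data is set by whoever
        # controls the reverse zone, so treat it as a hint, not proof.
        "host_operator": ".".join(hostname.split(".")[-2:]),
        "network_owner": first("OrgName"),
        "contact_kind": kind,
        "network_contact": first(kind) if kind else None,
    }


if __name__ == "__main__":
    print(reporting_path("206.204.10.200", HOST_LINE, WHOIS_TEXT))
```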
  17. Ravi

    Ravi Guest

    On Tue, 23 Dec 2003 17:40:56 GMT, Bit Twister
    <> wrote:

    >On Tue, 23 Dec 2003 22:41:15 +0530, Ravi wrote:
    >>>> It appears that I must report abuse to:
    >>>>
    >>>> But then is not the abuse address that I wrote correct?

    >>
    >> AbuseHandle: ABUSE150-ARIN
    >> AbuseName: Abuse
    >> AbusePhone: +1-408-566-8500
    >> AbuseEmail:
    >>
    >> So I think the abuse address is right?

    >
    >Well the abuse is a valid ip address alright.


    This is an automatically generated Delivery Status
    Notification. Delivery to the following recipients failed
    due to a permanent error.

    <>:
    12.158.34.245 does not like recipient.
    Remote host said: 550 5.1.1 <>... User
    unknown Giving up on 12.158.34.245.


    >> And actually there is no mention of symantec.

    >
    >You are correct.
    >symantec has the ip address.
    >You asked who was the ISP provider for symantec's ip address.


    --
    main(){char s[37]="CSbwjAjocpy/mw!PS!sbwjAeftqbnnfe/dpn";
    int i;for(i=0;i<36;putchar(s[i++]-1));return 0;}
     
    Ravi, Dec 24, 2003
    #17
  18. Ravi

    Bit Twister Guest

    On Wed, 24 Dec 2003 07:46:25 +0530, Ravi wrote:
    >
    ><>:
    > 12.158.34.245 does not like recipient.
    > Remote host said: 550 5.1.1 <>... User
    > unknown Giving up on 12.158.34.245.


    You are correct, it is broke. Maybe conxion.net outsourced
    it offshore.

    Maybe you could go to http://www.conxion.net and see if there is a
    place to tell them about the email problem. Or try mailing them a
    letter.
     
    Bit Twister, Dec 24, 2003
    #18
  19. Ravi

    Ravi Guest

    On Wed, 24 Dec 2003 02:26:16 GMT, Bit Twister
    <> wrote:

    >On Wed, 24 Dec 2003 07:46:25 +0530, Ravi wrote:
    >>
    >><>:
    >> 12.158.34.245 does not like recipient.
    >> Remote host said: 550 5.1.1 <>... User
    >> unknown Giving up on 12.158.34.245.

    >
    >You are correct, it is broke. Maybe conxion.net outsourced
    >it offshore.


    Ok. You appear to be posting from:
    United States
    California
    Los Angeles

    Is that correct?

    Why have you not set your tz to
    -08:00
    ?


    >
    >Maybe you could go to http://www.conxion.net and see if there is a
    >place to tell them about the email problem. Or try mailing them a
    >letter.



    --
    main(){char s[37]="CSbwjAjocpy/mw!PS!sbwjAeftqbnnfe/dpn";
    int i;for(i=0;i<36;putchar(s[i++]-1));return 0;}
     
    Ravi, Dec 24, 2003
    #19
  20. Ravi

    Bit Twister Guest

    On Wed, 24 Dec 2003 10:21:32 +0530, Ravi wrote:
    >
    > Ok. You appear to be posting from:
    > United States
    > California
    > Los Angeles
    >
    > Is that correct?


    Ummm, I posted from 24.1.212.248. Dallas TX.

    > Why have you not set your tz to
    > -08:00


    My clock says
    date
    Tue Dec 23 23:01:09 CST 2003

    or if you like
    date --utc
    Wed Dec 24 05:01:39 UTC 2003

    Do you think the time you see is the time the newsserver has???
     
    Bit Twister, Dec 24, 2003
    #20