Port Scan Help

Discussion in 'Computer Support' started by *****General, Nov 28, 2005.

  1. *****General

    *****General Guest

    I am using Sygate Personal Firewall and for the last 3 days someone has been
    scanning my computer's UDP ports from the IP address: 61.156.238.238.

    I have run a BackTrace and subsequent WhoIs query and the information
    returned is shown below: (It is all double dutch to me).

    I would like to know what my options are to prevent this individual from
    continuously scanning my UDP ports (whatever they are). Any help would be
    appreciated.

    inetnum: 0.0.0.0 - 255.255.255.255
    netname: IANA-BLK
    descr: The whole IPv4 address space
    country: EU # Country is really world wide
    org: ORG-IANA1-RIPE
    admin-c: IANA1-RIPE
    tech-c: IANA1-RIPE
    status: ALLOCATED UNSPECIFIED
    remarks: The country is really worldwide.
    remarks: This address space is assigned at various other places in
    remarks: the world and might therefore not be in the RIPE database.
    mnt-by: RIPE-NCC-HM-MNT
    mnt-lower: RIPE-NCC-HM-MNT
    mnt-routes: RIPE-NCC-RPSL-MNT
    source: RIPE # Filtered

    organisation: ORG-IANA1-RIPE
    org-name: Internet Assigned Numbers Authority
    org-type: IANA
    address: see http://www.iana.org
    remarks: The IANA allocates IP addresses and AS number blocks to RIRs
    remarks: see http://www.iana.org/ipaddress/ip-addresses.htm
    remarks: and http://www.iana.org/assignments/as-numbers
    e-mail:
    admin-c: IANA1-RIPE
    tech-c: IANA1-RIPE
    mnt-ref: RIPE-NCC-HM-MNT
    mnt-by: RIPE-NCC-HM-MNT
    source: RIPE # Filtered

    role: Internet Assigned Numbers Authority
    address: see http://www.iana.org.
    e-mail:
    admin-c: IANA1-RIPE
    tech-c: IANA1-RIPE
    nic-hdl: IANA1-RIPE
    remarks: For more information on IANA services
    remarks: go to IANA web site at http://www.iana.org.
    mnt-by: RIPE-NCC-MNT
    source: RIPE # Filtered
     
    *****General, Nov 28, 2005
    #1

  2. *****General

    Trax Guest

    "*****General" <*****> wrote:

    |>I am using Sygate Personal Firewall and for the last 3 days someone has been
    |>scanning my computer's UDP ports from the IP address: 61.156.238.238.
    |>
    |>I have run a BackTrace and subsequent WhoIs query and the information
    |>returned is shown below: (It is all double dutch to me).
    |>
    |>I would like to know what my options are to prevent this individual from
    |>continuously scanning my UDP ports (whatever they are). Any help would be
    |>appreciated.

    Got an ignore setting for that firewall option? set and forget.

    Use this site to trace IP numbers http://www.dnsstuff.com/
    Shows it's from
    Location: China [City: Shandong, Shandong]

    --
    Take a game break...
    http://games.briankass.com/
     
    Trax, Nov 28, 2005
    #2

  3. *****General

    Mike Easter Guest

    *****General wrote:
    > I am using Sygate Personal Firewall and for the last 3 days someone
    > has been scanning my computer's UDP ports from the IP address:
    > 61.156.238.238.


    Then you should defend yourself.

    > I would like to know what my options are to prevent this individual
    > from continuously scanning my UDP ports (whatever they are). Any help
    > would be appreciated.


    The provider is an unresponsive CNCGROUP Shandong .cn provider listed in
    various places like spews & spamhaus for being unresponsive to spam
    reports and such.

    inetnum: 61.156.0.0 - 61.156.255.255
    descr: CNCGROUP Shandong province network


    There are about 400,000 reports about that IP at DShield which is an
    aggregator of log reports.

    If you want to do something useful with your logs besides puzzle over
    them and learn from them, you can feed them to the system at dshield or
    mynetwatchman.


    --
    Mike Easter
     
    Mike Easter, Nov 28, 2005
    #3
  4. *****General

    Mike Easter Guest

    *****General wrote:

    > I have run a BackTrace and subsequent WhoIs query and the information
    > returned is shown below: (It is all double dutch to me).


    tracert and traceroute are very often relatively weak for certain tasks.

    The whois needs to be pointed at the particular RIR regional internet
    registrar in question. In this case the rir is apnic. Your query was
    directed at ripe, which is why you didn't get good information. The
    RIRs are arin, ripe, apnic, afrinic, and lacnic, which mostly/generally
    correspond to N Amer, Eur, AsiaPacific, Africa, and Latin Amer, resp.

    You pasted in the result for this
    whois -h whois.ripe.net 61.156.238.238 ...

    You should've looked for the result of this
    whois -h whois.apnic.net 61.156.238.238 ...

    --
    Mike Easter
     
    Mike Easter, Nov 28, 2005
    #4
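The registry mix-up described in post #4, as an added example that is not part of the original thread: it flags a WHOIS reply that only contains the catch-all `IANA-BLK` record and reads the `refer:` field that `whois.iana.org` returns to find the registry to ask instead. The sample replies are constructed (abridged from the records quoted above), the function names are hypothetical, and IPv4 `inetnum` records are assumed.

```python
import ipaddress
import socket

# Constructed replies, abridged from the records quoted in this thread; the
# IANA reply is a constructed sample showing only that server's "refer:" field.
RIPE_REPLY = "inetnum: 0.0.0.0 - 255.255.255.255\nnetname: IANA-BLK\nsource: RIPE\n"
APNIC_REPLY = ("inetnum: 61.156.0.0 - 61.156.255.255\n"
               "descr: CNCGROUP Shandong province network\n")
IANA_REPLY = "% IANA WHOIS server\nrefer:        whois.apnic.net\n"

def fields(reply, name):
    """Values of every 'name: value' line in a WHOIS reply (comments skipped)."""
    out = []
    for line in reply.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.startswith("%") and key.strip().lower() == name:
            out.append(value.strip())
    return out

def is_authoritative(reply, ip):
    """True if the reply has a real allocation covering ip, not the catch-all block."""
    addr = ipaddress.ip_address(ip)
    for value in fields(reply, "inetnum"):
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split(" - "))
        # 0.0.0.0 - 255.255.255.255 means "this registry does not hold the block".
        if first <= addr <= last and (int(first), int(last)) != (0, 2**32 - 1):
            return True
    return False

def referred_server(iana_reply):
    """Registry named in the 'refer:' field of a whois.iana.org reply, or None."""
    found = fields(iana_reply, "refer")
    return found[0] if found else None

def whois_query(server, query, timeout=10):
    """Plain WHOIS lookup over TCP port 43. Needs network access; not run below."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

if __name__ == "__main__":
    print(is_authoritative(RIPE_REPLY, "61.156.238.238"))   # catch-all record only
    print(is_authoritative(APNIC_REPLY, "61.156.238.238"))  # real allocation
    print(referred_server(IANA_REPLY))
```

With network access, `whois_query("whois.iana.org", ip)` followed by `whois_query(referred_server(reply), ip)` performs the two-step lookup.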
  5. *****General

    Plato Guest

    *****General wrote:
    >
    > I am using Sygate Personal Firewall and for the last 3 days someone has been
    > scanning my computer's UDP ports from the IP address: 61.156.238.238.


    Turn off the alerts and let your firewall do its job.




    --
    http://www.bootdisk.com/
     
    Plato, Nov 28, 2005
    #5
  6. *****General

    Guest

    Hello

    I am Fred from Paris in France
    I would like to know who is this "61.156.238.238"
    Thanks
     
    , Dec 4, 2005
    #6
  7. *****General

    Mike Easter Guest

    wrote:

    > I am Fred from Paris in France


    And you are also GG googlegroup replying to a thread which is about a
    week old. Some of the people who actually use newsreaders instead of
    web based archives may have already had the reference posts spool off
    their provider's newsservers.

    > I would like to know who is this "61.156.238.238"


    The 'who' in terms of meatspace identity is not available. We only know
    about the provider for the IP address and the 'records' of the IP
    address's activity amassed by those who report firewall logs to DShield
    [and also MyNetWatchman] which aggregates them. DShield has amassed
    about 400,000 reports, so there are very very many people who have had
    this IP appear in their logs.

    This is not the only thread asking questions about it. There is another
    thread in an .it ng it.comp.sicurezza.windows also discussing. There
    are also about 5000 reports in MNW, so you can get a 'picture' of the
    type of activity coming from the IP at its report ID 175981779 or see it
    at this link http://www.mynetwatchman.com/LID.asp?IID=175981779 It
    shows a 'wealth' of apparent malware agents generating reports.

    If you could get your hands on the logs for the provider for the IP then
    you could determine the meatspace person or account 'attached' to the IP
    address.

    The provider for the IP's netblock is
    CNCGROUP Shandong province network

    The contact person for the netblock is
    XIAOFENG ZHANG
    Jinan, Shandong P.R China
    +86-531-6666666 (doubtful)


    The CNC group main address is in Beijing
    No.156, Fu-Xing-Men-Nei Street,
    Beijing, 100031, P.R.China
    +86-10-82993155 (probably true)

    The cnc group is extremely unresponsive to problems with spam, viral
    propagations or associated portscans.

    In comparison, if we wanted to know who was the meatspace persona of
    your IP address for the time frame of your posting here, we would
    contact the ProXad provider and if we had sufficient justification, the
    provider would 'relinquish' the records on your account.

    Free SAS / ProXad
    8, rue de la Ville L'Eveque
    75008 Paris
    +33 1 73 50 20 00


    --
    Mike Easter
     
    Mike Easter, Dec 4, 2005
    #7
  8. *****General

    detap Guest

    ping it and find out
    <> wrote in message
    news:...
    >
    > Hello
    >
    > I am Fred from Paris in France
    > I would like to know who is this "61.156.238.238"
    > Thanks
    >
    >
     
    detap, Dec 4, 2005
    #8
