Port scanned by these strange IPs...

Discussion in 'Computer Security' started by someone, Nov 22, 2005.

  1. someone

    someone Guest

    Hi guys. I've been port scanned by these unusual IPs...any comments? My
    experiences with port scans are that they're usually from private IPs
    of commercial ISPs (i.e. someone's zombie-fied/trojan-ed computer).

    All of them are UDP scans in the past 6 hours:

    18.78.12.98
    Unknown

    47.229.139.51
    Bell-Northern Research

    32.151.80.166
    Unknown

    17.208.21.26
    Unknown

    92.209.66.146
    Internet Assigned Numbers Authority

    77.11.7.6
    Internet Assigned Numbers Authority

    222.38.148.30
    CHINA RAILWAY TELECOMMUNICATIONS CENTER

    25.138.179.125
    DINSA, Ministry of Defence

    10.68.120.240
    Internet Assigned Numbers Authority

    85.196.38.105
    GNET - GLOBAL NETWORKS

    70.253.234.93
    SBC Internet Services SBCIS-SIS80
     
    someone, Nov 22, 2005
    #1

  2. someone

    Donnie Guest

    "someone" <> wrote in message
    news:...
    > Hi guys. I've been port scanned by these unusual IPs...any comments? My
    > experiences with port scans are that they're usually from private IPs
    > of commercial ISPs (i.e. someone's zombie-fied/tronjan-ed computer).

    ###################################
    Chances are, it's the same thing again.
    donnie.
     
    Donnie, Nov 22, 2005
    #2

  3. someone

    someone Guest

    You mean those IPs are spoofed? Or that the zombie computers are in
    those organisations?
     
    someone, Nov 22, 2005
    #3
  4. someone

    Moe Trin Guest

    On 21 Nov 2005 16:09:06, in the Usenet newsgroup alt.computer.security, in article
    <>, someone wrote:

    >Hi guys. I've been port scanned by these unusual IPs...any comments?


    Can you say 'Bogus'?

    >All of them are UDP scans in the past 6 hours:


    What exactly is a UDP scan? UDP is a connectionless protocol, and if it's
    something like a single packet from some random IP (especially to ports
    1025-1035), it's almost certainly faked addresses.

    >18.78.12.98
    >Unknown


    mit.edu

    >32.151.80.166
    >Unknown


    IBM Global

    >17.208.21.26
    >Unknown


    Apple Computer

    >92.209.66.146
    >Internet Assigned Numbers Authority


    This one proves the fake. 92.0.0.0 to 123.255.255.255 have not been issued.

    >77.11.7.6
    >Internet Assigned Numbers Authority


    Also not issued. See http://www.iana.org/assignments/ipv4-address-space

    >10.68.120.240
    >Internet Assigned Numbers Authority


    See RFC1918. If these are really coming in over your Internet connection,
    scream at your ISP about ingress filtering - see RFC2827 and RFC3804.

    You may want to look at the port numbers this crap is being sent to. If
    the destination ports are 1025 to (say) 1035, and the packet size is 300
    to 900 bytes, this is just microsoft messenger spams. Block those ports
    inbound (silent discard) and ignore.

    Old guy
     
    Moe Trin, Nov 22, 2005
    #4
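    To make the triage in this post concrete, here is an added Python example (not code from the thread or any of its posters) that runs the post's checks over a few constructed firewall log lines: it flags sources in RFC 1918 space, sources in the address space the post says was unissued in November 2005 (that snapshot is only valid for the thread's date; those blocks have since been allocated, so a current bogon list has to come from IANA/RIR data, not from this table), and UDP to ports 1025-1035 with a 300-900 byte size as Messenger spam. The log line format, the timestamps and the destination address 203.0.113.7 are constructed for the example.

```python
"""Offline triage of 'UDP scan' log lines using the checks from the post above."""
import ipaddress
import re

# Log line format assumed for this example (constructed, not any vendor's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<size>\d+)$"
)

# RFC 1918 space: must never arrive over the Internet link (RFC 2827 ingress filtering).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Address space the post says was unissued in November 2005: 92/8 through 123/8, and 77/8.
# Snapshot for the thread's date only; these blocks have since been allocated.
UNALLOCATED_NOV_2005 = [ipaddress.ip_network("77.0.0.0/8")] + list(
    ipaddress.summarize_address_range(
        ipaddress.IPv4Address("92.0.0.0"), ipaddress.IPv4Address("123.255.255.255")
    )
)

MESSENGER_PORTS = range(1025, 1036)  # 1025-1035 inclusive
MESSENGER_SIZES = range(300, 901)    # 300-900 bytes, as described in the post


def classify_source(src):
    """Return 'rfc1918', 'unallocated-2005' or 'routable' for a source address."""
    ip = ipaddress.IPv4Address(src)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if any(ip in net for net in UNALLOCATED_NOV_2005):
        return "unallocated-2005"
    return "routable"


def classify_packet(proto, dport, size):
    """The post's heuristic: UDP to 1025-1035 with a 300-900 byte size is Messenger spam."""
    if proto == "UDP" and dport in MESSENGER_PORTS and size in MESSENGER_SIZES:
        return "messenger-spam"
    if dport == 135:
        return "port-135-probe"  # the post treats 135 as a different service
    return "other"


def action_for(src_class, verdict):
    """Map a classification to the response the post recommends."""
    if verdict == "messenger-spam":
        return "silent-drop inbound udp/1025-1035; ignore"
    if src_class in ("rfc1918", "unallocated-2005"):
        return "source is bogus; raise ingress filtering (RFC 2827) with ISP"
    return "review"


def triage(log_text):
    """Parse log lines and return one record per recognised line."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # lines in another format are skipped, not guessed at
        src_class = classify_source(m["src"])
        verdict = classify_packet(m["proto"], int(m["dport"]), int(m["size"]))
        records.append({
            "src": m["src"], "src_class": src_class, "dport": int(m["dport"]),
            "verdict": verdict, "action": action_for(src_class, verdict),
        })
    return records


# Constructed sample log, using source addresses from the thread.
SAMPLE_LOG = """\
2005-11-22 10:01:03 UDP 92.209.66.146:4023 -> 203.0.113.7:1026 len=612
2005-11-22 10:01:09 UDP 10.68.120.240:4099 -> 203.0.113.7:1027 len=588
2005-11-22 10:02:41 UDP 18.78.12.98:53 -> 203.0.113.7:53 len=77
2005-11-22 10:03:10 TCP 70.253.234.93:2301 -> 203.0.113.7:135 len=48
2005-11-22 10:04:55 UDP 77.11.7.6:1100 -> 203.0.113.7:1029 len=730
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['src']:<16} {r['src_class']:<17} dport={r['dport']:<5} "
              f"{r['verdict']:<15} -> {r['action']}")
```

    Running the script prints one line per record. The sources classified as rfc1918 or unallocated-2005 are the ones the post calls bogus, which is why the suggested response for them is an ingress-filtering complaint to the ISP rather than a block rule keyed on the (faked) address.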
  5. someone

    someone Guest

    Hi, thanks for your helpful insight. I've been port scanned more today,
    and they seem to be going for ports 1025, 1027, 1028, 1029 and 135.

    What tool do you use for your WHOIS lookups? I use www.dnsstuff.com,
    which obviously isn't 100% complete!

    BTW, why would anyone want to do a UDP port scan if it is
    connectionless? Obviously the point of a port scan is to find open &
    vulnerable port numbers to establish an illicit connection...

    Thanks.

    P.S. Useful definition of UDP: (Didn't know before you pointed it out!)
    http://www.ingate.com/files/422/fwmanual-en/xa11944.html
    UDP protocol

    UDP does not make a connection. It examines data that comes from
    outside for accuracy, by checksums. This is like examining a postcard
    to ensure that it has not been torn up. UDP does not keep track of
    whether or not all data gets through or if it is in the right order;
    this is the job of the application. So the data does not have an ACK
    confirmation. Peter and Christy, sending postcards, have to keep track
    of their own postcards and Peter has to tell Christy the order in which
    they should be read. UDP keeps track of the contacts using port
    numbers, just like TCP.




    Moe Trin wrote:
    > On 21 Nov 2005 16:09:06, in the Usenet newsgroup alt.computer.security, in article
    > <>, someone wrote:
    >
    > >Hi guys. I've been port scanned by these unusual IPs...any comments?

    >
    > Can you say 'Bogus'?
    >
    > >All of them are UDP scans in the past 6 hours:

    >
    > What exactly is a UDP scan? UDP is a connectionless protocol, and if it's
    > something like a single packet from some random IP (especially to ports
    > 1025-1035), it's almost certainly faked addresses.
    >
    > >18.78.12.98
    > >Unknown

    >
    > mit.edu
    >
    > >32.151.80.166
    > >Unknown

    >
    > IBM Global
    >
    > >17.208.21.26
    > >Unknown

    >
    > Apple Computer
    >
    > >92.209.66.146
    > >Internet Assigned Numbers Authority

    >
    > This one proves the fake. 92.0.0.0 to 123.255.255.255 have not been issued.
    >
    > >77.11.7.6
    > >Internet Assigned Numbers Authority

    >
    > Also not issued. See http://www.iana.org/assignments/ipv4-address-space
    >
    > >10.68.120.240
    > >Internet Assigned Numbers Authority

    >
    > See RFC1918. If these are really coming in over your Internet connection,
    > scream at your ISP about ingress filtering - see RFC2827 and RFC3804.
    >
    > You may want to look at the port numbers this crap is being sent to. If
    > the destination ports are 1025 to (say) 1035, and the packet size is 300
    > to 900 bytes, this is just microsoft messenger spams. Block those ports
    > inbound (silent discard) and ignore.
    >
    > Old guy
     
    someone, Nov 23, 2005
    #5
  6. someone

    Notan Guest

    someone wrote:
    >
    > Hi, thanks for your helpful insight. I've been port scanned more today,
    > and they seem to be going for ports 1025, 1027, 1028, 1029 and 135.
    >
    > What tool do you use for your WHOIS lookups? I use www.dnsstuff.com,
    > which obviously isn't 100% complete!
    >
    > <snip>


    Have a look at:

    http://www.karenware.com/powertools/ptwhois.asp

    Notan
     
    Notan, Nov 23, 2005
    #6
  7. someone

    Bit Twister Guest

    On 22 Nov 2005 17:07:42 -0800, someone wrote:
    > Hi, thanks for your helpful insight. I've been port scanned more today,
    > and they seem to be going for ports 1025, 1027, 1028, 1029 and 135.
    >
    > BTW, why would anyone want to do a UDP port scan if it is
    > connectionless? Obviously the point of a port scan is to find open &
    > vulnerable port numbers to establish an illicit connection...



    In no order of importance:
    http://www.dshield.org//port_report.php?port=
    http://isc.sans.org/port_details.php?port=
    http://lists.thedatalist.com/portlist/lookup.php?port=
     
    Bit Twister, Nov 23, 2005
    #7
  8. someone

    Donnie Guest

    "someone" <> wrote in message
    news:...
    > You mean those IPs are spoofed? Or that the zombie computers are in
    > those organisations?
    >

    #############################
    It could be either but the second possibility would be more likely IMO.
    donnie.
     
    Donnie, Nov 23, 2005
    #8
  9. someone

    Donnie Guest


    >
    > What tool do you use for your WHOIS lookups? I use www.dnsstuff.com,
    > which obviously isn't 100% complete!
    >

    ###############################
    I use the whois command on my unix box.
    whois -h whois.networksolutions.com target.com

    networksolutions could be any one of a number of registrars around the
    world.
    ripe.net europe
    apnic asia pacific
    arin.net for IPs instead of domain names.
    There are others.
    donnie.
     
    Donnie, Nov 23, 2005
    #9
  10. someone

    Moe Trin Guest

    On 22 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
    <>, someone wrote:

    >Hi, thanks for your helpful insight. I've been port scanned more today,
    >and they seem to be going for ports 1025, 1027, 1028, 1029 and 135.


    135 is a different service - they're looking to gain clues. The ports
    1025 to 1029 (in your case, though I've seen slightly higher) is just
    messenger spam. They aren't attacking you. They are looking for fools who
    have windoze messenger service open, so they can deliver advertising.
    Block it and ignore.

    >What tool do you use for your WHOIS lookups? I use www.dnsstuff.com,
    >which obviously isn't 100% complete!


    [compton ~]$ which whois
    /usr/bin/whois
    [compton ~]$

    That might be a hint that I'm not using windoze. That's actually the
    whois3 tool from RIPE. I don't know if they have a version for windoze.

    >BTW, why would anyone want to do a UDP port scan if it is
    >connectionless? Obviously the point of a port scan is to find open &
    >vulnerable port numbers to establish an illicit connection...


    It's not a scan. Depending on what else you have running on your system,
    and what starts first, messenger is listening on one of those ports. In
    normal use, a peer would query your system to find out which port your
    system is listening on - but spammers just send the garbage blindly and
    hope that one of those ports is open. If it is, the spam is delivered. If
    it's not open - it didn't cost the spammer anything, it's no big deal.
    It's like the spammers are flying overhead in a big plane, and dumping
    millions of sheets of paper - if one lands on you, they have a possible
    success (you still have to read it, and buy whatever crap they are
    trying to sell). If the paper misses you - no problem, because they don't
    have to pay for it and they can get tons more. Look out, here comes
    another plane!

    When microsoft invented this Interweb thingy for windoze95, they copied
    some of the tools we've had for ten or more years earlier. Because they
    didn't understand all of the background (and because the users are
    untrained), they eliminated the security features that had existed. In
    the case of this 'messenger service' they took the old UNIX 'talk' service
    and enabled it by default (it's almost never used in UNIX) and changed it
    to UDP (with a TCP connection, if the peer does not agree to a connection,
    one does not exist - no messenger spam), so that it's easy to use (and
    abuse - but that's your problem, not microsoft's).

    >UDP keeps track of the contacts using port numbers, just like TCP.


    UDP is _usually_ used for 'one-shot' connections. A primary example
    is DNS. Your system sends a single packet to a DNS server asking (for
    example) "what is the IP Address of www.foo.example.com?". The server
    replies with a single packet - and from the network standpoint, there
    is no connection, just two one-way packets. Your client (and the server)
    know it's question/answer but no one else cares. If your client doesn't
    receive an answer in a reasonable time (seconds), it merely sends a new
    question. DNS conversations are very simple, and can be abbreviated down
    to a few bytes, so it makes no sense to go through all of the work of
    setting up a TCP connection which would take a total of seven packets,
    when UDP can do it in two.

    Old guy
     
    Moe Trin, Nov 23, 2005
    #10
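    The DNS exchange in this post, as an added Python example (not code from the thread or any of its posters): it builds the single query datagram for www.foo.example.com, constructs the single answer datagram a server would return (a stand-in written here so the example runs offline; the answer address 198.51.100.10 and the TTL are constructed), and parses that answer the way a client does. Because there is no connection, the only thing tying the answer to the question is the 16-bit transaction ID in the header (together with the source port), so the parser refuses a datagram whose ID does not match. That is the "client knows it's question/answer" part of the post made explicit, and it is also why a client must check that ID rather than accept any datagram that arrives.

```python
"""One-shot DNS over UDP: build the query, construct the reply, parse it."""
import struct


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name):
    """The client's single datagram: header (RD set, one question) + question for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query, ip, ttl=300):
    """Stand-in for the server side (constructed, not a real resolver).

    Copies the question, sets the response flags, and appends one A record whose
    name is a compression pointer (0xC00C) back to the question name at offset 12.
    """
    txid, = struct.unpack("!H", query[:2])
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR + RD + RA, 1 answer
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def read_name(buf, off):
    """Read a (possibly compressed) name at off; return (name, offset after it)."""
    labels = []
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, 14-bit offset
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            inner, _ = read_name(buf, ptr)
            labels.append(inner)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def parse_response(resp, expected_txid):
    """Client-side parse; rejects datagrams that are not the answer to our question."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: not the answer to our question")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    qname, off = read_name(resp, off)
    off += 4  # skip QTYPE and QCLASS of the echoed question
    answers = []
    for _ in range(an):
        aname, off = read_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append((aname, ".".join(str(b) for b in rdata), ttl))
    return qname, answers


def accepts(response, txid):
    """True if the client would accept this datagram as the answer to txid."""
    try:
        parse_response(response, txid)
        return True
    except ValueError:
        return False


def one_shot_exchange(name, ip, txid=0x1234):
    """Run the two-datagram exchange end to end and report what went over the wire."""
    query = build_query(txid, name)
    response = build_response(query, ip)
    qname, answers = parse_response(response, txid)
    return {"packets": 2, "query_bytes": len(query), "response_bytes": len(response),
            "qname": qname, "answers": answers}


if __name__ == "__main__":
    print(one_shot_exchange("www.foo.example.com", "198.51.100.10"))
```

    The whole exchange is two datagrams of 37 and 53 bytes, which is the point the post makes about not paying for a TCP handshake for a question this small. The transaction-ID check in parse_response is the minimum a client needs; real resolvers also randomise that ID and the source port for the same reason.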
  11. someone

    someone Guest

    Wow Moe Trin. I understood that! Thanks for such an informative post.
    Most other advanced comp/security users I've come across usually type
    in gobbledegook. Definitely saving your post locally for archiving :)
     
    someone, Nov 23, 2005
    #11
