Port scans. What are these?

Discussion in 'Computer Security' started by kmtanner@cyberspace.org, Oct 18, 2005.

  1. Guest

    Hi people. I get constant & regular port scans from these IP
    addresses:

    61.137.117.208
    61.233.40.205
    61.237.29.102
    61.237.3.70
    61.235.144.86

    Severity: Minor
    Direction: Incoming
    Protocol: UDP

    ARIN and RIPE whois servers don't give any information about any
    of these addresses. It kinda bugs me because they're constant
    scans. Probably caused by some application I've installed (like
    automatic update check or...)

    Could anyone enlighten me? Thanks in advance.
    , Oct 18, 2005
    #1

  2. Anders Guest

    wrote:
    > Hi people. I get constant & regular port scans from these IP
    > addresses:
    >
    > 61.137.117.208
    > 61.233.40.205
    > 61.237.29.102
    > 61.237.3.70
    > 61.235.144.86
    >
    > Severity: Minor
    > Direction: Incoming
    > Protocol: UDP
    >
    > ARIN and RIPE whois servers don't give any information about any
    > of these addresses. It kinda bugs me because they're constant
    > scans. Probably caused by some application I've installed (like
    > automatic update check or...)
    >
    > Could anyone enlighten me? Thanks in advance.
    >


    It looks like China messenger spam to me. Are they using UDP on ports 1026/1027? It probably is.

    61.137.117.208
    61.137.0.0 - 61.137.127.255
    netname: CHINANET-HN
    country: CN
    descr: CHINANET Hunan province network
    descr: China Telecom

    61.233.40.205
    61.233.40.0 - 61.233.40.255
    netname: CRHbYqS
    country: CN
    descr: China Railcom Hebei Yangquan Subbranch
    descr: Telecommunication

    61.237.29.102
    61.232.0.0 - 61.237.255.255
    netname: CRTC
    country: CN
    descr: CHINA RAILWAY TELECOMMUNICATIONS CENTER
    admin-c: LQ112-AP
    tech-c: LM273-AP
    status: ALLOCATED PORTABLE

    61.237.3.70
    61.232.0.0 - 61.237.255.255
    netname: CRTC
    country: CN
    descr: CHINA RAILWAY TELECOMMUNICATIONS CENTER
    admin-c: LQ112-AP
    tech-c: LM273-AP
    status: ALLOCATED PORTABLE

    61.235.144.86
    61.232.0.0 - 61.237.255.255
    netname: CRTC
    country: CN
    descr: CHINA RAILWAY TELECOMMUNICATIONS CENTER
    admin-c: LQ112-AP
    tech-c: LM273-AP
    status: ALLOCATED PORTABLE
    Anders, Oct 18, 2005
    #2

  3. Guest

    Anders wrote:
    > wrote:

    [...]
    > It looks like China messenger spam to me. Are they using UDP on ports 1026/1027? It probably is.


    This is the information I got:

    =============insert
    Somebody is scanning your computer.
    Your computer's UDP ports:
    1028, 1029, 1030, and 4081 have been scanned from 61.137.117.208..
    =============outsert

    Thanks a lot for your help.
    , Oct 18, 2005
    #3
  4. Guest

    Oh btw Anders: What service did you use to get the information? RIPE doesn't work well for me...
    , Oct 18, 2005
    #4
  5. <> wrote in message
    news:...
    > Oh btw Anders: What service did you use to get the information? RIPE doesn't work well for me...


    There are more than two rings in the Olympic symbol (hint!)

    Google for APNIC, then either follow that up with a more general registrar
    search, or download the appropriate software.

    I cook my own, but many are available. codecutters.org. YMMV, I don't
    exactly stay up nights doing wonderful and interesting things with
    interfaces (Erm.. /software/ interfaces, that is. Cough! :eek:)

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
    Hairy One Kenobi, Oct 19, 2005
    #5
  6. Anders Guest

    wrote:
    > Oh btw Anders: What service did you use to get the information? RIPE doesn't work well for me...
    >


    "Network Tools", a nice little tool in Linux using whois.net

    Anders
    Anders, Oct 19, 2005
    #6
  7. Interested Guest

    On 18 Oct 2005, wrote:
    >Hi people. I get constant & regular port scans from these IP
    >addresses:
    >
    >61.137.117.208
    >61.233.40.205
    >61.237.29.102
    >61.237.3.70
    >61.235.144.86
    >
    >Severity: Minor
    >Direction: Incoming
    >Protocol: UDP
    >
    >ARIN and RIPE whois servers don't give any information about any
    >of these addresses. It kinda bugs me because they're constant
    >scans. Probably caused by some application I've installed (like
    >automatic update check or...)
    >
    >Could anyone enlighten me? Thanks in advance.


    Go to: http://www.dnsstuff.com/

    For example, this is what WHOIS Lookup shows for 61.137.117.208.
    There is no PTR for it, so it is likely a dynamic IP. Could very well be a
    hack attempt. Certainly not a legitimate site, or there would be a PTR record
    for it.

    WHOIS results for 61.137.117.208
    Generated by www.DNSstuff.com
    Location: China [City: China, Beijing]

    ARIN says that this IP belongs to APNIC; I'm looking it up there.


    Using 2 day old cached answer (or, you can get fresh results).
    Hiding E-mail address (you can get results with the E-mail address).

    % [whois.apnic.net node-1]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 61.137.0.0 - 61.137.127.255
    netname: CHINANET-HN
    country: CN
    descr: CHINANET Hunan province network
    descr: China Telecom
    descr: A12,Xin-Jie-Kou-Wai Street
    descr: Beijing 100088
    admin-c: CH93-AP
    tech-c: YX69-AP
    status: ALLOCATED NON-PORTABLE
    changed: *****@chinatelecom.com.cn 20050825
    mnt-by: MAINT-CHINANET
    source: APNIC

    person: Chinanet Hostmaster
    address: No.31 ,jingrong street,beijing
    address: 100032
    country: CN
    phone: +86-10-66027112
    fax-no: +86-10-58501144
    e-mail: **********@ns.chinanet.cn.net
    e-mail: *********@ns.chinanet.cn.net
    nic-hdl: CH93-AP
    mnt-by: MAINT-CHINANET
    changed: **********@ns.chinanet.cn.net 20021016
    remarks: hostmaster is not for spam complaint,please send spam
    complaint to *********@ns.chinanet.cn.net
    source: APNIC

    person: Yali Xiao
    address: Hunan Data Communication Bureau No.9 middle wuyi road
    ChangSha city,Hunan ,P.R.China 410011
    country: CN
    phone: +86-731-2260079
    fax-no: +86-731-2265549
    e-mail: ****@hnpta.net.cn
    nic-hdl: YX69-AP
    mnt-by: MAINT-CHINANET-HUNAN
    changed: ****@hndcb.hnpta.net.cn 20010523
    source: APNIC


    The Reverse DNS shows no PTR record, meaning it is not legitimate.

    Reverse DNS for 61.137.117.208
    Generated by www.DNSstuff.com
    Location: China [City: China, Beijing]

    Preparation:
    The reverse DNS entry for an IP is found by reversing the IP, adding it to
    "in-addr.arpa", and looking up the PTR record.
    So, the reverse DNS entry for 61.137.117.208 is found by looking up the PTR
    record for 208.117.137.61.in-addr.arpa.
    All DNS requests start by asking the root servers, and they let us know
    what to do next.
    See How Reverse DNS Lookups Work for more information.

    How I am searching:
    Asking a.root-servers.net for 208.117.137.61.in-addr.arpa PTR record:
    a.root-servers.net says to go to tinnie.arin.net. (zone: 61.in-addr.arpa.)
    Asking tinnie.arin.net. for 208.117.137.61.in-addr.arpa PTR record:
    Reports that no PTR records exist [from 69.25.34.195].

    Answer:
    No PTR records exist for 61.137.117.208. [Neg TTL=172800 seconds]

    Details:
    tinnie.arin.net. (an authoritative nameserver for 61.in-addr.arpa., which
    is in charge of the reverse DNS for 61.137.117.208)
    says that there are no PTR records for 61.137.117.208.

    To get reverse DNS set up for 61.137.117.208, you need to speak to your
    Internet provider. You could also check with ., who is in charge of the
    61.in-addr.arpa. zone.

    Note that all Internet accessible hosts are expected to have a reverse DNS
    entry (per RFC1912 2.1), and many mailservers (such as AOL) will likely
    block E-mail from mailservers with no reverse DNS entry.
    To see the reverse DNS traversal, to make sure that all DNS servers are
    reporting the correct results, you can Click Here.
    Interested, Oct 23, 2005
    #7
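    The steps discussed in this thread (pull the source address and ports out of the firewall alert quoted in post #3, build the in-addr.arpa name the way post #7 describes, and apply the UDP 1026-1030 messenger pop-up heuristic from post #2) as one added Python example; this is not code from any poster. The alert text is constructed to match the quoted message, `reverse_name` also handles IPv6 (ip6.arpa), and `lookup_ptr` only does a real lookup if you call it with network access.

    ```python
    import ipaddress
    import re
    import socket

    # Constructed sample, modelled on the firewall message quoted in post #3.
    SAMPLE_ALERT = (
        "Somebody is scanning your computer.\n"
        "Your computer's UDP ports:\n"
        "1028, 1029, 1030, and 4081 have been scanned from 61.137.117.208..\n"
    )

    # UDP 1026-1030 is where Windows Messenger service pop-up spam typically
    # landed (post #2 names 1026/1027). Heuristic for triage, not proof.
    MESSENGER_SPAM_PORTS = set(range(1026, 1031))

    ALERT_RE = re.compile(
        r"(?P<proto>UDP|TCP) ports:\s*(?P<ports>[\d,\s]+(?:and\s+\d+)?)"
        r"\s*have been scanned from\s*(?P<ip>\d+\.\d+\.\d+\.\d+)"
    )

    def parse_alert(text):
        """Turn the free-text alert into {proto, ports, src}; None if it does not match."""
        m = ALERT_RE.search(text)
        if not m:
            return None
        ports = sorted({int(p) for p in re.findall(r"\d+", m.group("ports"))})
        return {"proto": m.group("proto"), "ports": ports, "src": m.group("ip")}

    def reverse_name(ip):
        """PTR owner name: reversed octets + in-addr.arpa, or reversed nibbles + ip6.arpa."""
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
        nibbles = addr.exploded.replace(":", "")
        return ".".join(reversed(nibbles)) + ".ip6.arpa."

    def lookup_ptr(ip):
        """Resolve the PTR; None when no record exists or resolution fails (e.g. offline)."""
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:  # socket.herror and socket.gaierror are OSError subclasses
            return None

    def classify(event):
        """Triage label: messenger-spam noise, mixed, or something worth a closer look."""
        spam = set(event["ports"]) & MESSENGER_SPAM_PORTS
        other = set(event["ports"]) - MESSENGER_SPAM_PORTS
        if event["proto"] != "UDP" or not spam:
            return "unclassified scan"
        if other:
            return "messenger-spam ports plus other ports"
        return "likely messenger pop-up spam"
    ```
    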
  8. This one works very well to find out the origin of the IP:

    http://www.samspade.org/

    "Anders" <> wrote in message
    news:qPl5f.148613$...
    > wrote:
    >> Oh btw Anders: What service did you use to get the information? RIPE doesn't work well for me...
    >>

    >
    > "Network Tools", a nice little tool in Linux using whois.net
    >
    > Anders
    ROBERT S AMP BA Drake, Oct 23, 2005
    #8