Port scan attempts

Discussion in 'Computer Security' started by Ravi, Dec 22, 2003.

  1. Ravi

    Ravi Guest

    "Date: 22/12/2003 Time: 22:52:16 (GMT +5:30)
    Port scan detected from address 206.204.10.200.
    Blocked further access for 30 minutes after detecting at
    least 6 ports being probed."

    Is there a way I can report abuse for this?

    It appears that I must report abuse to:


    but that address is invalid - I believe.

    So what can I do?
     
    Ravi, Dec 22, 2003
    #1

  2. Ravi

    Bit Twister Guest

    Let's see,
    host 206.204.10.200
    200.10.204.206.in-addr.arpa domain name pointer security.symantec.com.

    Hmm, belongs to symantec.com

    I bet there may be a Contact Us in their web page http://symantec.com/
     
    Bit Twister, Dec 22, 2003
    #2


  3. abuse?

    it's not illegal to port scan. get over it.

    # nslookup 206.204.10.200

    Name: security.symantec.com
    Address: 206.204.10.200



    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Dec 22, 2003
    #3
  4. Ravi

    Mimic Guest

    heh i got busted once for portscanning :(

    --
    Mimic

    "Without Knowledge you have fear, With fear you create your own nightmares."
    "There are 10 types of people in this world. Those that understand Binary,
    and those that dont."
    "C makes it easy to shoot yourself in the foot. C++ makes it harder, but
    when you do, it blows away your whole leg"
     
    Mimic, Dec 22, 2003
    #4
  5. Ahem. Depends on where you're scanning from.

    IIRC, you can get prosecuted for using too-strong encryption in France, or
    for saving POP IP addresses in Germany.. in the UK it *will* get your
    account pulled (assuming that the AUP team have been injected with that
    yellow stuff that they used in /Reanimator/)

    To the OP: read comments, think about said comments, learn.. it's a good
    order to do things ;o)

    H1K
     
    Hairy One Kenobi, Dec 23, 2003
    #5
  6. Ravi

    Bit Twister Guest

    Bit Twister, Dec 23, 2003
    #6
  7. Ravi

    James H. Fox Guest

    You can try the myNetWatchman service (http://www.mynetwatchman.com) to
    automatically report scans. They consolidate reports from a number of users
    and screen them so that only the significant ones are actually reported. I
    use it with logging from a hardware firewall and a cable modem, but it will
    also work with logs from various software firewalls. I don't know if it is
    practical with a dial-up modem.
     
    James H. Fox, Dec 23, 2003
    #7
  8. Ravi

    Guest

    Welcome to the Internet. I get scanned a number of times a day, and scan
    anyone connecting to my machine in a suspicious manner. I've got a
    database of all the scans using NLog, so big I had to install mySQL just
    to keep them straight. No one's ever said a word to me. And besides,
    there's always _passive_ scanning and icmp-based scanning ;)

    Most ISPs, when contacted, do nothing about real break-in attempts, let
    alone a measly portscan. And then there's legit uses too- IRCds
    routinely portscan 23, 80, 8080, 3168 looking for open proxies. If
    you're auto-blocking them, and the scan-site has the same IP as the host
    site, you will be blocking your users from using IRC at all (which you
    may or may not want to do). In short, unless it becomes a pattern from
    the same IP# over and over, let it slide.


    --

    =-=-=.:|DISTRIBUTION|PROGRAMMING|RESEARCH|PORTAL|:.-=-=
    [jayjwa] RLF#37 Raq glenaal: Nffnfvangr Ovyy Tngrf
    [Atr2 Labs] Jvaqbjf vf n qvfrnfr
    Finger for proj. "Putting encryption to good use."
    =Linux Tough.Powered By Slackware=-HTTPS|FTP|SILC|SSH-=
     
    , Dec 23, 2003
    #8
  9. Ravi

    Rowdy Yates Guest

    I was happily strolling along my merry little way in alt.computer.security,
    when I looked down and saw a little note from Ravi on Mon 22 Dec 2003
    A port scan does not constitute hostile activity. It could be anything. If you
    can prove that there is a pattern to the scan that indicates that they are
    trying to get in, then.....

    most hack attempts are preempted by multiple reconnaissance activity that has a
    discernable pattern. a passive host based IDS can log that information for
    you.
     
    Rowdy Yates, Dec 23, 2003
    #9
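The threshold alert quoted in the first post, together with the advice in the two posts above to act only on a repeated pattern from one address, can be turned into a small triage routine. This is an added example, not code from any poster or firewall product; the probe window, the repeat count, the allowlist and the sample log (documentation addresses) are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

MIN_PORTS = 6                     # "at least 6 ports being probed" (alert in post #1)
BLOCK = timedelta(minutes=30)     # block period from the same alert
WINDOW = timedelta(seconds=60)    # assumption: probes this close together are one scan
REPEAT_EPISODES = 3               # assumption: this many separate scans is "a pattern"

def make_events(src, start, ports, step=2):
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(seconds=i * step), src, p) for i, p in enumerate(ports)]

# Constructed log built with make_events(); addresses are RFC 5737 documentation ranges.
SAMPLE = (
    make_events("192.0.2.10", "2003-12-22T22:52:00", [21, 22, 23, 25, 80, 110, 139])
    + make_events("198.51.100.7", "2003-12-20T03:00:00", range(1, 9))
    + make_events("198.51.100.7", "2003-12-21T03:10:00", range(1, 9))
    + make_events("198.51.100.7", "2003-12-22T04:00:00", range(20, 30))
    + make_events("203.0.113.5", "2003-12-22T10:00:00", [23, 80, 8080, 3168])  # IRC proxy check
    + make_events("203.0.113.9", "2003-12-22T11:00:00", [21, 22, 23, 25, 80, 110])
)
ALLOWLIST = {"203.0.113.9"}       # hypothetical: a scanner you asked to probe you

def scan_episodes(events):
    """Return {source: [detection times]}; a new entry needs the last block to have expired."""
    by_src, episodes = {}, {}
    for ts, src, port in sorted(events):
        by_src.setdefault(src, []).append((ts, port))
    for src, probes in by_src.items():
        start = 0
        for end, (ts, _) in enumerate(probes):
            while ts - probes[start][0] > WINDOW:      # slide the window forward
                start += 1
            ports = {p for _, p in probes[start:end + 1]}
            hits = episodes.setdefault(src, [])
            if len(ports) >= MIN_PORTS and (not hits or ts - hits[-1] > BLOCK):
                hits.append(ts)
    return episodes

def triage(events, allowlist=frozenset()):
    episodes, verdicts = scan_episodes(events), {}
    for src in {s for _, s, _ in events}:
        n = len(episodes.get(src, []))
        if src in allowlist:
            verdicts[src] = "expected"
        elif n == 0:
            verdicts[src] = "ignore"
        else:
            verdicts[src] = "report" if n >= REPEAT_EPISODES else "log-only"
    return verdicts
```

On the sample data the four-port IRC proxy check stays under the threshold, the one-off scan is only logged, and only the address that scans on three separate days is marked for reporting.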
  10. Ravi

    Ravi Guest

    If that is correct then my mistake!
    I actually asked them to scan my ports using their security
    check site.

    But then is not the abuse address that I wrote correct?

    TIA.
     
    Ravi, Dec 23, 2003
    #10

  11. you're an idiot.

    go ahead folks, find some small way to state this guy isn't an idiot....
    I dare you.... he ASKS symantec to scan him, then he REPORTS them for
    abuse....



    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Dec 23, 2003
    #11
  12. Ravi

    Ravi Guest

    Hey everyone makes mistakes!
    I did not know it was symantec's ip!
     
    Ravi, Dec 23, 2003
    #12
  13. Ravi

    Ravi Guest

    I have already posted a response. I have no idea why it has not appeared.
    Anyway all I said was that everyone can make a mistake.

    I did not know the ip belonged to symantec.

    Now I am posting this from linux I just hope this appears!
     
    Ravi, Dec 23, 2003
    #13
  14. Ravi

    Bit Twister Guest

    I do not remember the commands to check if the email account is valid.

    You report abuse to the ISP who owns the offending ip address.

    If it comes from a business, I contact them first, if it continues,
    then I contact their ISP.
     
    Bit Twister, Dec 23, 2003
    #14
  15. Ravi

    Ravi Guest

    I got this information:

    OrgName: ConXioN Corporation
    OrgID: CONX
    Address: 4201 Burton Drive
    City: Santa Clara
    StateProv: CA
    PostalCode: 95054
    Country: US

    NetRange: 206.204.0.0 - 206.204.255.255
    CIDR: 206.204.0.0/16
    NetName: CONXION
    NetHandle: NET-206-204-0-0-1
    Parent: NET-206-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.CONXION.NET
    NameServer: NS2.CONXION.NET
    NameServer: NS3.CONXION.NET
    NameServer: NS4.CONXION.NET
    Comment:
    RegDate: 1995-07-17
    Updated: 2002-12-19

    AbuseHandle: ABUSE150-ARIN
    AbuseName: Abuse
    AbusePhone: +1-408-566-8500
    AbuseEmail:

    TechHandle: CO-ORG-ARIN
    TechName: ConXioN
    TechPhone: +1-408-566-8500
    TechEmail:

    # ARIN WHOIS database, last updated 2003-12-01 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS
    database.

    OrgName: ConXioN Corporation
    OrgID: CONX
    Address: 4201 Burton Drive
    City: Santa Clara
    StateProv: CA
    PostalCode: 95054
    Country: US
    Comment:
    RegDate: 1995-04-19
    Updated: 2001-12-17

    # ARIN WHOIS database, last updated 2003-12-01 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS
    database.

    So I think the abuse address is right? And actually there is
    no mention of symantec.
     
    Ravi, Dec 23, 2003
    #15
  16. Ravi

    Bit Twister Guest

    Well the abuse is a valid ip address alright.
    You are correct.
    symantec has the ip address.
    You asked who was the ISP provider for symantec's ip address.
     
    Bit Twister, Dec 23, 2003
    #16
  17. Ravi

    Ravi Guest

    This is an automatically generated Delivery Status
    Notification. Delivery to the following recipients failed
    due to a permanent error.

    <>:
    12.158.34.245 does not like recipient.
    Remote host said: 550 5.1.1 <>... User
    unknown Giving up on 12.158.34.245.
     
    Ravi, Dec 24, 2003
    #17
  18. Ravi

    Bit Twister Guest

    You are correct, it is broke. Maybe conxion.net outsourced
    it offshore.

    Maybe you could go to http://www.conxion.net and see if there is a
    place to tell them about the email problem. Or try mailing them a
    letter.
     
    Bit Twister, Dec 24, 2003
    #18
  19. Ravi

    Ravi Guest

    Ok. You appear to be posting from:
    United States
    California
    Los Angeles

    Is that correct?

    Why have you not set your tz to
    -08:00
    ?
     
    Ravi, Dec 24, 2003
    #19
  20. Ravi

    Bit Twister Guest

    Ummm, I posted from 24.1.212.248. Dallas TX.
    My clock says
    date
    Tue Dec 23 23:01:09 CST 2003

    or if you like
    date --utc
    Wed Dec 24 05:01:39 UTC 2003

    Do you think the time you see is the time the newsserver has???
     
    Bit Twister, Dec 24, 2003
    #20