Security Basics mailing list archives
Re: Repeated Port Scan
From: Rich Franklin <rlfranklin2 () ameritech net>
Date: 30 Jun 2003 07:38:04 -0000
In-Reply-To: <5.2.1.1.2.20030625162812.00a6f710 () mail comcast net>

The IP addresses that you listed show up as the following;

Network Information for 66.230.230.115

Neucom, Inc. NEUCOM (NET-66-230-192-0-1)
                                  66.230.192.0 - 66.230.239.255
NetTuner Corporation (Webmasters.com) WEBMASTERS-20031402 (NET-66-230-230-0-1)
                                  66.230.230.0 - 66.230.230.255

# ARIN WHOIS database, last updated 2003-06-29 21:05
# Enter ? for additional hints on searching ARIN's WHOIS database.

Network Information for 192.168.254.156

OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:       Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US

NetRange:   192.168.0.0 - 192.168.255.255
CIDR:       192.168.0.0/16
NetName:    IANA-CBLK1
NetHandle:  NET-192-168-0-0-1
Parent:     NET-192-0-0-0-0
NetType:    IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment:    This block is reserved for special purposes.
Comment:    Please see RFC 1918 for additional information.
Comment:
RegDate:    1994-03-15
Updated:    2002-09-16

OrgTechHandle: IANA-ARIN
OrgTechName:   Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-823-9358
OrgTechEmail:  res-ip () iana org

# ARIN WHOIS database, last updated 2003-06-29 21:05
# Enter ? for additional hints on searching ARIN's WHOIS database.

As to the port scan, make sure that all possible services are shut down, and then run netstat -a at a DOS prompt to see if those same services are still running. XP is known to have services running in the middle to upper end for ports.

Hope this information helps you.

Rich
I've been getting port scans from the same IP address for 3 days. It is not scanning continuously but will usually scan me every 2 hours for a few hours. When I do a whois on the address it doesn't give much information on who to contact about abuse. I'm thinking that the computer scanning me has been compromised and is looking for other computers to infect.

The source port is random but the local port is not. It scans to see if ports 1075, 3128, 4588, 6588, and 8080 are open. I ran Retina against the machine and it's running a default install of Apache without much of anything configured. The Sequence # of the packets is always 666666 and all have the SYN flag set. Does anybody know of any worms or Trojans that scan for these ports and have these features?

Also, if whois doesn't give much information how can I find out who to contact about this? I've attached some of the packets that I've captured, along with the whois information. Any help is appreciated. TIA
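A small detection script for the probe pattern described in the quoted post, added here as an example and not part of either message. It parses tcpdump-style one-line summaries (the line format, source addresses, ports and timestamps in the sample are constructed for the example, not captured packets), keeps only SYN packets aimed at the five ports named in the post, checks whether every probe from a source carries the fixed sequence number 666666, measures the spacing between scan bursts, and flags sources in RFC 1918 space, for which the ARIN lookup in the reply returns only the IANA reservation record.

```python
"""Flag repeating fixed-sequence SYN probes against a watched port set.

Added example; not code from the mailing-list thread. The summary-line
format below is our own, and every address and timestamp is constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

WATCHED_PORTS = {1075, 3128, 4588, 6588, 8080}   # ports named in the post
FIXED_SEQ = 666666                                # sequence number named in the post
BURST_GAP_SECONDS = 600                           # >10 min of silence starts a new burst

# The three RFC 1918 private ranges; whois on these only returns IANA's reservation.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One constructed summary line looks like:
#   2003-06-27 10:00:01 66.230.230.115.4421 > 192.168.1.2.3128: S seq=666666
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) seq=(?P<seq>\d+)$"
)


def parse_line(line):
    """Return a dict for one summary line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "sport": int(m["sport"]),
        "dport": int(m["dport"]),
        "flags": m["flags"],
        "seq": int(m["seq"]),
    }


def is_rfc1918(ip):
    """True if the address lies in one of the RFC 1918 private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def analyze(lines, watched=WATCHED_PORTS, fixed_seq=FIXED_SEQ):
    """Group SYN probes against watched ports by source and describe each source."""
    probes = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or "S" not in pkt["flags"] or pkt["dport"] not in watched:
            continue
        probes[pkt["src"]].append(pkt)

    report = {}
    for src, pkts in probes.items():
        pkts.sort(key=lambda p: p["ts"])
        bursts = []  # list of lists of packets, split on long silences
        for p in pkts:
            if bursts and (p["ts"] - bursts[-1][-1]["ts"]).total_seconds() <= BURST_GAP_SECONDS:
                bursts[-1].append(p)
            else:
                bursts.append([p])
        gap_hours = [(b[0]["ts"] - a[0]["ts"]).total_seconds() / 3600
                     for a, b in zip(bursts, bursts[1:])]
        all_fixed = all(p["seq"] == fixed_seq for p in pkts)
        report[src] = {
            "ports": sorted({p["dport"] for p in pkts}),
            "all_fixed_seq": all_fixed,
            "fixed_seq_scan": all_fixed and len(pkts) > 1,   # the pattern from the post
            "bursts": len(bursts),
            "gap_hours": gap_hours,
            "rfc1918_source": is_rfc1918(src),
        }
    return report


# Constructed sample: two scanning sources with the fixed sequence number, one
# ordinary client whose single SYN to 8080 carries a normal sequence number.
SAMPLE_LINES = [
    "2003-06-27 10:00:01 66.230.230.115.4421 > 192.168.1.2.1075: S seq=666666",
    "2003-06-27 10:00:01 66.230.230.115.51208 > 192.168.1.2.3128: S seq=666666",
    "2003-06-27 10:00:02 66.230.230.115.1393 > 192.168.1.2.4588: S seq=666666",
    "2003-06-27 10:00:02 66.230.230.115.60077 > 192.168.1.2.6588: S seq=666666",
    "2003-06-27 10:00:03 66.230.230.115.2250 > 192.168.1.2.8080: S seq=666666",
    "2003-06-27 12:00:05 66.230.230.115.3301 > 192.168.1.2.3128: S seq=666666",
    "2003-06-27 12:00:06 66.230.230.115.47010 > 192.168.1.2.8080: S seq=666666",
    "2003-06-27 11:30:00 198.51.100.7.33012 > 192.168.1.2.8080: S seq=1874530992",
    "2003-06-27 11:31:00 198.51.100.7.33012 > 192.168.1.2.8080: P. seq=1874530993",
    "2003-06-27 14:00:00 192.168.254.156.1044 > 192.168.1.2.3128: S seq=666666",
    "2003-06-27 14:00:01 192.168.254.156.1045 > 192.168.1.2.6588: S seq=666666",
]

if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LINES).items():
        print(src, info)
```

The `rfc1918_source` flag is the practical point behind the second whois result in the reply: a packet whose source is in 192.168.0.0/16 cannot have crossed the Internet with that address, so it came from inside the local network or from a NAT gateway, and the place to raise it is the local network's operator rather than an ARIN abuse contact.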
Current thread:
- Repeated Port Scan compguruman (Jun 27)
- <Possible follow-ups>
- RE: Repeated Port Scan John Choe (Jun 27)
- Re: Repeated Port Scan Rich Franklin (Jun 30)
- RE: Repeated Port Scan compguruman (Jun 30)