Tilted Forum Project Discussion Community


guthmund 04-02-2004 02:11 AM

So someone is scanning my ports....
 
Hello all,

I've been noticing lately a rash of port scans directed at my system. I've been looking over the security log and notice that a lot of them are coming from the same place and scanning the same ports.

I'm pretty confident in my setup; I'm just particularly paranoid about stuff like this.

Is there a way for me to scare this guy into leaving me alone? I don't want to do anything harmful. I just want to send the message to infer that I know what you're doing and it would be "better to step off, bitch." :)

I'm not exactly a novice, but lack the "mad haxor skillz" so feel free to dumb things down a bit. :lol:

Destrox 04-02-2004 04:46 AM

could always just report the IP to its isp/tld, any other methods I know of simply are not legal :P

soopafreek 04-02-2004 08:05 AM

i'm having the same issues at work... i reported to the source's ISP abuse@ address... and got an autoresponder message saying they'll "look into it", but they won't be contacting or replying to my email.

shakran 04-02-2004 09:52 AM

find out who it is first. I'm betting it's a company associated with software or the entertainment industry.

JStrider 04-02-2004 09:53 AM

scan back?

Stompy 04-02-2004 11:43 AM

Scanning ports isn't illegal, is it? What good would it do to report it to the ISP?

ratbastid 04-02-2004 11:50 AM

Unless you've got some reason to be a target for a cracker, the odds are very good it's just a trojaned/wormed machine launching an automated attack, looking to worm your machine.

The "guy" you want to "scare" is an 83 year old retired CPA and his wife. They live in Hoboken.

Block the IP, be sure those ports are closed at the firewall, and get on with your life.

sailor 04-02-2004 12:13 PM

Quote:

Originally posted by ratbastid
Unless you've got some reason to be a target for a cracker, the odds are very good it's just a trojaned/wormed machine launching an automated attack, looking to worm your machine.

The "guy" you want to "scare" is an 83 year old retired CPA and his wife. They live in Hoboken.

Block the IP, be sure those ports are closed at the firewall, and get on with your life.

What he said. I wouldn't worry about it.

guthmund 04-02-2004 12:33 PM

Quote:

Originally posted by soopafreek
i'm having the same issues at work... i reported to the source's ISP abuse@ address... and got an autoresponder message saying they'll "look into it", but they won't be contacting or replying to my email.

I've done that and gotten the same response. I know nothing will come of it, but what the hell?

Quote:

Originally posted by shakran
find out who it is first. I'm betting it's a company associated with software or the entertainment industry.

I hadn't thought of that, but you might be right. Thanks.

Quote:

Originally posted by ratbastid
Unless you've got some reason to be a target for a cracker, the odds are very good it's just a trojaned/wormed machine launching an automated attack, looking to worm your machine.

The "guy" you want to "scare" is an 83 year old retired CPA and his wife. They live in Hoboken.

Block the IP, be sure those ports are closed at the firewall, and get on with your life.

You give advice with such disdain. I'm not one to take to flights of fancy. I get hits all the time concerning the firewall, but they're random and never make more than a handful of entries. This "guy" has several pages dedicated to "him." I was just curious if there was a way to make myself a little more conspicuous or at least scare him off. I'm dreadfully sorry. :rolleyes:

As for the ports they've been blocked off for a while. I guess I could just block his IP addy and "get on with my life." I thank you for the "help."

micah67 04-02-2004 02:54 PM

I didn't read into ratbastid's reply what you seemed to read. My answer would have been very similar to his. I've been known to IP block specific users who constantly hit me.

Is everything ok? Is it a bad day or something? Seriously...

JohnnyRoyale 04-03-2004 06:45 PM

Here's what you can do. Go to
http://www.hcidata.com/host2ip.htm
and look up the host/domain from the IP address. Use whois to find the domain registrar's tech contact. You can also use abuse.org & try a lookup for an abuse e-mail for the domain. Send a polite note asking about the port scanning.

If you don't get a response, sign the tech contact up for porn site e-mail mailing lists. That'll get their attention. (just kidding)

guthmund 04-03-2004 09:33 PM

Quote:

Originally posted by micah67
Is everything ok? Is it a bad day or something? Seriously...

It was a bad day couple of days and I owe Ratbastid an apology.

Something just wasn't adding up, so I called my local techsupport and found a fellow who directed me to this...It's a variation of an older worm. Reporting it would do no good as it doesn't matter where it's coming from because it spoofs the source IP address. (at least that's my understanding....)

In my log, the source IP address was from the same chunk as mine. In fact, after a few disconnects one of the source IPs was one I had recently used.

Anyway, here are the links that I dug up on it for what it's worth....

http://www.dslreports.com/forum/remark,9614903
http://isc.sans.org/diary.php?date=2004-04-01

KnifeMissile 04-04-2004 02:30 AM

Is this "local techsupport" guy from your ISP? I ask because my ISP routinely port scans me to ensure that I am following my terms of service (technically, I'm not supposed to be hosting any "services," like a web server)...

ratbastid 04-04-2004 07:17 AM

Quote:

Originally posted by guthmund
It was a bad day couple of days and I owe Ratbastid an apology.

Which he very kindly sent to me in a PM, and which I've responded to. I was pretty flip in my response, to tell the truth. But I've been there--a weird new behavior shows up in my logs, and I freak right out, only to find out later that it's the such-and-so worm...

Unless you have some reason to think you're a target (and ego aside, 99% of us home users have no reason to think that), there's probably nothing much to worry about. Provided you've taken appropriate precautions, of course, like running a closed, well-monitored firewall. If you're swiss cheese for every worm that comes along, you're probably not somebody who notices port scans anyway....

bacon_masta 04-04-2004 12:35 PM

Quote:

Originally posted by Stompy
Scanning ports isn't illegal, is it? What good would it do to report it to the ISP?

actually, scanning ports is illegal

yotta 04-04-2004 08:05 PM

Quote:

Originally posted by bacon_masta
actually, scanning ports is illegal

Can you back that statement up?

The legality of it really depends on where you live, and where the system you're scanning is.

I don't think port scanning is actually illegal, at least in the US, but it DOES violate the terms of service of most ISPs.

guthmund 04-05-2004 11:19 AM

Quote:

Originally posted by KnifeMissile
Is this "local techsupport" guy from your ISP? I ask because my ISP routinely port scans me to ensure that I am following my terms of service (technically, I'm not supposed to be hosting any "services," like a web server)...

Yeah, he is. Turns out we were in the same Cisco certification classes at the college. He assures me it's not them and directed me to links I posted above.

panbert 04-05-2004 05:04 PM

Interesting thread. Simply b/c I have seen similar port scanning on my home system from time to time, and never had any idea as to what to do. Good to hear some constructive advice/ideas from people.
I think I'll be a bit more active from now on and block individual IPs, and just hope that I never have to download anything from them.

micah67 04-06-2004 10:59 AM

My Astaro firewall has a neat port-scan detection option: It'll blackhole the IP automatically for 7-days (which is good in case the scanner was using dialup - I don't want to permanently block normal users from my web site / mail server, etc.).
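
The expiring blackhole described in the post above, sketched as an added example (not code from the thread and not Astaro's implementation): a source that hits several distinct ports in a short window is blocked, and the block ages out after 7 days so a reassigned address is not shut out permanently. The log format, threshold, window and the `ScanBlocker` and `run` names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the "time src_ip dst_port action" format is assumed.
SAMPLE_LOG = """\
2004-04-02T02:00:01 198.51.100.7 135 DROP
2004-04-02T02:00:02 203.0.113.20 80 ACCEPT
2004-04-02T02:00:03 198.51.100.7 139 DROP
2004-04-02T02:00:04 198.51.100.7 445 DROP
2004-04-02T02:00:05 203.0.113.20 80 ACCEPT
2004-04-02T02:00:06 198.51.100.7 1025 DROP
2004-04-02T02:00:07 198.51.100.7 2745 DROP
"""

PORT_THRESHOLD = 5                 # distinct ports that count as a scan (assumed)
WINDOW = timedelta(seconds=60)     # look-back window (assumed)
BLOCK_TTL = timedelta(days=7)      # the 7-day blackhole from the post

class ScanBlocker:
    def __init__(self):
        self.recent = defaultdict(list)  # src -> [(time, port)] inside WINDOW
        self.blocked = {}                # src -> time the block expires

    def is_blocked(self, src, now):
        if src in self.blocked and now >= self.blocked[src]:
            del self.blocked[src]        # block aged out; address usable again
        return src in self.blocked

    def observe(self, ts, src, port):
        """Record one hit; return True when it triggers a new block."""
        if self.is_blocked(src, ts):
            return False
        hits = [(t, p) for t, p in self.recent[src] if ts - t <= WINDOW]
        self.recent[src] = hits + [(ts, port)]
        if len({p for _, p in self.recent[src]}) < PORT_THRESHOLD:
            return False                 # repeat hits on one port do not count
        self.blocked[src] = ts + BLOCK_TTL
        del self.recent[src]
        return True

def run(log_text):
    blocker, new_blocks = ScanBlocker(), []
    for line in log_text.strip().splitlines():
        ts, src, port, _action = line.split()
        when = datetime.fromisoformat(ts)
        if blocker.observe(when, src, int(port)):
            new_blocks.append((src, when))
    return blocker, new_blocks
```
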


All times are GMT -8.