guthmund

Hello all,

I've been noticing lately a rash of port scans directed at my system. I've been looking over the security log and notice that a lot of them are coming from the same place and scanning the same ports.

I'm pretty confident in my setup; I'm just particularly paranoid about stuff like this.

Is there a way for me to scare this guy into leaving me alone. I don't want to do anything harmful. I just want to send the message to infer that I know what your doing and it would be "better to step off, bitch."

I'm not exactly a novice, but lack the "mad haxor skillz" so feel free to dumb things down a bit.

__________________
No signature. None. Seriously.

Destrox

could always just report the IP to its isp/tld, any other methods I know of simply are not legal :P

__________________
You bore me.... next.

soopafreek

i'm having the same issues at work... i reported to the source's ISP abuse@ address... and got an autoresponder message saying they'll "look into it", but they won't be contacting or replying to my email.

__________________
aaarrrrrgggghhhh!!!!

shakran

find out who it is first. I'm betting it's a company associated with software or the entertainment industry.

JStrider

scan back?

__________________
-=JStrider=-

~Clatto Verata Nicto

Stompy

Scanning ports isn't illegal, is it? What good would it do to report it to the ISP?

__________________
I love lamp.

ratbastid

Unless you've got some reason to be a target for a cracker, the odds are very good it's just a trojaned/wormed machine launching an automated attack, looking to worm your machine.

The "guy" you want to "scare" is an 83 year old retired CPA and his wife. They live in Hoboken.

Block the IP, be sure those ports are closed at the firewall, and get on with your life.

sailor

What he said. I wouldnt worry about it.

__________________
"Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws."
--Plato

guthmund

I've done that and gotten the same response. I know nothing will come of it, but what the hell?

I hadn't thought of that, but you might be right. Thanks.

You give advice with such disdain. I'm not one to take to flights of fancy. I get hits all the time concerning the firewall, but they're random and never make more than a handful of entries. This "guy" has several pages dedicated to "him." I was just curious if there was a way to make myself a little more conspicuous or at least scare him off. I'm dreadfully sorry.

As for the ports they've been blocked off for a while. I guess I could just block his IP addy and "get on with my life." I thank you for the "help."

__________________
No signature. None. Seriously.

micah67

I didn't read into ratbastid's reply what you seemed to read. My answer would have been very similar to his. I've been know to IP block specific users who constantly hit me.

Is everything ok? Is it a bad day or something? Seriously...

__________________
~micah

JohnnyRoyale

Here's what you can do. Go to
http://www.hcidata.com/host2ip.htm
and look up the host/domain from the IP address. Use whois to find the domain registrar's tech contact. You can also use abuse.org & try a lookup for an abuse e-mail for the domain. Send a polite note asking about the port scanning.

If you don't get a reposne, sign the tech contact up for porn site e-mail mailing lists. That'll get their attention. (just kidding)

__________________
I'm gonna be rich and famous, as soon I invent a device that lets you stab people in the face over the internet.

guthmund

It was a bad day couple of days and I owe Ratbastid an apology.

Something just wasn't adding up, so I called my local techsupport and found a fellow who directed me to this...It's a variation of an older worm. Reporting it would do no good as it doesn't matter where it's coming from because it spoofs the source IP address. (at least that's my understanding....)

In my log, the source IP address was from the same chunk as mine. In fact, after a few disconnects one of the source IPs was one I had recently used.

Anyway, here are the links that I dug up on it for what it's worth....

http://www.dslreports.com/forum/remark,9614903
http://isc.sans.org/diary.php?date=2004-04-01

__________________
No signature. None. Seriously.

KnifeMissile

Is this "local techsupport" guy from your ISP? I ask because my ISP routinely port scans me to ensure that I am following my terms of service (technically, I'm not suppost to be hosting any "services," like a web server)...

ratbastid

Which he very kindly sent to me in a PM, and which I've responded to. I was pretty flip in my response, to tell the truth. But I've been there--a weird new behavior shows up in my logs, and I freak right out, only to find out later that it's the such-and-so worm...

Unless you have some reason to think you're a target (and ego aside, 99% of us home users have no reason to think that), there's probably nothing much to worry about. Provided you've taken appropriate precautions, of course, like running a closed, well-monitored firewall. If you're swiss cheese for every worm that comes along, you're probably not somebody who notices port scans anyway....

bacon_masta

actually, scanning ports is illegal

yotta

Can you back that statement up?

The legality of it really depends on where you live, and where the system you're scanning is.

I don't think post scanning is actualy illegal at lease in the US, but it DOES violates the terms of service of most ISPs.

__________________
I am Jack's signature.

guthmund

Yeah, he is. Turns out we were in the same Cisco certification classes at the college. He assures me it's not them and directed me to links I posted above.

__________________
No signature. None. Seriously.

panbert

Interesting thread. Simply b/c I have seen similar port scanning on my home system from time to time, and never had any idea as to what to do. Good to hear some constructive advices/ideas from people.
I think I'll be a bit more active from now on and block individial IPs, and just hope that i never have to download anything from them.

micah67

My Astaro firewall has a neat port-scan detection option: It'll blackhole the IP automatically for 7-days (which is good in case the scanner was using dialup - I don't want to permanently block normal users from my web site / mail server, etc.).

__________________
~micah