04-02-2004, 02:11 AM | #1 (permalink) |
big damn hero
|
So someone is scanning my ports....
Hello all,
I've been noticing lately a rash of port scans directed at my system. I've been looking over the security log and notice that a lot of them are coming from the same place and scanning the same ports. I'm pretty confident in my setup; I'm just particularly paranoid about stuff like this. Is there a way for me to scare this guy into leaving me alone? I don't want to do anything harmful. I just want to send the message to infer that I know what you're doing and it would be "better to step off, bitch." I'm not exactly a novice, but lack the "mad haxor skillz" so feel free to dumb things down a bit.
__________________
No signature. None. Seriously. |
04-02-2004, 08:05 AM | #3 (permalink) |
Psycho
Location: ask your mom
|
I'm having the same issues at work... I reported to the source's ISP abuse@ address... and got an autoresponder message saying they'll "look into it", but they won't be contacting or replying to my email.
__________________
aaarrrrrgggghhhh!!!! |
04-02-2004, 11:50 AM | #7 (permalink) |
Darth Papa
Location: Yonder
|
Unless you've got some reason to be a target for a cracker, the odds are very good it's just a trojaned/wormed machine launching an automated attack, looking to worm your machine.
The "guy" you want to "scare" is an 83 year old retired CPA and his wife. They live in Hoboken. Block the IP, be sure those ports are closed at the firewall, and get on with your life. |
04-02-2004, 12:13 PM | #8 (permalink) | |
beauty in the breakdown
Location: Chapel Hill, NC
|
__________________
"Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws." --Plato |
|
04-02-2004, 12:33 PM | #9 (permalink) | |||
big damn hero
|
As for the ports, they've been blocked off for a while. I guess I could just block his IP addy and "get on with my life." I thank you for the "help."
__________________
No signature. None. Seriously. |
|||
04-02-2004, 02:54 PM | #10 (permalink) |
Thor
Location: 33:08:12N 117:10:23W
|
I didn't read into ratbastid's reply what you seemed to read. My answer would have been very similar to his. I've been known to IP block specific users who constantly hit me.
Is everything ok? Is it a bad day or something? Seriously...
__________________
~micah |
04-03-2004, 06:45 PM | #11 (permalink) |
Psycho
Location: Boston, MAss., USA
|
Here's what you can do. Go to http://www.hcidata.com/host2ip.htm and look up the host/domain from the IP address. Use whois to find the domain registrar's tech contact. You can also use abuse.org & try a lookup for an abuse e-mail for the domain. Send a polite note asking about the port scanning. If you don't get a response, sign the tech contact up for porn site e-mail mailing lists. That'll get their attention. (just kidding)
__________________
I'm gonna be rich and famous, as soon I invent a device that lets you stab people in the face over the internet. |
04-03-2004, 09:33 PM | #12 (permalink) | |
big damn hero
|
Something just wasn't adding up, so I called my local tech support and found a fellow who directed me to this... It's a variation of an older worm. Reporting it would do no good as it doesn't matter where it's coming from because it spoofs the source IP address. (at least that's my understanding....) In my log, the source IP address was from the same chunk as mine. In fact, after a few disconnects one of the source IPs was one I had recently used. Anyway, here are the links that I dug up on it for what it's worth....
http://www.dslreports.com/forum/remark,9614903
http://isc.sans.org/diary.php?date=2004-04-01
__________________
No signature. None. Seriously. |
|
04-04-2004, 07:17 AM | #14 (permalink) | |
Darth Papa
Location: Yonder
|
Unless you have some reason to think you're a target (and ego aside, 99% of us home users have no reason to think that), there's probably nothing much to worry about. Provided you've taken appropriate precautions, of course, like running a closed, well-monitored firewall. If you're swiss cheese for every worm that comes along, you're probably not somebody who notices port scans anyway.... |
|
04-04-2004, 08:05 PM | #16 (permalink) | |
Irresponsible
|
The legality of it really depends on where you live, and where the system you're scanning is. I don't think port scanning is actually illegal, at least in the US, but it DOES violate the terms of service of most ISPs.
__________________
I am Jack's signature. |
|
04-05-2004, 11:19 AM | #17 (permalink) | |
big damn hero
|
__________________
No signature. None. Seriously. |
|
04-05-2004, 05:04 PM | #18 (permalink) |
Crazy
|
Interesting thread. Simply b/c I have seen similar port scanning on my home system from time to time, and never had any idea as to what to do. Good to hear some constructive advice/ideas from people.
I think I'll be a bit more active from now on and block individual IPs, and just hope that I never have to download anything from them. |
04-06-2004, 10:59 AM | #19 (permalink) |
Thor
Location: 33:08:12N 117:10:23W
|
My Astaro firewall has a neat port-scan detection option: It'll blackhole the IP automatically for 7 days (which is good in case the scanner was using dialup - I don't want to permanently block normal users from my web site / mail server, etc.).
__________________
~micah |
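The kind of port-scan detection with a temporary blackhole described in the post above, as an added example that is not part of the thread and not Astaro's implementation. The log format, the 60-second window and the 5-port threshold are assumptions; only the 7-day block duration comes from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed look-back window
THRESHOLD = 5                    # assumed: distinct ports within WINDOW
BLOCK_FOR = timedelta(days=7)    # the 7-day blackhole mentioned in the post
LINE_RE = re.compile(r"^(\S+) DROP src=(\S+) dpt=(\d+)$")  # assumed log format

# Constructed sample firewall log (documentation addresses, not from the thread).
SAMPLE_LOG = [
    "2004-04-01T02:10:00 DROP src=198.51.100.23 dpt=135",
    "2004-04-01T02:10:01 DROP src=198.51.100.23 dpt=139",
    "2004-04-01T02:10:02 DROP src=198.51.100.23 dpt=445",
    "2004-04-01T02:10:03 DROP src=203.0.113.9 dpt=25",
    "2004-04-01T02:10:04 DROP src=198.51.100.23 dpt=1025",
    "2004-04-01T02:10:05 DROP src=198.51.100.23 dpt=2745",
    "2004-04-01T02:12:00 DROP src=203.0.113.9 dpt=80",
    "2004-04-01T02:15:00 DROP src=192.0.2.77 dpt=135",
    "2004-04-01T02:20:00 DROP src=192.0.2.77 dpt=139",
    "2004-04-01T02:25:00 DROP src=192.0.2.77 dpt=445",
    "2004-04-01T02:30:00 DROP src=192.0.2.77 dpt=1025",
    "2004-04-01T02:35:00 DROP src=192.0.2.77 dpt=2745",
]

def detect_scanners(lines):
    """Return {source_ip: block_expiry} for sources hitting THRESHOLD distinct ports in WINDOW."""
    recent = defaultdict(deque)  # src -> (time, port) events still inside the window
    blocked = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # skip anything that is not a dropped-packet record
        when = datetime.fromisoformat(m.group(1))
        src, port = m.group(2), int(m.group(3))
        events = recent[src]
        events.append((when, port))
        while events and when - events[0][0] > WINDOW:
            events.popleft()     # forget probes older than the window
        if len({p for _, p in events}) >= THRESHOLD:
            blocked[src] = when + BLOCK_FOR  # continued scanning renews the expiry
    return blocked

def is_blocked(blocked, src, now):
    """A block only applies until its expiry, so a reassigned dial-up address recovers."""
    expiry = blocked.get(src)
    return expiry is not None and now < expiry
```

On the sample log only 198.51.100.23 is blackholed; 192.0.2.77 probes the same ports five minutes apart and stays under the threshold, which is the trade-off of any fixed window.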