Tilted Forum Project Discussion Community  

Go Back   Tilted Forum Project Discussion Community > Interests > Tilted Technology


 
 
LinkBack Thread Tools
Old 04-02-2004, 02:11 AM   #1 (permalink)
big damn hero
 
guthmund's Avatar
 
So someone is scanning my ports....

Hello all,

I've been noticing lately a rash of port scans directed at my system. I've been looking over the security log and notice that a lot of them are coming from the same place and scanning the same ports.

I'm pretty confident in my setup; I'm just particularly paranoid about stuff like this.

Is there a way for me to scare this guy into leaving me alone. I don't want to do anything harmful. I just want to send the message to infer that I know what your doing and it would be "better to step off, bitch."

I'm not exactly a novice, but lack the "mad haxor skillz" so feel free to dumb things down a bit.
__________________
No signature. None. Seriously.
guthmund is offline  
Old 04-02-2004, 04:46 AM   #2 (permalink)
Metal and Rock 4 Life
 
Destrox's Avatar
 
Location: Phoenix
could always just report the IP to its isp/tld, any other methods I know of simply are not legal :P
__________________
You bore me.... next.
Destrox is offline  
Old 04-02-2004, 08:05 AM   #3 (permalink)
Psycho
 
soopafreek's Avatar
 
Location: ask your mom
i'm having the same issues at work... i reported to the source's ISP abuse@ address... and got an autoresponder message saying they'll "look into it", but they won't be contacting or replying to my email.
__________________
aaarrrrrgggghhhh!!!!
soopafreek is offline  
Old 04-02-2004, 09:52 AM   #4 (permalink)
Tone.
 
shakran's Avatar
 
find out who it is first. I'm betting it's a company associated with software or the entertainment industry.
shakran is offline  
Old 04-02-2004, 09:53 AM   #5 (permalink)
Poo-tee-weet?
 
JStrider's Avatar
 
Location: The Woodlands, TX
scan back?
__________________
-=JStrider=-

~Clatto Verata Nicto
JStrider is offline  
Old 04-02-2004, 11:43 AM   #6 (permalink)
Banned from being Banned
 
Location: Donkey
Scanning ports isn't illegal, is it? What good would it do to report it to the ISP?
__________________
I love lamp.
Stompy is offline  
Old 04-02-2004, 11:50 AM   #7 (permalink)
Darth Papa
 
ratbastid's Avatar
 
Location: Yonder
Unless you've got some reason to be a target for a cracker, the odds are very good it's just a trojaned/wormed machine launching an automated attack, looking to worm your machine.

The "guy" you want to "scare" is an 83 year old retired CPA and his wife. They live in Hoboken.

Block the IP, be sure those ports are closed at the firewall, and get on with your life.
ratbastid is offline  
Old 04-02-2004, 12:13 PM   #8 (permalink)
beauty in the breakdown
 
Location: Chapel Hill, NC
Quote:
Originally posted by ratbastid
Unless you've got some reason to be a target for a cracker, the odds are very good it's just a trojaned/wormed machine launching an automated attack, looking to worm your machine.

The "guy" you want to "scare" is an 83 year old retired CPA and his wife. They live in Hoboken.

Block the IP, be sure those ports are closed at the firewall, and get on with your life.
What he said. I wouldnt worry about it.
__________________
"Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws."
--Plato
sailor is offline  
Old 04-02-2004, 12:33 PM   #9 (permalink)
big damn hero
 
guthmund's Avatar
 
Quote:
Originally posted by soopafreek
i'm having the same issues at work... i reported to the source's ISP abuse@ address... and got an autoresponder message saying they'll "look into it", but they won't be contacting or replying to my email.
I've done that and gotten the same response. I know nothing will come of it, but what the hell?

Quote:
Originally posted by shakran
find out who it is first. I'm betting it's a company associated with software or the entertainment industry.
I hadn't thought of that, but you might be right. Thanks.

Quote:
Originally posted by ratbastid
Unless you've got some reason to be a target for a cracker, the odds are very good it's just a trojaned/wormed machine launching an automated attack, looking to worm your machine.

The "guy" you want to "scare" is an 83 year old retired CPA and his wife. They live in Hoboken.

Block the IP, be sure those ports are closed at the firewall, and get on with your life.
You give advice with such disdain. I'm not one to take to flights of fancy. I get hits all the time concerning the firewall, but they're random and never make more than a handful of entries. This "guy" has several pages dedicated to "him." I was just curious if there was a way to make myself a little more conspicuous or at least scare him off. I'm dreadfully sorry.

As for the ports they've been blocked off for a while. I guess I could just block his IP addy and "get on with my life." I thank you for the "help."
__________________
No signature. None. Seriously.
guthmund is offline  
Old 04-02-2004, 02:54 PM   #10 (permalink)
Thor
 
micah67's Avatar
 
Location: 33:08:12N 117:10:23W
I didn't read into ratbastid's reply what you seemed to read. My answer would have been very similar to his. I've been know to IP block specific users who constantly hit me.

Is everything ok? Is it a bad day or something? Seriously...
__________________
~micah
micah67 is offline  
Old 04-03-2004, 06:45 PM   #11 (permalink)
Psycho
 
Location: Boston, MAss., USA
Here's what you can do. Go to
http://www.hcidata.com/host2ip.htm
and look up the host/domain from the IP address. Use whois to find the domain registrar's tech contact. You can also use abuse.org & try a lookup for an abuse e-mail for the domain. Send a polite note asking about the port scanning.

If you don't get a reposne, sign the tech contact up for porn site e-mail mailing lists. That'll get their attention. (just kidding)
__________________
I'm gonna be rich and famous, as soon I invent a device that lets you stab people in the face over the internet.
JohnnyRoyale is offline  
Old 04-03-2004, 09:33 PM   #12 (permalink)
big damn hero
 
guthmund's Avatar
 
Quote:
Originally posted by micah67
Is everything ok? Is it a bad day or something? Seriously...
It was a bad day couple of days and I owe Ratbastid an apology.

Something just wasn't adding up, so I called my local techsupport and found a fellow who directed me to this...It's a variation of an older worm. Reporting it would do no good as it doesn't matter where it's coming from because it spoofs the source IP address. (at least that's my understanding....)

In my log, the source IP address was from the same chunk as mine. In fact, after a few disconnects one of the source IPs was one I had recently used.

Anyway, here are the links that I dug up on it for what it's worth....

http://www.dslreports.com/forum/remark,9614903
http://isc.sans.org/diary.php?date=2004-04-01
__________________
No signature. None. Seriously.
guthmund is offline  
Old 04-04-2004, 02:30 AM   #13 (permalink)
 
KnifeMissile's Avatar
 
Location: Waterloo, Ontario
Is this "local techsupport" guy from your ISP? I ask because my ISP routinely port scans me to ensure that I am following my terms of service (technically, I'm not suppost to be hosting any "services," like a web server)...
KnifeMissile is offline  
Old 04-04-2004, 07:17 AM   #14 (permalink)
Darth Papa
 
ratbastid's Avatar
 
Location: Yonder
Quote:
Originally posted by guthmund
It was a bad day couple of days and I owe Ratbastid an apology.
Which he very kindly sent to me in a PM, and which I've responded to. I was pretty flip in my response, to tell the truth. But I've been there--a weird new behavior shows up in my logs, and I freak right out, only to find out later that it's the such-and-so worm...

Unless you have some reason to think you're a target (and ego aside, 99% of us home users have no reason to think that), there's probably nothing much to worry about. Provided you've taken appropriate precautions, of course, like running a closed, well-monitored firewall. If you're swiss cheese for every worm that comes along, you're probably not somebody who notices port scans anyway....
ratbastid is offline  
Old 04-04-2004, 12:35 PM   #15 (permalink)
Psycho
 
bacon_masta's Avatar
 
Location: i live in the state of denial
Quote:
Originally posted by Stompy
Scanning ports isn't illegal, is it? What good would it do to report it to the ISP?
actually, scanning ports is illegal
bacon_masta is offline  
Old 04-04-2004, 08:05 PM   #16 (permalink)
Irresponsible
 
yotta's Avatar
 
Quote:
Originally posted by bacon_masta
actually, scanning ports is illegal
Can you back that statement up?

The legality of it really depends on where you live, and where the system you're scanning is.

I don't think post scanning is actualy illegal at lease in the US, but it DOES violates the terms of service of most ISPs.
__________________
I am Jack's signature.
yotta is offline  
Old 04-05-2004, 11:19 AM   #17 (permalink)
big damn hero
 
guthmund's Avatar
 
Quote:
Originally posted by KnifeMissle
Is this "local techsupport" guy from your ISP? I ask because my ISP routinely port scans me to ensure that I am following my terms of service (technically, I'm not suppost to be hosting any "services," like a web server)...
Yeah, he is. Turns out we were in the same Cisco certification classes at the college. He assures me it's not them and directed me to links I posted above.
__________________
No signature. None. Seriously.
guthmund is offline  
Old 04-05-2004, 05:04 PM   #18 (permalink)
Crazy
 
Interesting thread. Simply b/c I have seen similar port scanning on my home system from time to time, and never had any idea as to what to do. Good to hear some constructive advices/ideas from people.
I think I'll be a bit more active from now on and block individial IPs, and just hope that i never have to download anything from them.
panbert is offline  
Old 04-06-2004, 10:59 AM   #19 (permalink)
Thor
 
micah67's Avatar
 
Location: 33:08:12N 117:10:23W
My Astaro firewall has a neat port-scan detection option: It'll blackhole the IP automatically for 7-days (which is good in case the scanner was using dialup - I don't want to permanently block normal users from my web site / mail server, etc.).
__________________
~micah
micah67 is offline  
 

Tags
ports, scanning


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -8. The time now is 03:57 AM.

Tilted Forum Project

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Search Engine Optimization by vBSEO 3.6.0 PL2
© 2002-2012 Tilted Forum Project

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360