Off-Topic Forum: A place to chill and relax ...
#1
HardwareHeaven Extreme Member
Join Date: May 2003
Posts: 3,311

port scan attack

If this is in the wrong place, sorry, please move it.
I just had McAfee firewall pop up to say it has intercepted a port scan attack. So I tried to trace it and it traced to 195.188.152.16. Details:
Name: Unknown
IP Address: 195.188.152.16
Location: Knowsley (53.450N, 2.850W)
Network: RIPE-CBLK3
Registrant contact information is not available.
I can't ping the address and the firewall can't get a lot of info. I don't know what to do. Can anyone advise me? Cheers!
#2
Banned
Join Date: May 2002
Posts: 2,092

A port scan in itself is harmless; I'm getting those 10x a day (20 at weekends).
Usually a few trojans attack too, but being firewalled means don't worry about them, as long as you keep your stuff up to date, of course.
#3
Live from the Dungeon
Join Date: May 2003
Location: Between the SubWoofers
Posts: 1,395

If your firewall is up and no ports are open you have nothing to worry about... my network at home gets port scanned 20+ times a day... and no, it isn't a light port scan... we are talking a hard-core port scan... In my logs I have traced a port scan for over 2 hrs from the same IP. If you have a good firewall you have nothing to worry about. You can report the IP: Go Here. Personally I would rather use a hardware firewall than a software one. Look into a router or something. Or if you are the tinkering type like me, get an old PC and go Here and get this corp-level firewall software. It is free to home users and takes a little bit to set up, but it will be like being behind Ft. Knox. I have used it for 7 months now and it is the best I can have at home, just short of buying a Cisco PIX firewall...
But in the end... if your system is behind a firewall you should be good.
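The posts above treat "a port scan in the logs" as something you recognise by eye. The check that actually separates a scan from an ordinary dropped connection is how many distinct destination ports one source hits within a short window. The script below is an added example, not code from the thread or from any firewall product: the log format is invented for it, the log lines are constructed (the source address is the one reported at the top of the thread; 10.0.0.9 and 203.0.113.7 are made-up LAN and test-net addresses), and the 60-second window and 5-port threshold are assumptions to tune against your own logs.

```python
"""Spot port scans in firewall drop logs: one source touching many distinct
destination ports within a short window, as opposed to a single dropped
connection or repeated hits on one port.

Added example, not from the thread or any firewall product. The log format
is made up for this example and the lines are constructed; the window and
port thresholds are assumptions to tune against real logs."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: "timestamp ACTION PROTO src:port -> dst:port".
SAMPLE_LOG = """\
2003-11-06 21:14:02 DROP TCP 195.188.152.16:4123 -> 10.0.0.5:135
2003-11-06 21:14:02 DROP TCP 195.188.152.16:4124 -> 10.0.0.5:139
2003-11-06 21:14:03 DROP TCP 195.188.152.16:4125 -> 10.0.0.5:445
2003-11-06 21:14:03 DROP TCP 195.188.152.16:4126 -> 10.0.0.5:1025
2003-11-06 21:14:04 DROP TCP 195.188.152.16:4127 -> 10.0.0.5:3389
2003-11-06 21:14:05 DROP TCP 195.188.152.16:4128 -> 10.0.0.5:5900
2003-11-06 21:14:06 DROP UDP 195.188.152.16:4129 -> 10.0.0.5:137
2003-11-06 21:20:11 DROP TCP 10.0.0.9:51000 -> 10.0.0.5:445
2003-11-06 21:20:12 DROP TCP 10.0.0.9:51001 -> 10.0.0.5:445
2003-11-06 21:20:13 DROP TCP 10.0.0.9:51002 -> 10.0.0.5:445
2003-11-06 22:00:00 ACCEPT TCP 203.0.113.7:2000 -> 10.0.0.5:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not
    match the format (headers, blank lines, truncated entries)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["dport"] = int(ev["dport"])
    return ev


def source_kind(ip):
    """'private' for RFC 1918 / link-local / loopback addresses (your own LAN
    side of the router), 'external' for anything else."""
    return "private" if ipaddress.ip_address(ip).is_private else "external"


def detect_scans(log_text, window_seconds=60, min_ports=5):
    """Return {src: {...}} for every source that was dropped on at least
    `min_ports` distinct destination ports within any `window_seconds` span.
    Repeated drops on the same port (a retrying client) never qualify."""
    recent = defaultdict(deque)   # src -> deque of (ts, dport) inside the window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "DROP":
            continue                       # only denied traffic is evidence here
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                    # slide the window forward
        distinct = {port for _, port in q}
        if len(distinct) >= min_ports:
            hit = alerts.setdefault(ev["src"], {
                "ports": 0, "first": q[0][0], "last": ev["ts"],
                "kind": source_kind(ev["src"])})
            hit["ports"] = max(hit["ports"], len(distinct))
            hit["last"] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for src, hit in detect_scans(SAMPLE_LOG).items():
        print(f"{src} ({hit['kind']}): {hit['ports']} ports, "
              f"{hit['first']:%H:%M:%S} - {hit['last']:%H:%M:%S}")
```

Only the 195.188.152.16 burst is reported; the three drops from 10.0.0.9 all land on port 445 and so never count as a scan. The `kind` field is there because a scan-looking burst from a private address is more likely a misconfigured or infected host on your own side of the router than an outside attacker, and deserves attention for that reason rather than an abuse report.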
#4
Obvious Closet Brony Pony

..... I've registered up to 1000 port attacks... and a dozen infiltrating attacks (blocked)... in one day... my pipe is so huge that everyone is trying to take advantage of me... My router auto-disconnects the net if it registers a few too many hardcore attacks, just to be safe... I've set it this way so I know what is happening...
#5
Obvious Closet Brony Pony

BTW, logla... did this happen while browsing DH?... as I and a few others have come across an unloaded ad trying to do something weird... (might not be an ad)
#6
Obvious Closet Brony Pony

http://www.hardwareheaven.com/showthre...threadid=30040 ... Maybe an admin can merge this thread into that link... and maybe change the title to suit...
#7
Boney Admin
Join Date: Nov 2003
Location: somewhere over the rainbow
Posts: 659

As the guys before me said, nothing really to worry about, but here is the info from that IP.

inetnum: 195.188.0.0 - 195.188.255.255
netname: UK-CABLEINET-960703
descr: PROVIDER
descr: Cable Internet Ltd
country: GB
admin-c: CS82-RIPE
admin-c: SL3595-RIPE
tech-c: MG645-RIPE
tech-c: SB5110-RIPE
status: ALLOCATED PA
notify: ripe@telewest.net
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: AS5462-MNT
mnt-routes: AS5462-MNT
changed: hostmaster@ripe.net 19960703
changed: hostmaster@ripe.net 19980916
changed: hostmaster@ripe.net 19981110
changed: hostmaster@ripe.net 19990824
changed: hostmaster@ripe.net 20010112
changed: hostmaster@ripe.net 20020220
changed: hostmaster@ripe.net 20020422
changed: hostmaster@ripe.net 20020423
changed: hostmaster@ripe.net 20020613
changed: hostmaster@ripe.net 20020624
source: RIPE

route: 195.188.0.0/16
descr: Telewest Broadband
descr: UK Broadband ISP
origin: AS5462
notify: ripe@telewest.net
mnt-by: AS5462-MNT
remarks: report abuse to abuse@blueyonder.co.uk
remarks: All reports via other channels will be ignored.
changed: ripe-admin@blueyonder.co.uk 20020709
source: RIPE

person: Chris Stallwood
address: Telewest Communications
address: Unit 1, Genesis Business Park
address: Woking, Surrey GU21 5RW
address: United Kingdom
phone: +44 1483 295 227
fax-no: +44 1483 251 810
e-mail: chris.stallwood@telewest.co.uk
nic-hdl: CS82-RIPE
notify: chris.stallwood@telewest.co.uk
changed: at-dom.admin@nic.at 20000225
source: RIPE

person: Steve Layzell
address: Telewest
address: Genesis Business Park
address: Woking
address: Surrey
phone: +44 1483 750 900
e-mail: steve.layzell@blueyonder.co.uk
nic-hdl: SL3595-RIPE
notify: mike@cableinet.net
changed: mike@cableinet.net 20010108
source: RIPE

person: Steve Brocklebank
address: Telewest
address: Genesis Business Park
address: Woking
address: Surrey
phone: +44 1483 750 900
e-mail: sb@cableinet.net
nic-hdl: SB5110-RIPE
notify: sb@cableinet.co.uk
changed: sb@cableinet.net 19990908
source: RIPE

person: Mike Garrett
address: Telewest Communications (Cable Internet)
address: Genesis Busines Park
address: Woking, Surrey
address: GU21 5RW
phone: +44 1483 776796
fax-no: +44 1483 251 810
e-mail: mike@cableinet.net
nic-hdl: MG645-RIPE
changed: mike@cableinet.net 20010426
source: RIPE
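The record above already carries the one field that matters if you want to report the scan: the `remarks:` line on the route object naming the abuse mailbox, with a note that reports sent anywhere else are ignored. As an added example (not code from the thread, from RIPE, or from any whois client), here is a small parser for that `attribute: value` object format that pulls out the allocation, netname, origin AS and the designated abuse contact. The sample text is an abbreviated, constructed copy of the inetnum and route objects quoted above; the `abuse-mailbox:` attribute the code also checks is the one the RIPE database uses today and does not appear in this older dump.

```python
"""Parse RIPE-style whois output and pull out what a defender needs before
filing an abuse report: the allocation, its netname, the originating AS and
the address the registrant designates for abuse reports.

Added example, not from the thread or from RIPE. SAMPLE_WHOIS is a trimmed,
constructed copy of the inetnum and route objects quoted in the thread."""
import re
from typing import Dict, List

SAMPLE_WHOIS = """\
inetnum:      195.188.0.0 - 195.188.255.255
netname:      UK-CABLEINET-960703
descr:        PROVIDER
descr:        Cable Internet Ltd
country:      GB
admin-c:      CS82-RIPE
tech-c:       MG645-RIPE
status:       ALLOCATED PA
mnt-by:       RIPE-NCC-HM-MNT
source:       RIPE

route:        195.188.0.0/16
descr:        Telewest Broadband
origin:       AS5462
remarks:      report abuse to abuse@blueyonder.co.uk
remarks:      All reports via other channels will be ignored.
mnt-by:       AS5462-MNT
source:       RIPE
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_whois_objects(text: str) -> List[Dict[str, List[str]]]:
    """Split whois text into objects (separated by blank lines) and each
    object into attribute -> list of values. RIPE attributes such as descr,
    remarks and admin-c legitimately repeat, so every value is kept in order."""
    objects: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        # A blank line ends the object; '%' lines are whois server comments.
        if not line or line.startswith("%"):
            if current:
                objects.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def abuse_contacts(objects: List[Dict[str, List[str]]]) -> List[str]:
    """Addresses the registrant explicitly designates for abuse reports:
    any abuse-mailbox attribute plus e-mail addresses in remarks that
    mention abuse. Plain notify/e-mail fields are deliberately ignored;
    those are maintainers, not abuse desks."""
    found = []
    for obj in objects:
        found.extend(obj.get("abuse-mailbox", []))
        for remark in obj.get("remarks", []):
            if "abuse" in remark.lower():
                found.extend(EMAIL_RE.findall(remark))
    return sorted(set(found))


def summarize(text: str) -> Dict[str, object]:
    """The facts worth putting in a report: which block the address sits in,
    its netname, the origin AS (when a route object is present) and the
    abuse contact(s)."""
    objects = parse_whois_objects(text)
    summary = {"inetnum": None, "netname": None, "origin": None,
               "abuse": abuse_contacts(objects)}
    for obj in objects:
        if "inetnum" in obj:
            summary["inetnum"] = obj["inetnum"][0]
            summary["netname"] = obj.get("netname", [None])[0]
        if "route" in obj:
            summary["origin"] = obj.get("origin", [None])[0]
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_WHOIS).items():
        print(f"{key:8} {value}")
```

Running it against the sample yields the /16 allocation, netname UK-CABLEINET-960703, origin AS5462 and abuse@blueyonder.co.uk as the only abuse contact; the poster's own finding in #23, that mailing the ISP's abuse address bounced, is exactly the kind of thing worth checking this way before assuming a report was received.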
#8
Obvious Closet Brony Pony

Is that me, or does that look like it came from an ISP? Logla, is that YOUR ISP?
#9
Still watching...
Join Date: Nov 2002
Location: Orihuela (Spain)
Posts: 1,560

Most of the attacks I get come from my ADSL provider; nothing to worry about though, scanning clients' ports is part of their protocol.
#10
Obvious Closet Brony Pony

What are they doing that for?... I've never registered a port scan from mine...
#11
Live from the Dungeon
Join Date: May 2003
Location: Between the SubWoofers
Posts: 1,395

I have Road Runner and their policy is, if you have a web or mail server, they will do a weekly scan of your system to make sure it is secure, mainly the mail server. I have both, so I get scanned by them weekly... the funny part is they got mad because my mail server is TOO secure and they can't do a full scan of it... hehehehe, gotta love security.
#12
Obvious Closet Brony Pony

lol... they got mad?... they phoned you or something?
#13
Obvious Closet Brony Pony

BTW, if anyone really wants to get into someone's machine... they can piggyback the e-mail... nasty... hard... but can be done...
#14
Live from the Dungeon
Join Date: May 2003
Location: Between the SubWoofers
Posts: 1,395

No, they sent me an e-mail (their security team) and asked me to tone down my mail server security so they could do a full scan. I replied by saying "No, I will not back down my security for your scans because that would defeat the purpose of having security."
They never did respond...
#15
Obvious Closet Brony Pony

lol
#16
Still watching...
Join Date: Nov 2002
Location: Orihuela (Spain)
Posts: 1,560

lol, good response..
#17
HardwareHeaven Extreme Member

Port scans are against all ISPs' TOS and can be a fineable offence; always report them!
#18
HardwareHeaven Extreme Member
Join Date: May 2003
Posts: 3,311

Skull, I used the firewall to find the info on the IP and I got the following:

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
ReferralServer: whois://whois.ripe.net
NetRange: 195.0.0.0 - 195.255.255.255
CIDR: 195.0.0.0/8
NetName: RIPE-CBLK3
NetHandle: NET-195-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS.RIPE.NET
NameServer: NS2.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH03.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1996-03-25
Updated: 2003-09-19
TechHandle: RIPE-NCC-ARIN
TechName: RIPE NCC Hostmaster
TechPhone: +31 20 535 4444
TechEmail: search-ripe-ncc-not-arin@ripe.net
OrgTechHandle: RIPE-NCC-ARIN
OrgTechName: RIPE NCC Hostmaster
OrgTechPhone: +31 20 535 4444
OrgTechEmail: search-ripe-ncc-not-arin@ripe.net

ARIN WHOIS database, last updated 2003-11-06 19:15
Enter ? for additional hints on searching ARIN's WHOIS database.
#19
Boney Admin
Join Date: Nov 2003
Location: somewhere over the rainbow
Posts: 659

Your own ISP doing a port scan is commonplace; it's nothing sinister, they can be running network checks. If your firewall is properly configured you have nothing to worry about anyway. Get yourself a decent hardware router/firewall. I don't trust software for firewalling.
#20
HH Old Fuddy Duddy

With DSL and cable I've gotten similar activity when they send a lease renewal. In some cases I've had to reset my router... which clones my MAC address.
But the activity mentioned in that other thread I started was REALLY bad. I almost couldn't respond to a thread because the page kept reloading. It was fixed pretty quick, though.
#21
HardwareHeaven Extreme Member
Join Date: May 2003
Posts: 3,311

Well, it seems to have stopped now. I reported it anyway.
#22
HardwareHeaven Extreme Member
Join Date: May 2003
Posts: 3,311

Erm, something strange here. I just noticed that the IP address that is scanning my PC is the one that shows in the "IP logged" part of each of my posts. Sure I am not scanning my own ports? Am I?
BTW, this is not the IP address assigned to my machine as reported in ipconfig.
#23
HardwareHeaven Extreme Member
Join Date: May 2003
Posts: 3,311

And now it gets even better.
My firewall reported tonight that I had been subjected to a 'Jolt attack' from IP 82.41.193.102. This looks like another one of my ISP's servers but I can't be sure. This has only happened since I blocked the IP that was perpetrating the port scan attack. If I try to report this to my ISP's abuse email address I get an automated email saying that I should not email their address. The joys, the joys.
#24
Obvious Closet Brony Pony

... I would report your ISP then...
#25
HardwareHeaven Extreme Member
Join Date: May 2003
Posts: 3,311

Who to?
#26
A Legend in Underwear
Join Date: May 2002
Location: Unknown
Posts: 5,255

I get scanned by my ISP for open relays (like email, for example) every 30 minutes or so. This is common practice so they can warn and then shut down people with very poorly configured PCs.
I bet that in your T&Cs somewhere is an entry allowing your ISP to do this.
#27
DriverHeaven Senior Member
Join Date: Jun 2003
Location: USA
Posts: 2,761

Chief... try this:
Grab yourself ZoneAlarm PRO - none of this McAfee trash. You were right about that monkey, he lives in the UK. You can contact the ISP on this number:
#28
unplugged

Quote:
#29
DriverHeaven Senior Member
Join Date: Jun 2003
Location: USA
Posts: 2,761

Yeah, but it ain't McAfee firewall! It's a DNS tracer.
#30
unplugged

Is the free ZoneAlarm pretty good for a software firewall? I just installed it for the first time. I haven't been using any but Windows Firewall so far, with no problems for 3 years, but I keep things up to date. I'm getting popups every 3 seconds saying that ZoneAlarm is blocking things, pretty cool. I'll be shutting off the notifications soon, but it's cool to see that it's doing something. 22 alerts in the first 5 minutes. I take it there is no need to run XP's firewall with ZoneAlarm running, correct? Cause I'm not.

*******************************************
NeoTrace Trace Version 3.25 Results
Target: 82.36.202.87
Date: 12/2/2003 (Tuesday), 8:07:10 am
Nodes: 2

Node Data
Node Net Reg IP Address Location Node Name
2 1 1 82.36.202.87 Birmingham 82-36-202-87.cable.ubr02.sutt.blueyonder.co.uk

Packet Data
Node High Low Avg Tot Lost
2 ---- ---- ---- 2 2

Network Data
Network id#: 1
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
ReferralServer: whois://whois.ripe.net
NetRange: 82.0.0.0 - 82.255.255.255
CIDR: 82.0.0.0/8
NetName: 82-RIPE
NetHandle: NET-82-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2002-11-23
Updated: 2003-09-19
OrgTechHandle: RIPE-NCC-ARIN
OrgTechName: RIPE NCC Hostmaster
OrgTechPhone: +31 20 535 4444
OrgTechEmail: search-ripe-ncc-not-arin@ripe.net
ARIN WHOIS database, last updated 2003-12-01 19:15

Registrant Data
Registrant id#: 1
Domain Name: blueyonder.co.uk
Registrant: Telewest Communications PLC
Administrative Contact's Address: Cable Internet Ltd. Unit 2 Genesis Busines Park Woking Surrey GU21 5RW
Registrant's Agent: Telewest Communications Plc [Tag = TELEWEST]
URL: http://www.telewest.co.uk
Relevant Dates:
Registered on: 19-Oct-1999
Renewal Date: 19-Oct-2003
Last updated: 28-Mar-2002
Registration Status: Renewal invoice being processed.
Name servers listed in order:
ns.blueyonder.co.uk 195.188.53.114
ns2.blueyonder.co.uk 195.188.53.113
ns3.cableinet.net 194.117.152.85
WHOIS database last updated at 12:49:59 02-Dec-2003 -- (c) Nominet UK
For further information and terms of use please see http://www.nic.uk/whois
_____
NeoTrace Copyright ©1997-2001 NeoWorx Inc
***************************************************************

keeps trying to scan me.

Last edited by BWX; Dec 2, 2003 at 01:05 PM.