Security Basics mailing list archives

Re: Repeated Port Scan


From: Rich Franklin <rlfranklin2 () ameritech net>
Date: 30 Jun 2003 07:38:04 -0000

In-Reply-To: <5.2.1.1.2.20030625162812.00a6f710 () mail comcast net>

The IP addresses that you listed show up as the following;
Network Information for 66.230.230.115
Neucom, Inc. NEUCOM (NET-66-230-192-0-1)
                                 66.230.192.0 - 66.230.239.255
NetTuner Corporation (Webmasters.com) WEBMASTERS-20031402 (NET-66-230-230-0-1)
                                  66.230.230.0 - 66.230.230.255
# ARIN WHOIS database, last updated 2003-06-29 21:05
# Enter ? for additional hints on searching ARIN's WHOIS database.

Network Information for 192.168.254.156


OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:       Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US
NetRange:   192.168.0.0 - 192.168.255.255
CIDR:       192.168.0.0/16
NetName:    IANA-CBLK1
NetHandle:  NET-192-168-0-0-1
Parent:     NET-192-0-0-0-0
NetType:    IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment:    This block is reserved for special purposes.
Comment:    Please see RFC 1918 for additional information.
Comment:
RegDate:    1994-03-15
Updated:    2002-09-16

OrgTechHandle: IANA-ARIN
OrgTechName:   Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-823-9358
OrgTechEmail:  res-ip () iana org
# ARIN WHOIS database, last updated 2003-06-29 21:05
# Enter ? for additional hints on searching ARIN's WHOIS database.

As to the port scan, make sure that all possible services are shut down, 
and then run netstat -a at a DOS prompt to see if those same services are 
still running.  XP is known to have services running in the middle to 
upper end for ports.

Hope this information helps you.

Rich





I've been getting port scans from the same IP address for 3 days.  It is 
not scanning continuously but will usually scan me every 2 hours for a few 
hours.  When I do a whois on the address it doesn't give much information 
on who to contact about abuse.  I'm thinking that the computer scanning me 
has been compromised and is looking for other computers to infect.  The 
source port is random but the local port is not.  It scans to see if ports 
1075, 3128, 4588, 6588, and 8080 are open.  I ran Retina against the 
machine and it's running a default install of Apache without much of 
anything configured.  The Sequence # of the packets is always 666666 and all 
have the SYN flag set.  Does anybody know of any worms or Trojans that scan 
for these ports and have these features?  Also, if whois doesn't give much 
information, how can I find out who to contact about this?  I've attached 
some of the packets that I've captured, along with the whois 
information.  Any help is appreciated.

TIA
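Rich's advice above is to run netstat -a and check whether anything is actually listening on the ports the scanner keeps probing.  The script below is an added example (not posted by anyone in this thread) that does that comparison for you: it parses the Windows XP style of netstat output, keeps only TCP sockets in the LISTENING state (plus UDP sockets, which have no state), and reports which of the five probed ports (1075, 3128, 4588, 6588, 8080) are open.  The SAMPLE_NETSTAT text is a constructed sample for offline use, not real output from the poster's machine; the hostnames and port assignments in it are assumptions.  Using -an instead of -a avoids DNS lookups on every foreign address, and on XP adding -o shows the owning PID so you can identify the service behind a port.

```python
import re
import subprocess

# Ports the original poster saw being probed (taken from the message above).
PROBED_PORTS = {1075, 3128, 4588, 6588, 8080}

# Constructed sample of Windows XP "netstat -an" output (not a real capture).
# 3128 is shown LISTENING so the check has something to find; 1075 appears
# only as an ESTABLISHED client-side connection, which is not a listening service.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.254.156:139    0.0.0.0:0              LISTENING
  TCP    192.168.254.156:1075   66.230.230.115:4431    ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.254.156:137    *:*
"""

# One netstat row: proto, local addr:port, foreign addr, optional state.
# The greedy \S+ backtracks to the last colon, so IPv6 "[::]:135" also parses.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def parse_listening(text):
    """Return a set of (proto, port) for every TCP LISTENING socket and every UDP socket."""
    listening = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, blank lines
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED / TIME_WAIT sockets are not services awaiting a SYN
        listening.add((proto, int(port)))
    return listening


def exposed_probed_ports(text, probed=PROBED_PORTS):
    """Sorted list of probed TCP ports that are actually accepting connections."""
    return sorted(p for proto, p in parse_listening(text)
                  if proto == "TCP" and p in probed)


def live_exposed_ports(probed=PROBED_PORTS):
    """Run netstat on the local Windows box and compare against the probed ports.

    Only the Windows netstat output format is parsed here; Linux netstat prints
    lowercase protocol names and a different column layout.
    """
    out = subprocess.run(["netstat", "-an"], capture_output=True,
                         text=True, check=True).stdout
    return exposed_probed_ports(out, probed)


if __name__ == "__main__":
    print("probed ports listening in sample:", exposed_probed_ports(SAMPLE_NETSTAT))
    try:
        print("probed ports listening on this host:", live_exposed_ports())
    except (OSError, subprocess.CalledProcessError) as err:
        print("could not run netstat here:", err)
```

If a probed port shows up as LISTENING after you believe you have disabled the service, that is the one to chase down: on XP, netstat -ano gives the PID, and the Services control panel or tasklist tells you what owns it.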

