
Thread: isp port scanning

  1. #1
    jtw00 Guest
    I use ZA and getting alerts on average
    one every two minutes from the domain
    from which I have service. Different
    IP's but all originating from the same
    domain. Scanning different ports.

    Mr.Byte, what might your assessment be? Any good reason for this you know?
    Appreciate any help from anyone.
    jtw

  2. #2
    Join Date
    May 2001
    Posts
    121
    My guess is that there is a script kiddie, or several ones, who scan the computers in your ISP's netblock trying to find a security hole, such as open NetBIOS shares or a trojan like BackOrifice. If they find such computer(s), they'll try to break in and steal your account's password or some private info. That's what most of the attackers try to do:-) Usually they're not looking for a particular person.

    When I use a dial-up connection, I often get similar portscans as well.

    What ports do they try to access?

  3. #3
    Join Date
    May 2001
    Posts
    218

    isp port scanning

    jtw00...

    Another possibility is there may be a worm in ISP netblock scanning without human intervention.

    If you are running ZA Pro you can block all IPs in ISP netblock except those you need, i.e. DNS and mail IPs.
    Blacksheep

  4. #4
    jtw00 Guest
    The firewall has blocked Internet access to your computer (HTTP) from ***.**.**.***(TCP Port 4*62).
    This is one I just got. There are many
    ports they use such as ,24**,45*2,*6*5,
    2000,20*7,40*4.

    Some refer to "Netbios" scan. You are saying that there's no logical reason
    an isp would have for doing it?
    Is there any way for the isp to determine who's behind it?
    What's the difference between an Http
    scan and a Netbios?
    My apologies for so many questions.
    Thanks a bunch,
    jtw

  5. #5
    jtw00 Guest
    Thanks Blacksheep,
    I was just posting as you were and
    didn't see your post until after.
    I wrote to "abuse@myisp" last night
    with a long list of alerts hoping they
    will look into it.
    As I write this I have received over
    a dozen alerts. The worm you speak of
    seems like a possibility.
    Going now to see about ZApro.
    Muchus thanks,
    jtw

  6. #6
    Join Date
    May 2001
    Posts
    121

    "The firewall has blocked Internet access to your computer (HTTP) from ***.**.**.***(TCP Port 4*62).
    This is one I just got. There are many
    ports they use such as ,24**,45*2,*6*5,
    2000,20*7,40*4."

    Ok, so the attacker is trying to connect to your HTTP port from his port 4*62 (in fact, his port is not important). HTTP connects are *very* frequent these days, because thousands of web servers are infected with the Code Red worm. I myself get over *0 such scans every day. I wouldn't worry.

    "Some refer to "Netbios" scan. You are saying that there's no logical reason
    an isp would have for doing it?"

    Your ISP itself? I doubt it, they already have your password and read your mail without any problems:-) But your ISP's customers, users like you and me, might do it.

    "Is there any way for the isp to determine who's behind it?"

    Behind the attacks? Yes, if the IP addresses belong to their netblock. But there are two problems here:

    1. They might not be interested in investigating this. These problems are too minor.

    2. What exactly are you going to report? That someone tried to connect to your HTTP port? So what? People will scan ports, no matter what you do. In most jurisdictions it's legal. You can't stop them all. If I had reported all such portscans, I'd have spent all my time writing letters to abuse@whatever.isp. In **% of the cases I just ignore such portscans because they cannot affect the security and connectivity of my system. In *% of the cases, where I see that the attacker is dedicated and/or dangerous, or he/she is flooding my system, I might decide to report the case, or just counterattack.

    "What's the difference between an Http
    scan and a Netbios?"

    An HTTP scan is an attempt to find out if you have a web server running. Since you are not running it, this portscan won't hurt your system.

    A NetBIOS scan is an attempt to find out if you have shared resources available, such as disks, folders, or printers. If you do have shared folders, make sure that they are password-protected and your password is really unusual. If memory serves me, a NetBIOS password is max. *4 characters long and is not case-sensitive, so mixing case won't help. Also, be sure to apply the latest patches for your OS, because a bug in the NetBIOS implementation under Win*x allows a malicious user to gain access to your shares very quickly, regardless of your password.

    "My apologies for so many questions.
    Thanks a bunch,"

    No problem, glad to help.

    MrByte

  7. #7
    jtw00 Guest

    counter-attack?

    I've just purchased ZA pro. Seems to
    have a lot of options.
    I tried blocking the whole netblock
    the alerts are coming from but unfortunately I am in it.
    I'm getting about *0 an hour.

    Blacksheep wrote,
    "Another possibility is there may be a worm in ISP netblock scanning without human intervention."

    If there is a worm in the netblock,
    wouldn't the isp want to know? I do.

    While looking for ZA pro I came across
    an alert about a vulnerability in ZA.

    [url]http://www.securitynewsportal.com/article.php?sid=4*&mode=thread&order=0[/url]

    Maybe all the more reason to find out if a worm exists in netblock.

    Any links to "countering" anyone?
    Muchos Gratias,
    jtw

  8. #8
    jtw00 Guest

    *0 a day



    Quote
    "I myself get over *0 such scans every day"

    I just downloaded a program and left.
    When I returned * hours later, had **6
    scans.
    I have run ZA for a year. I've had 4
    different ISPs. *0 scans or less a
    day is what I have been used to, also. I
    am just wondering why for about a month
    and a half, the number has increased
    sharply.

    I do know that at the same time,
    my isp changed who they wholesale from
    and my ip changed to a different netblock.


    jtw

  9. #9
    Join Date
    May 2001
    Posts
    218

    scans/hits from ISP netblock...

    Most quotes are from jtw00:

    "I've just purchased ZA pro. Seems to
    have a lot of options.
    I tried blocking the whole netblock
    the alerts are coming from but unfortunately I am in it."

    You must not block your ISP's DNS (domain name server) and mail server IPs. If you don't know what IPs they are, these instructions are for dial-up, Win*X:

    DNS IPs; My Computer- Dial-Up Networking- right click ISP- properties- Server Types- TCP/IP Settings

    Mail server IP; try a whois on mail.yourISP.com

    If above doesn't work for you, you can call ISP techie.

    "If there is a worm in the netblock,
    wouldn't the isp want to know?"

    Maybe. My old ISP didn't give a shi~. But, you could contact your ISP and offer your firewall logs. I found a worm in a biz network not long ago. Sysadmin was happy I alerted him but sad it was in his network. Took him 2 weeks to kill it in all his comps.

    "While looking for ZA pro I came across
    an alert about a vulnerability in ZA.

    [url]http://www.securitynewsportal.com/a...=thread&order=0[/url] "

    Interesting link...
    This is a Win*X OS vulnerability (Thanks Bill) whereby any running process can be terminated without any warning to user. A remote control backdoor already exploits this Win OS flaw and can kill several firewalls and anti-virus progs if it gets in your comp. Don't let it in.;-) Be careful what progs you give firewall permission to. Don't click on cracker links.

    "Maybe all the more reason to find out if a worm exists in netblock."

    Like Mr Byte says: "In **% of the cases I just ignore such portscans because they cannot affect the security and connectivity of my system. In *% of the cases, where I see that the attacker is dedicated and/or dangerous, or he/she is flooding my system, I might decide to report the case, or just counterattack."

    I think most of these hits are machine generated- not a guy at a keyboard attacking you personally.

    If you gotta good firewall, anti-virus, you can relax a little. For me, a good packet sniffer is also indispensable.

    [url]http://www.tamos.com/products/commview/[/url]

    P.S.
    I didn't mention the name of the "terminate process" trojan because all kinds of people read this forum- hackers, crackers, script kiddies, virus writers, sysadmins, LEA, government agents, gurus, newbies... let the bad guys find their own tools.

    Also, if you have a really crappy ISP, he might scan you from DNS and/or mail IPs; but, ZA will catch it.
    Last edited by Blacksheep; 08-07-2001 at 11:32 PM.
    Blacksheep
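
The distinction the replies above draw, between machine-generated hits on one port from many hosts and a single dedicated source probing many ports, can be checked against a batch of firewall alerts before deciding whether to send logs to the ISP. The following is an added example and not part of the thread; the "source_ip dest_port" line format, the thresholds and the function name `triage` are assumptions, and the sample alerts are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample alerts (documentation address ranges), one per line:
# "source_ip dest_port". The format is an assumption made for this example.
SAMPLE_ALERTS = """\
198.51.100.7 80
198.51.100.23 80
198.51.100.140 80
198.51.100.201 80
198.51.100.66 139
198.51.100.66 137
198.51.100.66 1080
198.51.100.66 21
198.51.100.66 23
203.0.113.9 80
"""

def triage(alert_text, own_netblock, sweep_ports=4, noise_sources=3):
    """Split alerts into per-port background noise and per-host sweeps."""
    net = ipaddress.ip_network(own_netblock)
    ports_by_src = defaultdict(set)   # source -> ports it probed
    srcs_by_port = defaultdict(set)   # port -> sources that probed it
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        src, port = line.split()
        ports_by_src[src].add(int(port))
        srcs_by_port[int(port)].add(src)
    # One host probing many different ports: the case worth reporting.
    sweeps = {s: sorted(p) for s, p in ports_by_src.items()
              if len(p) >= sweep_ports}
    # Many hosts probing the same port: typical of a spreading worm.
    noise = {}
    for port, srcs in srcs_by_port.items():
        if len(srcs) >= noise_sources:
            local = sum(ipaddress.ip_address(s) in net for s in srcs)
            noise[port] = {"sources": len(srcs), "in_own_netblock": local}
    return {"sweeps": sweeps, "noise": noise}

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS, "198.51.100.0/24"))
```

The `in_own_netblock` count shows how many of the noisy sources sit in the same ISP range as the reader, which is the detail an abuse desk can act on.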
