ISP port scanning



jtw00
08-05-2001, 02:52 AM
I use ZA and am getting alerts, on average one every two minutes, from the domain from which I have service. Different IPs, but all originating from the same domain, scanning different ports.

Mr.Byte, what might your assessment be? Any good reason for this that you know of?
Appreciate any help from anyone.
jtw

MrByte
08-05-2001, 11:17 AM
My guess is that there is a script kiddie, or several ones, who scan the computers in your ISP's netblock trying to find a security hole, such as open NetBIOS shares or a trojan like BackOrifice. If they find such computer(s), they'll try to break in and steal your account's password or some private info. That's what most of the attackers try to do:-) Usually they're not looking for a particular person.

When I use a dial-up connection, I often get similar portscans as well.

What ports do they try to access?

Blacksheep
08-05-2001, 02:32 PM
jtw00...

Another possibility is there may be a worm in ISP netblock scanning without human intervention.

If you are running ZA Pro you can block all IPs in ISP netblock except those you need, i.e. DNS and mail IPs.

jtw00
08-05-2001, 02:36 PM
"The firewall has blocked Internet access to your computer (HTTP) from ***.**.**.***(TCP Port 4*62)."
This is one I just got. There are many ports they use, such as 24**, 45*2, *6*5, 2000, 20*7, 40*4.

Some refer to a "Netbios" scan. You are saying that there's no logical reason an ISP would have for doing it?
Is there any way for the ISP to determine who's behind it?
What's the difference between an HTTP scan and a NetBIOS scan?
My apologies for so many questions.
Thanks a bunch,
jtw

jtw00
08-05-2001, 02:44 PM
Thanks Blacksheep,
I was just posting as you were and didn't see your post until after.
I wrote to "abuse@myisp" last night with a long list of alerts, hoping they will look into it.
As I write this I have received over a dozen alerts. The worm you speak of seems like a possibility.
Going now to see about ZA Pro.
Muchos thanks,
jtw

MrByte
08-05-2001, 04:43 PM
"The firewall has blocked Internet access to your computer (HTTP) from ***.**.**.***(TCP Port 4*62).
This is one I just got. There are many ports they use such as 24**, 45*2, *6*5, 2000, 20*7, 40*4."

Ok, so the attacker is trying to connect to your HTTP port from his port 4*62 (in fact, his port is not important). HTTP connects are *very* frequent these days, because thousands of web servers are infected with the Code Red worm. I myself get over *0 such scans every day. I wouldn't worry.

"Some refer to a 'Netbios' scan. You are saying that there's no logical reason an ISP would have for doing it?"

Your ISP itself? I doubt it, they already have your password and read your mail without any problems:-) But your ISP's ********s, users like you and me, might do it.

"Is there any way for the ISP to determine who's behind it?"

Behind the attacks? Yes, if the IP addresses belong to their netblock. But there are two problems here:

*. They might not be interested in investigating this. These problems are too minor.

2. What exactly are you going to report? That someone tried to connect to your HTTP port? So what? People will scan ports, no matter what you do. In most jurisdictions it's legal. You can't stop them all. If I had reported all such portscans, I'd have spent all my time writing letters to abuse@whatever.isp. In **% of the cases I just ignore such portscans because they cannot affect the security and connectivity of my system. In *% of the cases, where I see that the attacker is dedicated and/or dangerous, or he/she is flooding my system, I might decide to report the case, or just counterattack.

"What's the difference between an HTTP scan and a NetBIOS scan?"

An HTTP scan is an attempt to find out if you have a web server running. Since you are not running one, this portscan won't hurt your system.

A NetBIOS scan is an attempt to find out if you have shared resources available, such as disks, folders, or printers. If you do have shared folders, make sure that they are password-protected and your password is really unusual. If memory serves me, a NetBIOS password is max. *4 characters long and is not case-sensitive, so mixing case won't help. Also, be sure to apply the latest patches for your OS, because a bug in the NetBIOS implementation under Win*x allows a malicious user to gain access to your shares very quickly, regardless of your password.

"My apologies for so many questions.
Thanks a bunch,"

No problem, glad to help.

MrByte

MrByte
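
As an added example (not code from the thread or from ZoneAlarm), here is how a practitioner might sort the alerts MrByte describes above: parse ZoneAlarm-style "blocked Internet access" lines, label each as an HTTP probe (the Code Red-era web-server scans) or a NetBIOS share probe, count hits per source address, and keep only the sources inside the ISP's own netblock for an abuse@ mail. The log lines, addresses, ports and the netblock 10.20.0.0/16 are all constructed for the example; the service labels "HTTP", "NetBIOS Name" and "NetBIOS Session" are assumed to be what the firewall writes in parentheses.

```python
"""Classify and aggregate ZoneAlarm-style firewall alerts.

Added example, not code from the original thread. SAMPLE_LOG is constructed
to match the "The firewall has blocked Internet access to your computer
(SERVICE) from IP (PROTO Port N)" wording quoted in the thread; addresses,
ports and timestamps are made up, and the ISP netblock is an assumption.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log; the last line is deliberately not an alert.
SAMPLE_LOG = """\
08-05-2001 14:36:02 The firewall has blocked Internet access to your computer (HTTP) from 10.20.30.40 (TCP Port 4162).
08-05-2001 14:37:15 The firewall has blocked Internet access to your computer (NetBIOS Name) from 10.20.31.7 (UDP Port 137).
08-05-2001 14:37:40 The firewall has blocked Internet access to your computer (HTTP) from 10.20.30.40 (TCP Port 4170).
08-05-2001 14:39:01 The firewall has blocked Internet access to your computer (HTTP) from 192.0.2.55 (TCP Port 2000).
08-05-2001 14:40:12 The firewall has blocked Internet access to your computer (NetBIOS Session) from 10.20.31.7 (TCP Port 1045).
08-05-2001 14:41:00 ZoneAlarm started successfully.
"""

# The service name in parentheses is the *destination* service on your
# machine; the port after the address is the attacker's *source* port,
# which (as MrByte notes) tells you little, so it is parsed but not used
# for classification.
ALERT_RE = re.compile(
    r"The firewall has blocked Internet access to your computer "
    r"\((?P<service>[^)]+)\) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\((?P<proto>TCP|UDP) Port (?P<sport>\d+)\)"
)


def parse_alert(line):
    """Return a dict for a blocked-inbound alert line, or None otherwise."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "service": m.group("service"),
        "src": ip_address(m.group("src")),
        "proto": m.group("proto"),
        "sport": int(m.group("sport")),
    }


def classify(service):
    """Map the service label to the kind of probe it represents.

    'http':    a web-server scan (Code Red-era worms hit port 80);
               harmless if you run no web server.
    'netbios': a scan for Windows file/printer shares; worth caring
               about if you have shared folders.
    """
    label = service.upper()
    if label == "HTTP":
        return "http"
    if label.startswith("NETBIOS"):
        return "netbios"
    return "other"


def summarize(log_text, isp_netblock):
    """Aggregate alerts per source IP.

    Returns {src_ip_str: {"count": int, "kinds": Counter,
                          "in_isp_netblock": bool}}.
    """
    net = ip_network(isp_netblock)
    per_src = {}
    for line in log_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        entry = per_src.setdefault(
            str(a["src"]),
            {"count": 0, "kinds": Counter(), "in_isp_netblock": a["src"] in net},
        )
        entry["count"] += 1
        entry["kinds"][classify(a["service"])] += 1
    return per_src


def abuse_report(per_src, min_hits=2):
    """Text for an abuse@ mail: only sources inside the ISP's own netblock
    (the ones it can actually act on) with at least min_hits alerts,
    most active first."""
    lines = []
    for src, e in sorted(per_src.items(), key=lambda kv: -kv[1]["count"]):
        if not e["in_isp_netblock"] or e["count"] < min_hits:
            continue
        kinds = ", ".join(f"{k}={n}" for k, n in sorted(e["kinds"].items()))
        lines.append(f"{src}: {e['count']} blocked connection attempts ({kinds})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(abuse_report(summarize(SAMPLE_LOG, "10.20.0.0/16")))
```

Run it over a real exported log instead of SAMPLE_LOG and the report is the part worth sending: repeated hits from one in-netblock address with the NetBIOS label is exactly the "worm in the netblock" pattern Blacksheep mentions, while a single HTTP hit from somewhere outside the netblock is the background noise MrByte says to ignore.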

jtw00
08-05-2001, 06:38 PM
I've just purchased ZA Pro. Seems to have a lot of options.
I tried blocking the whole netblock the alerts are coming from, but unfortunately I am in it.
I'm getting about *0 an hour.

Blacksheep wrote,
"Another possibility is there may be a worm in ISP netblock scanning without human intervention."

If there is a worm in the netblock, wouldn't the ISP want to know? I do.

While looking for ZA Pro I came across an alert about a vulnerability in ZA.

http://www.securitynewsportal.com/article.php?sid=4*&mode=thread&order=0

Maybe all the more reason to find out if a worm exists in the netblock.

Any links to "countering", anyone?
Muchas gracias,
jtw

jtw00
08-06-2001, 01:19 AM
Quote:
"I myself get over *0 such scans every day"

I just downloaded a program and left. When I returned * hours later, I had **6 scans.
I have run ZA for a year. I've had 4 different ISPs. *0 scans or less a day is what I have been used to, also. I am just wondering why, for about a month and a half, the number has increased sharply.

I do know that at the same time my ISP changed who they wholesale from and my IP changed to a different netblock.

jtw

Blacksheep
08-06-2001, 09:23 PM
Most quotes are from jtw00:

"I've just purchased ZA Pro. Seems to have a lot of options. I tried blocking the whole netblock the alerts are coming from, but unfortunately I am in it."

You must not block your ISP's DNS (domain name server) and mail server IPs. If you don't know what IPs they are, these instructions are for dial-up, Win*X:

DNS IPs: My Computer - Dial-Up Networking - right-click ISP - Properties - Server Types - TCP/IP Settings

Mail server IP: try a whois on mail.yourISP.com

If the above doesn't work for you, you can call an ISP techie.

"If there is a worm in the netblock,
wouldn't the isp want to know?"

Maybe. My old ISP didn't give a shi~. But, you could contact your ISP and offer your firewall logs. I found a worm in a biz network not long ago. Sysadmin was happy I alerted him but sad it was in his network. Took him 2 weeks to kill it in all his comps.

"While looking for ZA pro I came across
an alert about a vulnerability in ZA.

http://www.securitynewsportal.com/a...=thread&order=0 "

Interesting link...
This is a Win*X OS vulnerability (Thanks Bill) whereby any running process can be terminated without any warning to the user. A remote control backdoor already exploits this Win OS flaw and can kill several firewalls and anti-virus progs if it gets in your comp. Don't let it in. ;-) Be careful what progs you give firewall permission to. Don't click on cracker links.

"Maybe all the more reason to find out if a worm exists in netblock."

Like Mr Byte says: "In **% of the cases I just ignore such portscans because they cannot affect the security and connectivity of my system. In *% of the cases, where I see that the attacker is dedicated and/or dangerous, or he/she is flooding my system, I might decide to report the case, or just counterattack."

I think most of these hits are machine generated, not a guy at a keyboard attacking you personally.

If you've got a good firewall and anti-virus, you can relax a little. For me, a good packet sniffer is also indispensable.

http://www.tamos.com/products/commview/

P.S.
I didn't mention the name of the "terminate process" trojan because all kinds of people read this forum- hackers, crackers, script kiddies, virus writers, sysadmins, LEA, government agents, gurus, newbies... let the bad guys find their own tools.

Also, if you have a really crappy ISP, he might scan you from DNS and/or mail IPs; but, ZA will catch it.
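
Blacksheep's advice above (block the ISP's whole netblock except the DNS and mail addresses) ran into jtw00's problem that his own address sits inside that netblock. The following is an added example, not code from the thread or from ZoneAlarm: it computes the smallest set of CIDR ranges that covers a netblock minus a handful of kept hosts, and prints them as first-last pairs of the kind a GUI firewall's blocked-zone rule takes. The netblock 10.20.0.0/16 and the three kept addresses (DNS, mail, and "me") are assumptions chosen for the example.

```python
"""Block an ISP netblock except the hosts you still need.

Added example, not code from the original thread. Works out the CIDR
ranges covering `netblock` minus every address in `keep` (DNS, mail and
your own IP), so the block rule does not cut you off from your own ISP.
The netblock and kept addresses used in __main__ are assumptions.
"""
from ipaddress import ip_address, ip_network, collapse_addresses


def block_ranges(netblock, keep):
    """Return sorted CIDR networks covering `netblock` with every address
    in `keep` punched out. Kept addresses outside the netblock are ignored."""
    net = ip_network(netblock)
    ranges = [net]
    for addr in sorted(ip_address(a) for a in set(keep)):
        if addr not in net:
            continue
        host = ip_network(f"{addr}/{net.max_prefixlen}")  # single-host network
        new = []
        for r in ranges:
            if addr in r:
                # address_exclude splits r into the pieces around `host`
                new.extend(r.address_exclude(host))
            else:
                new.append(r)
        ranges = new
    # merge adjacent pieces back into the fewest possible ranges
    return sorted(collapse_addresses(ranges))


def as_first_last(ranges):
    """The same ranges as (first, last) address strings, the form many
    GUI firewalls use for a blocked IP range."""
    return [(str(r[0]), str(r[-1])) for r in ranges]


def is_blocked(ip, ranges):
    """Sanity check to run on your own IP, DNS and mail before applying."""
    a = ip_address(ip)
    return any(a in r for r in ranges)


if __name__ == "__main__":
    keep = ["10.20.0.53", "10.20.0.25", "10.20.31.200"]  # DNS, mail, me (assumed)
    rs = block_ranges("10.20.0.0/16", keep)
    for first, last in as_first_last(rs):
        print(f"{first} - {last}")
    assert not any(is_blocked(k, rs) for k in keep)
```

Before typing the ranges into the firewall, run is_blocked() against every address you must still reach; with the sample values it returns False for the three kept hosts and True for any other address in 10.20.0.0/16. Note Blacksheep's last caveat still applies: a scan coming from the DNS or mail address itself passes this rule, and you rely on the firewall's per-port rules to catch it.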