I need some objective minds in a little scenario. OK, this actually happened, but I'd like to know what you think when you see this on your router:
Quote:
Fri Jul 8 21:44:22 2011
=>Found attack from 60.173.10.27.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Fri Jul 8 22:05:01 2011
=>Found attack from 58.218.199.147.
Source port is 12200 and destination port is 3246 which use the TCP protocol.
Fri Jul 8 22:05:01 2011
=>Found attack from 58.218.199.147.
Source port is 12200 and destination port is 8090 which use the TCP protocol.
Fri Jul 8 22:05:01 2011
=>Found attack from 58.218.199.147.
Source port is 12200 and destination port is 8118 which use the TCP protocol.
Fri Jul 8 22:15:20 2011
=>Found attack from 216.245.196.122.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Fri Jul 8 22:16:52 2011
=>Found attack from 58.218.199.227.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Fri Jul 8 22:16:52 2011
=>Found attack from 58.218.199.227.
Source port is 12200 and destination port is 8000 which use the TCP protocol.
Fri Jul 8 22:16:52 2011
=>Found attack from 58.218.199.227.
Source port is 12200 and destination port is 2301 which use the TCP protocol.
Fri Jul 8 22:36:29 2011
=>Found attack from 111.221.89.51.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Fri Jul 8 22:55:05 2011
=>Found attack from 58.218.199.250.
Source port is 12200 and destination port is 8080 which use the TCP protocol.
Fri Jul 8 22:57:39 2011
=>Found attack from 216.245.196.122.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Fri Jul 8 23:12:06 2011
=>Found attack from 221.192.199.49.
Source port is 12200 and destination port is 2479 which use the TCP protocol.
Fri Jul 8 23:12:06 2011
=>Found attack from 221.192.199.49.
Source port is 12200 and destination port is 9000 which use the TCP protocol.
Fri Jul 8 23:12:06 2011
=>Found attack from 221.192.199.49.
Source port is 12200 and destination port is 8090 which use the TCP protocol.
Fri Jul 8 23:32:14 2011
=>Found attack from 111.221.89.51.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Fri Jul 8 23:36:52 2011
=>Found attack from 58.218.199.227.
Source port is 12200 and destination port is 2301 which use the TCP protocol.
Fri Jul 8 23:37:53 2011
=>Found attack from 221.194.46.176.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Fri Jul 8 23:37:53 2011
=>Found attack from 221.194.46.176.
Source port is 12200 and destination port is 8008 which use the TCP protocol.
Fri Jul 8 23:37:53 2011
=>Found attack from 221.194.46.176.
Source port is 12200 and destination port is 8088 which use the TCP protocol.
Fri Jul 8 23:39:56 2011
=>Found attack from 216.245.196.122.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Fri Jul 8 23:59:33 2011
=>Found attack from 58.218.199.147.
Source port is 12200 and destination port is 8090 which use the TCP protocol.
Fri Jul 8 23:59:33 2011
=>Found attack from 58.218.199.147.
Source port is 12200 and destination port is 1080 which use the TCP protocol.
Fri Jul 8 23:59:33 2011
=>Found attack from 58.218.199.147.
Source port is 12200 and destination port is 8000 which use the TCP protocol.
Sat Jul 9 00:20:13 2011
=>Found attack from 111.221.89.51.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Sat Jul 9 00:21:45 2011
=>Found attack from 216.245.196.122.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Sat Jul 9 00:41:22 2011
=>Found attack from 58.218.199.250.
Source port is 12200 and destination port is 8085 which use the TCP protocol.
Sat Jul 9 00:41:22 2011
=>Found attack from 58.218.199.250.
Source port is 12200 and destination port is 9000 which use the TCP protocol.
Sat Jul 9 00:41:22 2011
=>Found attack from 58.218.199.250.
Source port is 12200 and destination port is 3128 which use the TCP protocol.
Sat Jul 9 00:52:12 2011
=>Found attack from 221.192.199.49.
Source port is 12200 and destination port is 1080 which use the TCP protocol.
Sat Jul 9 00:52:12 2011
=>Found attack from 221.192.199.49.
Source port is 12200 and destination port is 6588 which use the TCP protocol.
Sat Jul 9 00:56:19 2011
=>Found attack from 221.194.46.176.
Source port is 12200 and destination port is 8085 which use the TCP protocol.
Sat Jul 9 00:56:19 2011
=>Found attack from 221.194.46.176.
Source port is 12200 and destination port is 9415 which use the TCP protocol.
A quick Google of the IP gave me the following
IP address information:
Quote:
WHOIS Source: APNIC
IP Address: 58.218.199.147
Country: China
Network Name: CHINANET-JS
Owner Name: CHINANET jiangsu province network
From IP: 58.208.0.0
To IP: 58.223.255.255
Allocated: Yes
Contact Name: Chinanet Hostmaster
Address: No.31 ,jingrong street,beijing, 100032
Email: anti-spam@ns.chinanet.cn.net
Abuse Email:
Phone: +86-10-58501724
Fax: +86-10-58501724
WHOIS Record:
% [whois.apnic.net node-5]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 58.208.0.0 - 58.223.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CJ186-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-JS
mnt-routes: MAINT-CHINANET-JS
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20050624
source: APNIC
person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy@cndata.com 20070416
mnt-by: MAINT-CHINANET
source: APNIC
http://www.magic-net.info/blacklist_...14%202011.html
Complaints lodged for 58.218.199.147: a lot of people are complaining about the same IP port scanning. I assume it's picked up by their routers' firewalls. Here's the list:
http://www.liveipmap.com/58.218.199.147
Complaints lodged for 58.218.199.147
Dating back from 7 months ago to a couple of weeks ago.
Then I came across this thread of another user picking up the following:
http://forums.majorgeeks.com/showthread.php?t=229454
Quote:
21:33:42 Administrator IP-BLOCK 221.192.199.49 (incoming) China Unicom Hebei province network
22:20:12 Administrator IP-BLOCK 222.186.25.33 ( incoming) CHINANET jiangsu province network
23:08:09 Administrator IP-BLOCK 221.192.199.49 incoming) China Unicom Hebei province network
23:23:30 Administrator IP-BLOCK 58.218.199.147 (incoming) CHINANET jiangsu province network
00:48:36 Administrator IP-BLOCK 94.102.60.168 (Type: outgoing)
00:48:38 Administrator IP-BLOCK 94.102.60.168 (Type: outgoing)
00:48:44 Administrator IP-BLOCK 94.102.60.168 (Type: outgoing)
01:15:50 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
01:15:50 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
01:15:50 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
02:44:02 Administrator IP-BLOCK 221.192.199.49 (Type: incoming)
02:44:02 Administrator IP-BLOCK 221.192.199.49 (Type: incoming)
10:32:36 (null) MESSAGE Protection started successfully
10:34:36 Administrator MESSAGE IP Protection started successfully
11:13:21 Administrator IP-BLOCK 221.192.199.49 (Type: incoming)
11:35:28 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
11:44:47 (null) MESSAGE Protection started successfully
11:46:30 Administrator MESSAGE IP Protection started successfully
12:51:20 Administrator IP-BLOCK 125.46.39.23 (Type: incoming)
14:01:49 Administrator IP-BLOCK 221.192.199.49 (Type: incoming)
14:26:29 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
14:26:30 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
14:26:30 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
16:50:03 Administrator IP-BLOCK 221.192.199.49 (Type: incoming)
17:18:45 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
Luckily Avira notified him and he had it checked out.
The thread was also about 8 months ago.
Further on, the following was found on his PC:
Quote:
c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
C:\WINDOWS\system32\drivers\etc\tmvsthfss.bin
C:\WINDOWS\system32\drivers\etc\tmvsthfud.bin<---Rootkit
Its driver files:
aswArKrn
TMPassthruMP
Now, is it a stupid hacker using the same old IP for months on end, or does that IP look like something that is part of a botnet, or would you dismiss it as a plain, normal port scan?