Listen to certain IP

Discussion in 'Trojan Defence Suite' started by Metallica, May 5, 2003.

Thread Status:
Not open for further replies.
  1. Metallica

    Metallica Guest

    Question: can I have TDS-3 or PE listen for traffic from a certain IP address? I'm being probed by someone, and when I try to resolve his IP in PE I get for.information.see.proxyprotector.com
    I'd love to inform his provider, but don't know where to turn. :mad:

    PS The ports being scanned are always different.
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Hi Metallica,
    I don't know what you exactly want, but if it is to get as much information you can get, the easiest way is the logfile from your firewall.
    Just put his IP in your blocked-list and everything will be logged.
    Dolf
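Dolf's suggestion, worked through as an added example that is not part of the thread and not code from any firewall product: filter a firewall log down to one source IP, tally the ports it hit and over how many days, and render the block you would paste into an abuse report. The log lines and their "date time ACTION proto src:port -> dst:port" format are constructed for the example; the regular expression is the only thing you would have to adapt to what your own firewall writes.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample firewall log (not from the thread). The line format is an
# assumption standing in for whatever the reader's firewall actually writes.
SAMPLE_LOG = """\
2003-05-04 22:13:01 BLOCK TCP 64.201.104.2:3341 -> 10.0.0.5:27374
2003-05-04 22:13:04 BLOCK TCP 64.201.104.2:3342 -> 10.0.0.5:1243
2003-05-04 22:13:09 BLOCK TCP 64.201.104.2:3343 -> 10.0.0.5:12345
2003-05-04 22:14:10 BLOCK UDP 198.51.100.7:1900 -> 10.0.0.5:1900
2003-05-05 01:02:33 BLOCK TCP 64.201.104.2:4010 -> 10.0.0.5:27374
2003-05-05 01:02:40 BLOCK TCP 64.201.104.2:4011 -> 10.0.0.5:6667
garbage line that does not parse
"""

# Adapt this one pattern to your firewall's log format.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield one dict per parsable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize_source(text, src_ip):
    """Everything one source IP did: event count, time span, ports, distinct days."""
    events = [e for e in parse_log(text) if e["src"] == src_ip]
    if not events:
        return None
    stamps = [datetime.fromisoformat(f"{e['date']} {e['time']}") for e in events]
    return {
        "src": src_ip,
        "events": len(events),
        "first_seen": min(stamps).isoformat(sep=" "),
        "last_seen": max(stamps).isoformat(sep=" "),
        "ports": Counter(f"{e['proto']}/{e['dport']}" for e in events),
        "distinct_days": len({e["date"] for e in events}),
    }


def abuse_report(text, src_ip, log_tz="UTC"):
    """Render the summary as the plain-text block an abuse desk expects:
    timestamps with their timezone, the offending IP, and the raw log lines."""
    s = summarize_source(text, src_ip)
    if s is None:
        return f"no events from {src_ip}"
    raw = [l for l in text.splitlines() if f" {src_ip}:" in l]
    ports = ", ".join(f"{p} x{n}" for p, n in s["ports"].most_common())
    return (
        f"Source: {src_ip}\n"
        f"Events: {s['events']} over {s['distinct_days']} day(s)\n"
        f"First seen: {s['first_seen']} {log_tz}\n"
        f"Last seen: {s['last_seen']} {log_tz}\n"
        f"Ports probed: {ports}\n\nLog excerpt:\n" + "\n".join(raw) + "\n"
    )


if __name__ == "__main__":
    print(abuse_report(SAMPLE_LOG, "64.201.104.2"))
```

Abuse desks act on exact timestamps with a stated timezone plus the raw lines, which is why the report keeps both rather than only the tally; the tally is what tells you whether it is one person hitting a shortlist of trojan ports or a random sweep.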
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Metallica,
    welcome!
    Think you might like the TDS Traffic Bridge for that if you don't like to use the TCP connect or connect via SOCKS
    I see for instance in the PE GUI for the log analyser the last resolved IP, and I see the firewall itself, which I can put under spy for all in/outgoing packets. So I now have an IP connected to that process PID, so I can spy on that and see what is sent in PE, as long as the process is there; but the parent is that log analyser, and the packets received there can be from different IPs in the meantime.
    So if you want to keep to the IP alone you might prefer to use the TDS functions I mentioned, but there too you only get packets to spy on as long as you're connected.
    You might like to combine it with the TCP Port Listen on the port that IP is currently connected to, and for the outbound traffic you can of course change some data if you like.
    In the meantime, a TDS interrogate scan to see which ports you can connect to, for instance with the broadcast or using one of the emulators.
    If he for instance tries to connect to your 27374, chances are you can connect there on his too.
    Hope you get the info you want!
     
  4. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Metallica!

    Well, for me it seems that this address is probing you via a proxy. That means you will have little chance to find out his real IP address (or his provider). I suggest that you open a port in TDS that he is trying to connect to or ping all the time. Then you can scare him to death... :D

    Otherwise it will be difficult to listen for traffic from a certain IP address. There's also another possibility: attack him as well (port scan) - like the Russians said, attacking is the best defense... But it's not quite legal, so I won't explain to you how to do that. ;)

    Best regards!

    Patrice
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If a portscanner finds a backtrace with you resolving them or pinging they know you are aware and many will just leave. If not, a very nice UDP broadcast "would you like fries and coke with that ma'am?" might help better than angry responses, and with the emulators, ahh you can play so nice................. but keep it nice in the first place!
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Metallica, as long as this probe is not affecting your internet performance and your firewall is doing the job, forget it.
    By returning the attack you will let him know that you are there for sure.
    I get hundreds of port probes a day from many sources, usually compromised servers; my firewalls stop the probes, so no worries. If you had a proper address you could send your log to the abuse@ address of whatever ISP it is.

    HTH Pilli
     
  7. Metallica

    Metallica Guest

    Not so fast. Imagine a complete firewall illiterate willing to learn (that would be me). I figured he might be using a proxy and I don't want him to get even more interested by struggling.
    When I noticed him yesterday I did as Pilli suggested (lots of sweeps come by like that), but two days in a row makes me curious and a little nervous.
    Please explain how to find out more, or how to tell him I am aware of his interest, and whether this will still work on someone who is using a proxy.
     
  8. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Metallica!

    Do you know which port he is probing? Check your firewall log for this. If you know the port, you can open it via TDS-3 -> Network -> TCP Port Listen. If you are completely unfamiliar with all that, just come back and let us know the port(s) he is probing, so that we can instruct you further. ;)

    Regards!

    Patrice
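Patrice's "TDS-3 -> Network -> TCP Port Listen" step, done with the Python standard library as an added example; this is not code from the thread and not a TDS-3 feature, just the same idea in a form you can run and read. The listener opens one port, records what the watched address sends, and closes anyone else's connection without sending a byte, so a stranger who stumbles on the port gets nothing to fingerprint. The watched address, the `BaitListener` name and the loopback demonstration are assumptions; on a real machine you would bind to your external interface and watch the address from your firewall log.

```python
import socket
import threading
from datetime import datetime, timezone


class BaitListener:
    """Hypothetical helper: listen on one TCP port, talk only to `watch_ip`,
    log what that peer sends, and silently drop everyone else."""

    def __init__(self, watch_ip, port=0, bind_addr="0.0.0.0", timeout=10.0):
        self.watch_ip = watch_ip
        self.timeout = timeout
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_addr, port))  # port 0: the OS picks a free one
        self.sock.listen(5)
        self.sock.settimeout(timeout)
        self.port = self.sock.getsockname()[1]
        self.records = []

    def serve_one(self):
        """Accept exactly one connection; return a record dict, or None on timeout."""
        try:
            conn, (peer_ip, peer_port) = self.sock.accept()
        except socket.timeout:
            return None
        rec = {
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "peer": peer_ip,
            "peer_port": peer_port,
            "matched": peer_ip == self.watch_ip,
            "data": b"",
        }
        with conn:
            if rec["matched"]:
                conn.settimeout(self.timeout)
                try:
                    rec["data"] = conn.recv(4096)  # whatever the scanner sends first
                except socket.timeout:
                    pass
            # Anyone else: close without a banner, so there is nothing to fingerprint.
        self.records.append(rec)
        return rec

    def close(self):
        self.sock.close()


def loopback_demo(watch_ip, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Run a listener on loopback and connect to it ourselves (assumed test setup).
    Returns the record the listener produced for our own connection."""
    lst = BaitListener(watch_ip, bind_addr="127.0.0.1", timeout=5.0)
    box = {}
    worker = threading.Thread(target=lambda: box.update(rec=lst.serve_one()))
    worker.start()
    with socket.create_connection(("127.0.0.1", lst.port)) as client:
        try:
            client.sendall(payload)
        except OSError:
            pass  # the listener may already have closed a non-matching peer
    worker.join(10)
    lst.close()
    return box.get("rec")


if __name__ == "__main__":
    print("watched peer :", loopback_demo("127.0.0.1"))
    print("other peer   :", loopback_demo("203.0.113.9"))
```

Keep the listener on exactly the port you saw in the firewall log and nothing more: one port that answers from an otherwise closed host is already enough to tell a scanner you are there, which is the trade-off Pilli warns about later in the thread.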
     
  9. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Well, I had a quick look at this proxyprotector.com, and it seems unlikely that this is an open proxy. Do you have his IP address, or does it change a lot?
     
  10. Metallica

    Metallica Guest

    The ports being scanned vary, but I do have an IP.
    Can I post that here, without getting in trouble?
    If not: feel free to remove it. 64.201.104.2
     
  11. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Dollefie!

    Couldn't it be that the proxy he's using is one you can misuse? ;) That would explain why this site is shown. To be able to state the abuse of it.

    Regards,

    Patrice
     
  12. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Hi,
    64.201.104.2 resolves to http://www.race.com/lipman/
    or Lipman Middle School.
    any bells ??
    Dolf
     
  13. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Actually I don't like that. There are five ports open and you can even connect to them... Is it a compromised system, used by someone with bad intentions? The system is based on an Apache server (Unix).

    Does anyone have other interesting information or good suggestions?

    Regards,

    Patrice
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Whoisses to

    OrgName: Race Technologies
    OrgID: RACE
    Address: 101 Haskins Way
    City: South San Francisco
    StateProv: CA
    PostalCode: 94080
    Country: US

    NetRange: 64.201.96.0 - 64.201.111.255
    CIDR: 64.201.96.0/20
    NetName: RACETECH
    NetHandle: NET-64-201-96-0-1
    Parent: NET-64-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.RACE.COM
    NameServer: NS2.RACE.COM
    Comment:
    RegDate: 2002-10-10
    Updated: 2002-10-10

    OrgTechHandle: TECH3-ARIN
    OrgTechName: Tech
    OrgTechPhone: +1-650-246-8900
    OrgTechEmail: webmaster@race.com

    OrgNOCHandle: IPADM26-ARIN
    OrgNOCName: IP Admin
    OrgNOCPhone: +1-650-246-8900
    OrgNOCEmail: ipadmin@race.com

    OrgAbuseHandle: ABUSE65-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-650-246-8900
    OrgAbuseEmail: abuse@race.com

    # ARIN WHOIS database, last updated 2003-05-04 20:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    ===================
    So you do have an abuse@
    That for.... seems indeed the DNS hostname if you trace it.
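Jooske's ARIN output handled mechanically, as an added example that is not part of the thread: it pulls the contact fields out of the record, checks that the quoted NetRange really is the quoted CIDR, and confirms the probing address falls inside that allocation before you write to abuse@. The record text is the one quoted above; the helper functions and their names are assumed for the example.

```python
import ipaddress

# The ARIN record quoted in the thread, embedded as the sample input.
ARIN_RECORD = """\
OrgName: Race Technologies
OrgID: RACE
Address: 101 Haskins Way
City: South San Francisco
StateProv: CA
PostalCode: 94080
Country: US

NetRange: 64.201.96.0 - 64.201.111.255
CIDR: 64.201.96.0/20
NetName: RACETECH
NetHandle: NET-64-201-96-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.RACE.COM
NameServer: NS2.RACE.COM
Comment:
RegDate: 2002-10-10
Updated: 2002-10-10

OrgTechHandle: TECH3-ARIN
OrgTechName: Tech
OrgTechPhone: +1-650-246-8900
OrgTechEmail: webmaster@race.com

OrgNOCHandle: IPADM26-ARIN
OrgNOCName: IP Admin
OrgNOCPhone: +1-650-246-8900
OrgNOCEmail: ipadmin@race.com

OrgAbuseHandle: ABUSE65-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-650-246-8900
OrgAbuseEmail: abuse@race.com

# ARIN WHOIS database, last updated 2003-05-04 20:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
===================
"""


def parse_whois(text):
    """Turn 'Key: value' whois output into a dict. First occurrence of a key wins,
    '#' comment lines and separators are ignored, 'Key:' with no value maps to ''."""
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or " " in key:
            continue  # not a field line
        rec.setdefault(key, value.strip())
    return rec


def network_of(rec):
    """The allocation as an IPv4Network, cross-checking NetRange against CIDR
    so a typo in either field is caught before you rely on it."""
    lo, _, hi = (x.strip() for x in rec["NetRange"].partition("-"))
    from_range = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    cidr = ipaddress.ip_network(rec["CIDR"], strict=True)
    if from_range != [cidr]:
        raise ValueError(f"NetRange {rec['NetRange']} does not match CIDR {rec['CIDR']}")
    return cidr


def covers(rec, ip):
    """True when the probing address lies inside the record's allocation."""
    return ipaddress.ip_address(ip) in network_of(rec)


def abuse_contact(rec):
    """Prefer the dedicated abuse mailbox, then the NOC, then the tech contact."""
    for key in ("OrgAbuseEmail", "OrgNOCEmail", "OrgTechEmail"):
        if rec.get(key):
            return rec[key]
    return None


if __name__ == "__main__":
    rec = parse_whois(ARIN_RECORD)
    print(network_of(rec), covers(rec, "64.201.104.2"), abuse_contact(rec))
```

The cross-check matters more than it looks: whois records are hand-maintained, and a NetRange that does not equal its CIDR is the first sign you are reading a stale or mis-keyed allocation and should query the parent block instead.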
     
  15. Metallica

    Metallica Guest

    Are you pondering what I'm pondering? Some school's server being used as a drone? Well, there is an addy at their site. I think it's best to inform them someone (inside or outside) is using their server. Objections?
     
  16. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Just be sure you include their IP address so they know it's from them.
    Dolf
     
  17. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    No objections, that's a good idea! But let 'em know what they should do (using TDS-3 & do a full system scan). And let 'em know also how they can protect themselves in future! ;)

    Greetings!

    Patrice
     
  18. Metallica

    Metallica Guest

    LOL. If I were a fisherman....
    I gambled on one port that I missed from last night. :D
     

    Attached file: Bait.jpg
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Internet spam / promotion? If you blocked your messenger they use the portscanner, trusting you'll resolve them, visit the site and thus attract potential customers?
     
  20. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    cannot believe it's a way to ATTRACT people
     
  21. Metallica

    Metallica Guest

    Anyways. Thank you all for helping me figure this one out. :cool:
    If I get any interesting replies, I will keep you posted.
     
  22. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    OK Metallica, you have the abuse info, so if it is a scam you can use that. If it is a compromised system the webmaster can kick a butt or two, or maybe even his own, to get it patched. :D
     