Listen to certain IP

Question: can I have TDS-3 or PE listen for traffic from a certain IP address. I´m being probed by someone and when I try to resolve his IP in PE I get for.information.see.proxyprotector.com
I´d love to inform his provider, but don´t know where to turn.

PS The ports being scanned are always different.

 

Hi Metallica,
I don't know what you exactly want, but if it is to get as much information you can get, the easiest way is the logfile from your firewall.
Just put his IP in your blocked-list and everything will be logged.
Dolf

 

Hi Metallica,
welcome!
Think you might like the TDS Traffic Bridge for that if you don't like to use the TCP connect or connect via SOCKS
I see for instance in the PE GUI for the log analyser the last resolved IP, and i see the firewall itself, which i can put under spy for all in/out going packets, so i have now an IP connected to that process PID so i can spy on that and see what is sent in PE, as long as the process is there, but the parent is that loganalyser, and the packets received there, which can be from different IPs in the meantime.
So if you want to keep to the IP alone you might prefer to use the TDS functions i mentioned, but also there you get only packets to spy on as long as you're connected.
You might like to combine it with the TCP Port listen on the port that IP is currently connecte dto and you can for the outbound traffic change some data of course if you like.
In the meantime an TDS interrogate scan to see which ports you can connect to for instance with the broadcast or using one of the emulators.
If he for instance tries to connect to your 27374 chance you can connect there on his too.
Hope you get the info you want!

 

Hi Metallica!

Well, for me it seems that this address is probing you via a proxy. That means you will have little chance to find out his real IP-address (or his provider). I suggest that you open a port in TDS, he is trying to connect or pinging all the time. Then you can scare him to death...

Otherwise it will be difficult to listen for traffic from a certain IP address. There's also another possibility, attack him as well (port scan) -like the Russians said: Attacking is the best defense... But it's not quite legal, so I won't explain you how to do that.

Best regards!

Patrice

 

If a portscanner finds a backtrace with you resolving them or pinging they know you are aware and many will just leave. If not, a very nice UDP broadcast "would you like fries and coke with that ma'am?" might help better than angry responses, and with the emulators, ahh you can play so nice................. but keep it nice in the first place!

 

Metallica, As long as this probe is not affecting your internet performance & your firewall is doing the job, forget it.
By returning to attack you will let him know that you are there for sure.
I get hundreds of port probes a day from many sources usually compromised servers , my firewalls stop the probes so no worries. If you had a proper address you could send your log to abuse@whatever's ISP

HTH Pilli

 

Not so fast. Imagine complete firewall illiterate willing to learn (that would be me). I figured he might be using a proxy and I don´t want him to get even more interested by struggling.
When I noticed him yesterday I did as Pilli suggested (lots of sweeps come by like that), but two days in a row makes me curious and a little nervous.
Please explain how to find out more or tell him I am aware of his interest and if this still will work on someone who is using a proxy.

 

Hi Metallica!

Do you know which port he is probing? Check your firewall log for this. If you know the port, you can open it via TDS-3 -> Network -> TCP Port Listen. If you are completely unfamiliar with all that, just come back and let us know the port(s) he is probing, so that we can instruct you further.

Regards!

Patrice

 

well, I had a quick look at this proxyprotector.com, and it seems not likely that this is an open proxy. Do you have his IP address or does it change a lot?

 

The ports being scanned vary, but I do have an IP.
Can I post that here, without getting in trouble?
If not: feel free to remove it. 64.201.104.2

 

Hi Dollefie!

Couldn't it be that the proxy he's using is one you can misuse? That would explain why this site is shown. To be able to state the abuse of it.

Regards,

Patrice

 

Hi,
64.201.104.2 resolves to http://www.race.com/lipman/
or Lipman Middle School.
any bells ??
Dolf

 

Actually I don't like that. There are five ports open and you can even connect to them... Is it a compromised system, used by someone with bad intentions? The system is based on a Apache Server (Unix).

Anyone has other interesting informations or good suggestions?

Regards,

Patrice

 

Whoisses to

OrgName: Race Technologies
OrgID: RACE
Address: 101 Haskins Way
City: South San Francisco
StateProv: CA
PostalCode: 94080
Country: US

NetRange: 64.201.96.0 - 64.201.111.255
CIDR: 64.201.96.0/20
NetName: RACETECH
NetHandle: NET-64-201-96-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.RACE.COM
NameServer: NS2.RACE.COM
Comment:
RegDate: 2002-10-10
Updated: 2002-10-10

OrgTechHandle: TECH3-ARIN
OrgTechName: Tech
OrgTechPhone: +1-650-246-8900
OrgTechEmail: webmaster@race.com

OrgNOCHandle: IPADM26-ARIN
OrgNOCName: IP Admin
OrgNOCPhone: +1-650-246-8900
OrgNOCEmail: ipadmin@race.com

OrgAbuseHandle: ABUSE65-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-650-246-8900
OrgAbuseEmail: abuse@race.com

# ARIN WHOIS database, last updated 2003-05-04 20:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
===================
So you do have an abuse@
That for.... seems indeed the DNS hostname if you trace it.

 

Are you pondering what I´m pondering? Some school´s server being used as a drone? Well, there is an addy at their site. I think it´s best to inform them someone (in- or outside) is using their server. Objections?

 

just be sure you include their IP adress so they know it's from them.
Dolf

 

No objections, that's a good idea! But let 'em know what they should do (using TDS-3 & do a full system scan). And let 'em know also how they can protect themselves in future!

Greetings!

Patrice

 

LOL. If I were a fisherman....
I gambled on one port that I missed from last night.

 

Internet spam / promotion? If you blocked your messenger they use the portscanner, trusting you'll resolve them, visit the site and thus attract potential customers?

 

cannot believe it's a way to ATTRACT people

 

Anyways. Thank you all for helping me figure this one out.
If I get any interesting replies, I will keep you posted.

 

OK Metallica, you have the abuse info so if it is a scam you can use that - If it is a compromised system the webmaster can kick a but or two or maybe even his own to get it patched.