Port Scanned?

Discussion in 'other firewalls' started by YODA, Aug 9, 2002.

Thread Status:
Not open for further replies.
  1. YODA

    YODA Registered Member

    Joined:
    Jul 15, 2002
    Posts:
    100
    hey guys,

    I think I need to report an attack... I got it all in my firewall logs. It contains one remote IP, 216.184.40.245, a range of remote ports from about 2000-5000, and one local port, 6346. I don't know if I need to report it ASAP, but I got it all in my logs... I also ran a trace on the attacker at Symantec's about 5 min after the last reported attack and have screenshots of the results.

    Here's a little from my firewall log (it is a lot longer than this, about 15 times MORE):

    8/9/02 13:24:32 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details:
    Inbound TCP connection
    Local address,service is (172.139.75.xxx,6346)
    Remote address,service is (216.184.40.245,3422)
    Process name is "N/A"

    8/9/02 13:24:29 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details:
    Inbound TCP connection
    Local address,service is (172.139.75.xxx,6346)
    Remote address,service is (216.184.40.245,3422)
    Process name is "N/A"

    8/9/02 13:24:24 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details:
    Inbound TCP connection
    Local address,service is (172.139.75.xxx,6346)
    Remote address,service is (216.184.40.245,3393)
    Process name is "N/A"

    8/9/02 13:24:18 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details:
    Inbound TCP connection
    Local address,service is (172.139.75.xxx,6346)
    Remote address,service is (216.184.40.245,3393)
    Process name is "N/A"

    8/9/02 13:24:15 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details:
    Inbound TCP connection
    Local address,service is (172.139.75.xxx,6346)
    Remote address,service is (216.184.40.245,3393)
    Process name is "N/A"

    8/9/02 13:24:09 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details:
    Inbound TCP connection
    Local address,service is (172.139.75.xxx,6346)
    Remote address,service is (216.184.40.245,3367)
    Process name is "N/A"

    continues......
    continues.........
    continues.............

    NEED ASSISTANCE......ASAP!!!

    YODA
     
  2. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    ;) Assistance provided!

    http://www.dshield.org/reports.html

    Results:
    http://www.geektools.com/cgi-bin/proxy.cgi
    Whois Address Search on 216.184.40.245 gave this result:
    Which is at:
    http://www.apex2000.net/dynamic/main.asp

    When you have a dynamic IP assigned by your ISP at each logon, you may be searched by whoever was sharing files with the last person who had that address. If it's bothersome, log off from your ISP and then back on to get a new IP. Hope this helps anyone else having similar problems. :)
     
  3. YODA

    YODA Registered Member

    Joined:
    Jul 15, 2002
    Posts:
    100
    Thanx prince,

    Thought I was being attacked... heh :D. Kind of odd for a person to keep trying to contact me for 2 hours, lol. Also got the same whois results :D. Nothing to worry about, I guess...

    P.S. Prince, you da man, you always come through for me ;)

    YODA
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    checks those IP#'s

    nope! :D
    not me!
     
  5. YODA

    YODA Registered Member

    Joined:
    Jul 15, 2002
    Posts:
    100
    heh hey snapdragin,

    Did you figure out what was causing your problem...? When I read your post, that 5101 port looked familiar... Yahoo uses that as a remote port... but anyway, close that port up if that's what's causing your problems... ;)

    YODA
     
  6. controler

    controler Guest

    Hey guys :)

    These days it doesn't pay to report attacks, since most of them are being carried out from behind some poor innocent person's computer (grandma, 13-year-old kid, etc.). Most of the time it is because of a worm that was planted on their computer, and in some cases IRC bots.
    Most young people hang out in these IRC chat rooms, and that's where most of the damage is done.
    People wanting to find problems with their configurations will go into these places and tempt hackers to come into their honeypots/honeynets. Honeynets are much better in that the info gathered is shared over a wide network and not just one system.
    Doesn't it get boring some days when we have all our protection up and enabled and get no hack attempts? Makes you wonder if something is wrong.
     
  7. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    Port 6346 is typically associated with the p2p file sharing protocol Gnutella. The only reason you're getting probed is because the previous user of your current IP was hosting a Gnutella server. Gnutella clients tend to cache server IP addresses for a long time so now they think YOU have the content they want.

    The best response to this behavior is either ignore it, or better yet, force an IP address change until you get an IP that doesn't have a history associated with it.
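A way to check for yourself what NetWatchman describes, and what YODA's log actually shows: the log format posted above is regular enough to parse, and the tell-tale of a Gnutella straggler is one source hitting one local port (6346) over and over with climbing ephemeral source ports, whereas a real port scan walks many local ports. The following is an added example, not code from the thread. The 216.184.40.245 records are copied from YODA's post; the scan records, the address 198.51.100.7 (a documentation range) and the two thresholds are constructed assumptions.

```python
"""Parse Norton-style multi-line firewall log records and tell a single-port
straggler (old Gnutella peers) from a port scan.  Added example, not from
the thread; thresholds and the scan sample are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

GNUTELLA_PORT = 6346          # port NetWatchman identifies with Gnutella
SCAN_MIN_LOCAL_PORTS = 5      # assumed: this many distinct local ports = scan
STRAGGLER_MIN_HITS = 3        # assumed: this many retries on 6346 = straggler

HEADER_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'Rule "(?P<rule>[^"]*)" blocked \((?P<lip>[\d.x]+),(?P<lport>\d+)\)\. Details:$')
REMOTE_RE = re.compile(r'^Remote address,service is \((?P<rip>[\d.]+),(?P<rport>\d+)\)$')

def parse_log(text):
    """Yield one dict per blocked-connection record (5-line block)."""
    rec = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            rec = {"ts": datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%y %H:%M:%S"),
                   "rule": m["rule"], "local_port": int(m["lport"])}
            continue
        if rec is None:
            continue
        m = REMOTE_RE.match(line)
        if m:
            rec["remote_ip"] = m["rip"]
            rec["remote_port"] = int(m["rport"])
        elif line.startswith("Process name is"):   # last line of a record
            if "remote_ip" in rec:
                yield rec
            rec = None

def summarize(records):
    """Group by remote IP and classify: port scan vs. Gnutella straggler vs. other."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["remote_ip"]].append(r)
    out = {}
    for ip, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])       # log is newest-first; sort oldest-first
        local_ports = sorted({r["local_port"] for r in recs})
        remote_ports = [r["remote_port"] for r in recs]
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if len(local_ports) >= SCAN_MIN_LOCAL_PORTS:
            verdict = "port scan"
        elif local_ports == [GNUTELLA_PORT] and len(recs) >= STRAGGLER_MIN_HITS:
            verdict = "gnutella straggler"
        else:
            verdict = "single-port retries"
        out[ip] = {"verdict": verdict, "hits": len(recs), "local_ports": local_ports,
                   "remote_ports": remote_ports, "span_seconds": span,
                   # one client reconnecting hands out rising ephemeral ports
                   "remote_ports_ascending": remote_ports == sorted(remote_ports)}
    return out

# Constructed sample: three records copied from YODA's post ...
YODA_LOG = """\
8/9/02 13:24:32 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details:
Inbound TCP connection
Local address,service is (172.139.75.xxx,6346)
Remote address,service is (216.184.40.245,3422)
Process name is "N/A"

8/9/02 13:24:24 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details:
Inbound TCP connection
Local address,service is (172.139.75.xxx,6346)
Remote address,service is (216.184.40.245,3393)
Process name is "N/A"

8/9/02 13:24:09 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details:
Inbound TCP connection
Local address,service is (172.139.75.xxx,6346)
Remote address,service is (216.184.40.245,3367)
Process name is "N/A"
"""
# ... plus a constructed scan from a documentation address walking common ports.
SCAN_LOG = "\n".join(
    f'8/9/02 13:30:{i:02d} Rule "IP BLOCK" blocked (172.139.75.xxx,{p}). Details:\n'
    f'Inbound TCP connection\nLocal address,service is (172.139.75.xxx,{p})\n'
    f'Remote address,service is (198.51.100.7,{40000 + i})\nProcess name is "N/A"\n'
    for i, p in enumerate([21, 22, 23, 25, 80, 135, 139, 445]))
SAMPLE_LOG = YODA_LOG + "\n" + SCAN_LOG

if __name__ == "__main__":
    for ip, info in summarize(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Run on the sample, 216.184.40.245 comes out as a Gnutella straggler (one local port, ascending source ports 3367, 3393, 3422 over 23 seconds), while 198.51.100.7 is flagged as a port scan. On a real log, tune the two thresholds and be aware that a straggler that is also infected can look identical; the verdict only says whether the pattern is worth reporting as a scan.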
     
  8. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    This is absolutely the case, however, it is also why it IS valuable to report it...so that the infected person can be notified. By my estimate 95% of all valid scanning activity is generated by an infected host.

    However, you definitely should NOT report issues without fully understanding how to differentiate between real issues and false positives (like the Gnutella probes in this thread).

    See also:
    http://www.mynetwatchman.com/vision.htm
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Lawrence,

    Seems like we have a static IP here. Sound advice as ever, btw.

    regards.

    paul
     
  10. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    Do you obtain your IP via DHCP?

    If so it's likely *sticky* vs. static.

    Email me if you're interested in experimenting... I've been working on a procedure to force an IP address change even when sticky DHCP is at play.
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Although I was referring to the original poster - as for my person: nope.

    Sounds interesting: might drop you an email anyway!

    regards.

    paul
     
  12. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    It has been my experience with my local cable company that just because they use dhcp doesn't mean I have to.

    Because I have routers that are always on (so no one can grab my IP while my machine is rebooting; I never turn it off), my IP won't change unless my account is switched to a different node. They sometimes split a node into two separate nodes when they get too full. There is a 50-50 chance I will be shuffled to the other one and lose my current IP. This happens twice a year or so. The reason I get the same IP the rest of the time is that the IP is decided by the DHCP server based on a combination of the MAC address of my network card and some info from my computer. That combination always gets the same IP, but if I change network cards I get a new IP. If I put my current netcard in a different computer I don't get the same IP as I did in the first computer. So one way to get new IPs is to swap network cards between my computers.

    Another way is to not use DHCP and specify my IP directly. If an IP is available on my node, I can specify it directly and I will get it. If it is in use or outside my node block I will not.

    This leads me to the third way to change your IP. If you have two computers like I do, I turn off the computer that has the IP I no longer want, and then specify that IP for my second computer directly. Then when I turn on the first computer, it can't get the IP it wants through DHCP, so the DHCP server will assign a different one. Then I switch the second computer back to DHCP and get the IP it used to have, provided it wasn't assigned to anyone in the meantime. In my case I am actually changing the IPs of my routers, but it is the same for computers.

    Dunno how it might work with dial-up; back when I had dial-up, I had no idea of such things.
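UNICRON's observation that the DHCP server picks the address from the client's MAC points at the direct way to do on one machine what he does by swapping cards: release the lease under the old MAC, change the NIC to a fresh locally administered address, and request again. This is an added example, not from the thread; it assumes a Linux host with iproute2 `ip` and ISC `dhclient` and a NIC plugged straight into the ISP's network. Whether the ISP actually hands out a new address depends on what it keys the lease on (a modem MAC or a client-id in dhclient.conf will defeat this). Nothing is executed unless the script is run with --apply.

```python
"""Force a fresh DHCP lease by releasing and re-requesting under a new,
locally administered MAC.  Added example (assumes Linux, iproute2 `ip`,
ISC `dhclient`); not from the thread."""
import os
import subprocess
import sys

def random_laa_mac():
    """Random unicast, locally administered MAC (first octet x2/x6/xA/xE)."""
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] | 0x02) & 0xFE   # set LAA bit, clear multicast bit
    return ":".join(f"{b:02x}" for b in octets)

def normalize_mac(mac):
    """Return lower-case colon form; raise ValueError if malformed or multicast."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC: {mac}")
    try:
        values = [int(p, 16) for p in parts]
    except ValueError:
        raise ValueError(f"malformed MAC: {mac}") from None
    if values[0] & 0x01:
        raise ValueError("multicast bit set; not usable as a station address")
    return ":".join(parts)

def is_usable_mac(mac):
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False

def renew_commands(iface, new_mac):
    """Ordered command list.  The release goes first, under the OLD MAC, so
    the server sees a DHCPRELEASE for the address we are giving up; only then
    is the MAC swapped and a new DISCOVER sent."""
    mac = normalize_mac(new_mac)
    return [
        ["dhclient", "-r", iface],                          # DHCPRELEASE old lease
        ["ip", "link", "set", "dev", iface, "down"],
        ["ip", "link", "set", "dev", iface, "address", mac],
        ["ip", "link", "set", "dev", iface, "up"],
        ["dhclient", iface],                                # DISCOVER as new client
    ]

def run(iface, new_mac, apply=False):
    """Print the plan, or execute it when apply=True (needs root)."""
    cmds = renew_commands(iface, new_mac)
    for cmd in cmds:
        if apply:
            subprocess.run(cmd, check=True)
        else:
            print("would run:", " ".join(cmd))
    return cmds

if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--apply"]
    run(args[0] if args else "eth0", random_laa_mac(), apply="--apply" in sys.argv)
```

Run it without arguments to see the plan for eth0; add --apply as root to carry it out. If dhclient is configured with a fixed client identifier, or the interface is managed by NetworkManager, the server may still see the same client, in which case the cloned-MAC setting of the manager is the equivalent knob.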
     