Hi, can someone advise me? I am a novice user of TDS3; I just started using it (2 days). I am being harassed by someone who scans my ports: up to 665 scans in 4 hours. The portscans always follow a reset of my dialup connection. When I reconnect, the scans start and keep on until I disconnect. Sometimes I get disconnected again, and when I reconnect, it starts again. My connection is set up never to hang up when idle. I use Outpost firewall, which detects these portscans. It's done on TCP (445), and 99% of the scans are from the same IP address range. I did a Trace Target Host and got this:

22:13:53 [Trace] Tracing route to 155.239.170.241 (tpr-ip-nas-ov-1-p241.telkom-ipnet.co.za)
22:13:54 [Trace] 02: 218ms 196.43.12.53 (wblv-ip-esr-1-atm-5-0-0-6.telkom-ipnet.co.za)
22:13:55 [Trace] 03: 236ms 196.43.10.142 (wblv-ip-er-1-fe-11-1-0-2.telkom-ipnet.co.za)
22:13:56 [Trace] 04: 453ms 196.43.11.206 (tpr-ip-er-1-ge-3-0-0.telkom-ipnet.co.za)
22:13:57 [Trace] 05: 469ms 196.43.14.249 (tpr-ip-nas-ov-1-fe-0.telkom-ipnet.co.za)
22:14:10 [Trace] 6: ICMP error or host not responding
22:14:22 [Trace] 07:11452ms 155.239.170.241 (tpr-ip-nas-ov-1-p241.telkom-ipnet.co.za)
22:14:22 [Trace] Trace complete!

IP addresses 196.43.12.53 (trace 2) and 196.43.10.142 (trace 3) figure in most of the tracings. What can I deduce from this? Is trace 05 the culprit, or is it trace 02 and 03? What is happening here, and what can I do to stop this? I have reported this to my ISP and sent them logfiles of the incidents. They replied that they will investigate, and that's it. This has been going on for 2 months now. I am desperate and really p.....off!!! PLEASE HELP
Hi User Name,

First get all the latest security patches for your operating system. Get the latest TDS3 radius file from here: http://tds.diamondcs.com.au/index.php?page=update Follow the instructions on the update page and disable your AV if it is running resident. Next restart your AV & update with the latest definitions, then run a full scan. Get a free copy of AdAware from www.lavasoft.de and run a full scan, as I think you have spyware on your machine. You could also try running Spybot Search & Destroy. Please report back your findings, as further instructions may be necessary.

Pilli
Hi,

what your trace reveals is the route to the origin of the portscans (I suppose that's the IP you have in your "target" field in TDS when you do the trace). But then the first two IP addresses are those that are nearest to you, i.e. your next upstream routers. They will be the same for lots and lots of connections. Interesting, tho, that it all seems to happen within one and the same ISP. It could very well be that one of their clients is running an automated port-scan of all the other ISP's clients. (Probably if so, then he's on dialup and will have a different IP each time - but from the same ISP ... and even with *his* upstream routers (i.e. the pre-last in your traces) the same every time.) You could resolve a few of the other IPs that have been scanning you and see if they are on the same ISP. Also, if they are, trace them and compare the pre-last routers. That should at least give us more to work with.

Andreas
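The comparison suggested in the last reply, as an added example that is not part of the original thread: it parses several saved traces in the log format shown in the first post, groups the scanning IPs by the last responding router before them, and lists the hops common to every trace. The function names and the sample log are made up for illustration, and the addresses are constructed documentation-range values.

```python
import re
from collections import defaultdict

# Formats follow the first post's trace; all addresses are constructed (documentation ranges).
START = re.compile(r"\[Trace\] Tracing route to (\d+(?:\.\d+){3})")
HOP = re.compile(r"\[Trace\]\s+\d+:\s*\d+ms\s+(\d+(?:\.\d+){3})")

SAMPLE_LOG = """\
22:13:53 [Trace] Tracing route to 203.0.113.241 (p241.isp.example)
22:13:54 [Trace] 02: 218ms 198.51.100.53 (esr-1.isp.example)
22:13:55 [Trace] 03: 236ms 198.51.100.142 (er-1.isp.example)
22:13:57 [Trace] 05: 469ms 198.51.100.249 (nas-1.isp.example)
22:14:10 [Trace] 6: ICMP error or host not responding
22:14:22 [Trace] 07:11452ms 203.0.113.241 (p241.isp.example)
22:14:22 [Trace] Trace complete!
22:20:01 [Trace] Tracing route to 203.0.113.77 (p77.isp.example)
22:20:02 [Trace] 02: 201ms 198.51.100.53 (esr-1.isp.example)
22:20:03 [Trace] 03: 240ms 198.51.100.142 (er-1.isp.example)
22:20:05 [Trace] 05: 455ms 198.51.100.249 (nas-1.isp.example)
22:20:09 [Trace] 06: 900ms 203.0.113.77 (p77.isp.example)
22:31:40 [Trace] Tracing route to 192.0.2.9 (host9.other.example)
22:31:41 [Trace] 02: 210ms 198.51.100.53 (esr-1.isp.example)
22:31:43 [Trace] 04: 380ms 192.0.2.1 (gw.other.example)
22:31:44 [Trace] 05: 402ms 192.0.2.9 (host9.other.example)
"""

def parse_traces(log_text):
    """Return {target_ip: [responding hop IPs in order]} for every trace."""
    traces, target = {}, None
    for line in log_text.splitlines():
        if (m := START.search(line)):
            target = m.group(1)
            traces[target] = []
        elif target and (m := HOP.search(line)):
            traces[target].append(m.group(1))  # timeout lines never match
    return traces

def group_by_last_router(traces):
    """Group scan sources by the last responding router before the source."""
    groups = defaultdict(list)
    for target, hops in traces.items():
        routers = [ip for ip in hops if ip != target]
        groups[routers[-1] if routers else None].append(target)
    return dict(groups)

def shared_upstream(traces):
    """Hops present in every trace: your own upstream routers, not the source."""
    sets = [set(hops) for hops in traces.values()]
    return set.intersection(*sets) if sets else set()
```

Sources that land in the same group sit behind the same access router, which is the detail an ISP abuse desk can match against its dial-in session logs. When the hop directly before the source times out, the grouping falls back to the last hop that did answer.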