Port Scans

Discussion in 'Trojan Defence Suite' started by User Name, Nov 30, 2004.

Thread Status:
Not open for further replies.
  1. User Name

    User Name Guest

    Can someone advise me? I am a novice user of TDS3. Just started using it (2 days). I am being harassed by someone who scans my ports. Up to 665 scans in 4 hours. The portscans always follow a reset of my dialup connection. When I reconnect the scans start and will keep on till I disconnect. Sometimes I get disconnected again and when I reconnect, it starts again. My connection is set up never to hang up when idle. I use Outpost firewall, which detects these portscans. It's done on TCP (445) and 99% of the scans are from the same IP address range.

    I did a Trace Target Host and get this:

    22:13:53 [Trace] Tracing route to (tpr-ip-nas-ov-1-p241.telkom-ipnet.co.za)
    22:13:54 [Trace] 02: 218ms (wblv-ip-esr-1-atm-5-0-0-6.telkom-ipnet.co.za)
    22:13:55 [Trace] 03: 236ms (wblv-ip-er-1-fe-11-1-0-2.telkom-ipnet.co.za)
    22:13:56 [Trace] 04: 453ms (tpr-ip-er-1-ge-3-0-0.telkom-ipnet.co.za)
    22:13:57 [Trace] 05: 469ms (tpr-ip-nas-ov-1-fe-0.telkom-ipnet.co.za)
    22:14:10 [Trace] 6: ICMP error or host not responding
    22:14:22 [Trace] 07:11452ms (tpr-ip-nas-ov-1-p241.telkom-ipnet.co.za)
    22:14:22 [Trace] Trace complete!

    IP addresses (trace 2) and (trace 3) figure in most of the tracings.

    What can I deduce from this? Is trace 05 the culprit, or is it trace 02 and 03?

    What is happening here and what can I do to stop this?
    I have reported this to my ISP and sent them logfiles of the incidents. They replied that they will investigate and that's it. This has been going on for 2 months now.

    I am desperate and really p.....off!!!
  2. Pilli

    Pilli Registered Member

    Feb 13, 2002
    Hampshire UK
    Hi User Name, first get all the latest security patches for your operating system.
    Get the latest TDS3 radius file from here:
    http://tds.diamondcs.com.au/index.php?page=update, follow the instructions on the update page and disable your AV if it is running resident.
    Next restart your AV & update with the latest definitions, and then run a full scan.
    Get a free copy of AdAware from www.lavasoft.de and run a full scan, as I think you have spyware on your machine.
    You could also try running Spybot Search & Destroy.

    Please report back your findings, as further instructions may be necessary.

  3. Andreas1

    Andreas1 Security Expert

    Jan 29, 2003
    Mainz (Ger)
    What your trace reveals is the route to the origin of the portscans (I suppose that's the IP you have in your "target" field in TDS when you do the trace). But then the first two IP addresses are those that are nearest to you, i.e. your next upstream routers. They will be the same for lots and lots of connections. Interesting, though, that it all seems to happen within one and the same ISP. It could very well be that one of their clients is running an automated port-scan of all the other ISP's clients. (Probably if so, then he's on dialup and will have a different IP each time - but from the same ISP ... and even with *his* upstream routers (i.e. the pre-last in your traces) the same every time.)

    You could resolve a few of the other IPs that have been scanning you and see if they are on the same ISP. Also, if they are, trace them and compare the pre-last routers.

    That should at least give us more to work with.
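
The comparison suggested in the reply above, as an added example that is not part of the original thread: it parses several traces in the TDS log format shown in the first post and groups the scan sources by the last responding router before the target. The function names and the `.example` hostnames are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: three traces in the TDS log format shown in the thread.
# Hostnames under .example are placeholders, not real routers.
SAMPLE = """\
22:13:53 [Trace] Tracing route to (dial-p241.isp.example)
22:13:54 [Trace] 02: 218ms (edge-a.isp.example)
22:13:55 [Trace] 03: 236ms (edge-b.isp.example)
22:13:57 [Trace] 05: 469ms (nas-1.isp.example)
22:14:10 [Trace] 6: ICMP error or host not responding
22:14:22 [Trace] 07:11452ms (dial-p241.isp.example)
22:14:22 [Trace] Trace complete!
23:01:10 [Trace] Tracing route to (dial-p017.isp.example)
23:01:11 [Trace] 02: 220ms (edge-a.isp.example)
23:01:12 [Trace] 03: 241ms (edge-b.isp.example)
23:01:13 [Trace] 04: 470ms (nas-1.isp.example)
23:01:14 [Trace] 05: 900ms (dial-p017.isp.example)
23:01:14 [Trace] Trace complete!
23:30:00 [Trace] Tracing route to (host9.other.example)
23:30:01 [Trace] 02: 219ms (edge-a.isp.example)
23:30:02 [Trace] 03: 300ms (gw.other.example)
23:30:03 [Trace] 04: 350ms (host9.other.example)
23:30:03 [Trace] Trace complete!
"""

START = re.compile(r"\[Trace\] Tracing route to \((\S+)\)")
# \s* tolerates the missing space in lines such as "07:11452ms".
HOP = re.compile(r"\[Trace\] (\d+):\s*(\d+)ms \((\S+)\)")

def parse_traces(log):
    """Return {target: [responding hop hostnames in order]}."""
    traces, target = {}, None
    for line in log.splitlines():
        if m := START.search(line):
            target = m.group(1)
            traces[target] = []
        elif target and (m := HOP.search(line)):
            traces[target].append(m.group(3))  # non-responding hops never match
    return traces

def group_by_penultimate(traces):
    """Group scan sources by the last responding router before the target."""
    groups = defaultdict(list)
    for target, hops in traces.items():
        path = hops[:-1] if hops and hops[-1] == target else hops
        if path:
            groups[path[-1]].append(target)
    return dict(groups)

if __name__ == "__main__":
    for router, sources in group_by_penultimate(parse_traces(SAMPLE)).items():
        print(f"{router}: {len(sources)} source(s) -> {', '.join(sources)}")
```

In the constructed sample the first hop is common to all three traces, which says nothing about the source; only the shared last router before the target ties two of the scanning addresses together.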

  4. A10Shun

    A10Shun Guest

    Thanks Pilli and Andreas1, will do this and see what happens and report back.