Increased number of port scans recently

Discussion in 'other firewalls' started by BP999, Dec 13, 2005.

Thread Status:
Not open for further replies.
  1. BP999

    BP999 Registered Member

    Joined:
    Dec 7, 2005
    Posts:
    7
    I'm running Sygate Pro 5.5 2710 on XP Pro SP2.

    For approximately the last 10 days, I've noticed an increase in the number of port scans. Anyone noticed a trend?

    Most of them are from ranges in China.
    Zombie machines? If so, why so many ranges from China?

    Here are some of the repeat offenders:

    Thailand:202.59.224.0-202.59.251.255
    Internap:64.74.0.0-64.74.255.255
    Germany:85.72.192.0-85.72.223.255
    China1:202.111.173.0-202.111.173.127
    China2:61.189.128.0-61.189.255.255
    China3:219.154.0.0-219.157.255.255
    China4:222.132.0.0-222.135.255.255
    China6:219.146.0.0-219.147.31.255
    China7:221.10.0.0-221.10.255.255
    China8:218.27.0.0-218.27.255.255
    Korea:220.72.0.0-220.87.255.255

    (The names (China1, China2, etc.) are ones I assigned to the ranges when I added them to PeerGuardian.)

    I have Sygate set to "automatically block attackers address for 999999 seconds." :p

    My most common ports hit were: 1026, 44776, 1027, 3, 1031, 2, 1033, 111, and 10000.

    For example, China Network Communications Group Corporation ( 222.132.0.0 - 222.135.255.255) has hit port 1026 42 times according to my logs.


    I found some pertinent information here: http://www.mynetwatchman.com/
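
Added example, not part of the original post or of any tool named in the thread: a short Python script that turns "Label:start-end" ranges like the ones listed above into CIDR blocks and tallies blocked hits per label and port. The `source_ip destination_port` log format, the sample log lines and the function names are assumptions made for illustration; a real firewall log export would need its own line parser.

```python
import ipaddress
from collections import Counter

# Three of the labelled ranges from the post, in its "Label:start-end" form.
RANGES_TEXT = """\
China4:222.132.0.0-222.135.255.255
China6:219.146.0.0-219.147.31.255
Korea:220.72.0.0-220.87.255.255
"""

# Constructed sample log, hypothetical "source_ip destination_port" format.
SAMPLE_LOG = """\
222.133.10.5 1026
222.132.200.1 1026
222.135.255.255 1027
219.147.31.255 1026
219.147.32.0 1026
220.80.1.9 1027
198.51.100.7 111
not-an-ip 1026
"""


def parse_ranges(text):
    """Map each label to the CIDR networks that exactly cover its start-end range."""
    ranges = {}
    for line in filter(str.strip, text.splitlines()):
        label, span = line.strip().split(":", 1)
        first, last = (ipaddress.IPv4Address(p.strip()) for p in span.split("-"))
        ranges[label] = list(ipaddress.summarize_address_range(first, last))
    return ranges


def tally(log_text, ranges):
    """Count hits per (label, port); sources in no listed range count as 'unlisted'."""
    counts = Counter()
    for line in log_text.splitlines():
        try:
            src, port = line.split()
            addr, port = ipaddress.IPv4Address(src), int(port)
        except ValueError:
            continue  # skip malformed lines instead of aborting the whole tally
        label = next((name for name, nets in ranges.items()
                      if any(addr in net for net in nets)), "unlisted")
        counts[label, port] += 1
    return counts


if __name__ == "__main__":
    ranges = parse_ranges(RANGES_TEXT)
    for label, nets in ranges.items():
        print(label, [str(n) for n in nets])
    for (label, port), hits in tally(SAMPLE_LOG, ranges).most_common():
        print(f"{label:9} port {port:<6} {hits} hit(s)")
```

Ranges that do not fall on a single prefix boundary come out as several CIDR blocks, which is the form most router and firewall block lists expect.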
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Why worry about it? Sygate will block any and all incoming by default, you don't even need to block them for xxx seconds. It's just most likely your typical internet noise and it won't hurt anything. Just let Sygate block it and forget about it..
     
  3. BP999

    BP999 Registered Member

    Joined:
    Dec 7, 2005
    Posts:
    7
    I'm not worried about it a bit. I've got XP hardened: no NetBIOS, no DCOM, no IE, no Outlook (thanks to a custom nLite install).


    I have read that network chatter can be mistaken for port scans.


    I'm simply curious as to why there is a correlation (if indeed there is one) between actual port scans and Chinese ranges.


    The bottom line is I'd like to know. ;)
     
  4. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    I recently have logged some potential malicious connections (from China also); unfortunately I didn't have any firewall so my machine responded to these ICMP connections, this is sat behind my router, with only 2 ports open for emule.

    My router since then is blocking a lot more traffic... all China based IP addresses (all DoS blocked).

    PeerGuardian over the last month has logged an increase in blocked connections from China (I block everything possible!).
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    See the current block file list:

    http://isc.sans.org/top10.php

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     