I get hits on ports that are - more or less - totally associated with various types of evildoers looking for a way in. Such as:
17-1-2005 - 13:51:9 -> 596-> From system::212.194.85.151:4381: On port : 12345 Connected
17-1-2005 - 13:51:10 -> -> From system::212.194.85.151:4381: On port : 12345 Disconnected
17-1-2005 - 13:51:10 -> 508-> From system::212.194.85.151:4385: On port : 27374 Connected
17-1-2005 - 13:51:11 -> -> From system::212.194.85.151:4385: On port : 27374 Disconnected
19-1-2005 - 8:13:5 -> 576-> From system::220.116.237.75:2472: On port : 12345 Connected
19-1-2005 - 8:13:6 -> -> From system::220.116.237.75:2472: On port : 12345 Disconnected
20-1-2005 - 10:12:59 -> 576-> From system::65.66.177.231:3684: On port : 12345 Connected
20-1-2005 - 10:13:0 -> -> From system::65.66.177.231:3684: On port : 12345 Disconnected
20-1-2005 - 10:13:0 -> 560-> From system::65.66.177.231:3688: On port : 27374 Connected
20-1-2005 - 10:13:0 -> -> From system::65.66.177.231:3688: On port : 27374 Disconnected
26-1-2005 - 18:4:47 -> 576-> From system::206.74.31.21:4884: On port : 31337 Connected
26-1-2005 - 18:5:17 -> -> From system::206.74.31.21:4884: On port : 31337 Disconnected
12-2-2005 - 18:28:15 -> 584-> From system::206.74.31.21:1868: On port : 31337 Connected
12-2-2005 - 18:28:45 -> -> From system::206.74.31.21:1868: On port : 31337 Disconnected
I'm not worried about these, I'm just curious about the last four numbers in each IP addy - what is that? Is it a unique identifier of the actual user of that particular ISP? Or what? And - given the fact that most of those hits are originating from my ISP - does that have any significance, other than that it could be someone from my own ISP doing it? Surely it's not my ISP itself probing me on those ports, right?
Pete
Pete....I believe the four numbers to be the port # the Source computer used to reach your Computer's Destination port.
From system::65.66.177.231:3688: On port : 27374 Connected
--Source PC=65.66.177.231 sent packets on port 3688 to see if you had Sub-seven listening on port 27374
From system::65.66.177.231:3684: On port : 12345 Disconnected
--Source PC=65.66.177.231 sent packets on port 3684 to see if you had Net-bus listening on port 12345
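Added example, not part of the original thread: a small Python parser for the log format in the first post that separates the remote source port (the "last four numbers" asked about) from the local port being probed. The NetBus and SubSeven labels come from the reply above; the 31337 label and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# 12345 and 27374 are labelled in the thread; the 31337 label is an assumption
# added here (the traditional Back Orifice default port).
TROJAN_PORTS = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}

# One entry of the firewall log format quoted in the first post. The number
# between the two arrows is not explained in the thread, so it is skipped.
LINE_RE = re.compile(
    r"(?P<date>\d{1,2}-\d{1,2}-\d{4}) - (?P<time>\d{1,2}:\d{1,2}:\d{1,2}) -> \d*-> "
    r"From system::(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d{1,5}): "
    r"On port : (?P<dst_port>\d{1,5}) (?P<event>Connected|Disconnected)"
)

def parse_line(line):
    """Return a dict for one log entry, or None if the line does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec

def summarize(lines):
    """Map source IP -> [(source port, probed local port, label)] for connects."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "Connected":
            continue  # skip malformed lines and the paired Disconnected entries
        label = TROJAN_PORTS.get(rec["dst_port"], "unlisted")
        probes[rec["src_ip"]].append((rec["src_port"], rec["dst_port"], label))
    return dict(probes)

# Sample entries copied from the log in the first post.
SAMPLE = [
    "17-1-2005 - 13:51:9 -> 596-> From system::212.194.85.151:4381: On port : 12345 Connected",
    "17-1-2005 - 13:51:10 -> -> From system::212.194.85.151:4381: On port : 12345 Disconnected",
    "17-1-2005 - 13:51:10 -> 508-> From system::212.194.85.151:4385: On port : 27374 Connected",
    "26-1-2005 - 18:4:47 -> 576-> From system::206.74.31.21:4884: On port : 31337 Connected",
    "12-2-2005 - 18:28:15 -> 584-> From system::206.74.31.21:1868: On port : 31337 Connected",
]

if __name__ == "__main__":
    for ip, hits in summarize(SAMPLE).items():
        for src_port, dst_port, label in hits:
            print(f"{ip} (source port {src_port}) -> local port {dst_port} [{label}]")
```

The source port changes with every connection from the same address (4381, then 4385), so it identifies a single connection, not a user.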
Thanks, Bubba. Is there anything either free or relatively inexpensive that could pinpoint exactly who's doing that? Something uniquely identifiable from their end?
Pete
BlackICE PC Protection has intruder detection that will identify and tell you who and what they are looking for; it will also block the attacks.
You're welcome, Pete....but no....I do not have any personal experience today of any of the software packages that could possibly accomplish that. I gave up reading and worrying about the log contents many moons ago....because I simply started viewing those unsolicited messages as Internet background noise. However....I have heard a lot of folks talking/posting about ganging up and turning their logs in to myNetWatchman.
Bubba - Yes, I'm already doing the MNW thing (I'll look at its logs tomorrow).
Beefcarver - I might just give that one a look - I like tools with an edge.
Pete
I asked a question like yours, and I think the reason the scans are coming from your ISP is because they could be worms. When a worm gets on a system, some are programmed to scan ports using the same beginning octets, either just the first or both the first and second. That way they are more likely to scan addresses that people use, I suppose. Here's a post on intrusion detection software: https://www.wilderssecurity.com/showpost.php?p=371463&postcount=3
I haven't ever used intrusion detection software so I don't know how they work, but I found out a lot about what was happening with my connection by running NetMeter, which shows when you have network activity, and using a packet sniffer to see what was happening when I did see traffic that I couldn't account for. I did that for a whole day and learned about what all the unaccounted for activity is.
Hi,
Words are easier for me to understand than expressions, and therefore I'm not sure I really understand Spy's wishes. I'll just give some free network utilities and I hope you may find one of them useful:
***Radmin utilities: http://www.radmin.com/utility/ (Framatech network utilities)
***ShowTraffic (monitor and can capture packets): http://demosten.com/showtraf/
***The famous Ethereal (Protocol Analyzer): http://www.ethereal.com/
***IPTicker (monitor in real time your IP connections): http://www.soft-trek.com.au/prjIPTicker.asp
***eStop (show TCP connections): http://www.nwpsw.com/estopmain.html
Best Regards
Dude, just do some quick, easy (and free) reverse DNS lookups using a command window. There, see, I just found your first IP there: 206.74.31.21 is fmdt7-21.2wcm.comporium.net. Sounds fishy to me. You can also go to www.smartwhois.com to do some Whois lookups on those IPs. It looks like SmartWhois may be down for the moment. You can have all your whois needs satisfied at www.iana.org.