Malicious port hits question(s)

Discussion in 'other firewalls' started by spy1, Feb 12, 2005.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I get hits on ports that are - more or less - totally associated with various types of evildoers looking for a way in.

    Such as:

    17-1-2005 - 13:51:9 -> 596-> From system::212.194.85.151:4381: On port : 12345 Connected
    17-1-2005 - 13:51:10 -> -> From system::212.194.85.151:4381: On port : 12345 Disconnected
    17-1-2005 - 13:51:10 -> 508-> From system::212.194.85.151:4385: On port : 27374 Connected
    17-1-2005 - 13:51:11 -> -> From system::212.194.85.151:4385: On port : 27374 Disconnected

    19-1-2005 - 8:13:5 -> 576-> From system::220.116.237.75:2472: On port : 12345 Connected
    19-1-2005 - 8:13:6 -> -> From system::220.116.237.75:2472: On port : 12345 Disconnected

    20-1-2005 - 10:12:59 -> 576-> From system::65.66.177.231:3684: On port : 12345 Connected
    20-1-2005 - 10:13:0 -> -> From system::65.66.177.231:3684: On port : 12345 Disconnected
    20-1-2005 - 10:13:0 -> 560-> From system::65.66.177.231:3688: On port : 27374 Connected
    20-1-2005 - 10:13:0 -> -> From system::65.66.177.231:3688: On port : 27374 Disconnected

    26-1-2005 - 18:4:47 -> 576-> From system::206.74.31.21:4884: On port : 31337 Connected
    26-1-2005 - 18:5:17 -> -> From system::206.74.31.21:4884: On port : 31337 Disconnected


    12-2-2005 - 18:28:15 -> 584-> From system::206.74.31.21:1868: On port : 31337 Connected
    12-2-2005 - 18:28:45 -> -> From system::206.74.31.21:1868: On port : 31337 Disconnected

    I'm not worried about these, I'm just curious about the last four numbers in each IP addy - what is that? Is it a unique identifier of the actual user of that particular ISP? Or what?

    And - given the fact that most of those hits are originating from my ISP - does that have any significance, other than that it could be someone from my own ISP doing it? Surely it's not my ISP itself probing me on those ports, right? Pete
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Pete....I believe the four numbers to be the port # the Source computer used to reach your Computer's Destination port.
    • From system::65.66.177.231:3688: On port : 27374 Connected

      --Source PC=65.66.177.231 sent packets on port 3688 to see if you had Sub-seven listening on port 27374

    • From system::65.66.177.231:3684: On port : 12345 Disconnected

      --Source PC=65.66.177.231 sent packets on port 3684 to see if you had Net-bus listening on port 12345
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thanks, Bubba.

    Is there anything either free or relatively in-expensive that could pinpoint exactly who's doing that? Something uniquely identifiable from their end? Pete
     
  4. Beefcarver

    Beefcarver Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    263
    Location:
    michigan
    BlackIce PC Protection has intruder detection that will identify and tell you who and what they are looking for; it will also block the attacks.
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    You're welcome, Pete....but no....I do not have any personal experience today of any of the software packages that could possibly accomplish that. I gave up reading and worrying about the log contents many moons ago....because I simply started viewing those unsolicited messages as Internet background noise.

    However....I have heard a lot of folks talking/posting about ganging up and turning their logs in to myNetWatchman.

     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Bubba - Yes, I'm already doing the MNW thing (I'll look at its logs tomorrow).

    Beefcarver - I might just give that one a look - I like tools with an edge. Pete
     
  7. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    I asked a question like yours, and I think the reason the scans are coming from your ISP is because they could be worms. When a worm gets on a system, some are programmed to scan ports using the same beginning octets, either just the first or both the first and second. That way they are more likely to scan addresses that people use, I suppose.

    Here's a post on intrusion detection software.
    https://www.wilderssecurity.com/showpost.php?p=371463&postcount=3

    I haven't ever used intrusion detection software so I don't know how they work, but I found out a lot about what was happening with my connection by running NetMeter, which shows when you have network activity, and using a packet sniffer to see what was happening when I did see traffic that I couldn't account for. I did that for a whole day and learned about what all the unaccounted-for activity is. :)
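An added example (not code from this thread or from any firewall product) that puts Bubba's reading of the log line above (source address and the scanner's own source port, then the local port that was probed) and iceni60's same-leading-octets observation into one small parser. It runs over the lines quoted in the first post plus two constructed lines from an RFC 5737 documentation address, labels each probed port with the backdoor that historically listened there, measures how long each connection stayed open, and counts the leading octets each source shares with an assumed local address. `MY_IP`, the two `203.0.113.77` lines and the name `counter` for the second numeric field (whose meaning the thread does not give) are assumptions for the example:

```python
"""Parse the firewall log format quoted in the thread and explain each hit."""
import re
from collections import defaultdict
from datetime import datetime

# Destination ports named in the thread and the backdoor that historically listened on each.
TROJAN_PORTS = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}

MY_IP = "203.0.113.5"  # placeholder for the local public address (assumption, RFC 5737 range)

# One line:  d-m-yyyy - h:m:s -> <counter>-> From system::<src_ip>:<src_port>: On port : <dst_port> <event>
LOG_RE = re.compile(
    r"^(?P<date>\d{1,2}-\d{1,2}-\d{4}) - (?P<time>\d{1,2}:\d{1,2}:\d{1,2}) -> "
    r"(?P<counter>\d*)-> From system::(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):"
    r"(?P<src_port>\d+): On port : (?P<dst_port>\d+) (?P<event>Connected|Disconnected)$"
)

# First six lines are copied from the thread; the last two are constructed for the example.
SAMPLE_LOG = """\
17-1-2005 - 13:51:9 -> 596-> From system::212.194.85.151:4381: On port : 12345 Connected
17-1-2005 - 13:51:10 -> -> From system::212.194.85.151:4381: On port : 12345 Disconnected
17-1-2005 - 13:51:10 -> 508-> From system::212.194.85.151:4385: On port : 27374 Connected
17-1-2005 - 13:51:11 -> -> From system::212.194.85.151:4385: On port : 27374 Disconnected
26-1-2005 - 18:4:47 -> 576-> From system::206.74.31.21:4884: On port : 31337 Connected
26-1-2005 - 18:5:17 -> -> From system::206.74.31.21:4884: On port : 31337 Disconnected
12-2-2005 - 18:28:15 -> 584-> From system::203.0.113.77:1868: On port : 12345 Connected
12-2-2005 - 18:28:16 -> -> From system::203.0.113.77:1868: On port : 12345 Disconnected
"""


def parse_line(line):
    """Split one log line into its fields; returns None for a line in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "when": datetime.strptime(f"{m['date']} {m['time']}", "%d-%m-%Y %H:%M:%S"),
        "counter": m["counter"],          # second numeric field; the thread does not say what it is
        "src_ip": m["src_ip"],
        "src_port": int(m["src_port"]),   # the scanner's ephemeral source port ("the last four numbers")
        "dst_port": int(m["dst_port"]),   # the local port being probed
        "event": m["event"],
    }


def parse_log(text):
    return [h for h in map(parse_line, text.splitlines()) if h]


def shared_octets(ip_a, ip_b):
    """How many leading dotted-quad octets two addresses have in common (0..4)."""
    n = 0
    for a, b in zip(ip_a.split("."), ip_b.split(".")):
        if a != b:
            break
        n += 1
    return n


def sessions(hits):
    """Pair each Connected with the next Disconnected for the same (src_ip, src_port).

    Returns (src_ip, src_port, dst_port, seconds_open) tuples in log order.
    """
    open_at, out = {}, []
    for h in hits:
        key = (h["src_ip"], h["src_port"])
        if h["event"] == "Connected":
            open_at[key] = h
        elif key in open_at:
            start = open_at.pop(key)
            secs = int((h["when"] - start["when"]).total_seconds())
            out.append((h["src_ip"], h["src_port"], start["dst_port"], secs))
    return out


def summarize(hits, my_ip=MY_IP):
    """Per source host: which backdoor ports it tried and how many leading octets it shares with my_ip."""
    probed = defaultdict(set)
    for h in hits:
        if h["event"] == "Connected":
            probed[h["src_ip"]].add(h["dst_port"])
    return {
        src: {
            "probed": sorted(TROJAN_PORTS.get(p, f"port {p}") for p in ports),
            "shared_octets": shared_octets(src, my_ip),
        }
        for src, ports in probed.items()
    }


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for src, info in summarize(hits).items():
        print(f"{src:16} probed {', '.join(info['probed'])}; "
              f"shares {info['shared_octets']} leading octet(s) with {MY_IP}")
    for src, sport, dport, secs in sessions(hits):
        print(f"{src}:{sport} -> local port {dport} held open {secs}s")
```

Replace `MY_IP` with your own public address before feeding in a real log; a source with three shared octets sits in the same /24 as you, which is what the worm-locality explanation predicts, while a source with zero is plain Internet background. The session length is worth keeping: the 31337 probes in the thread stay connected for 30 seconds where the NetBus and SubSeven ones drop after a second, which is the kind of detail that separates one scanner from another in a myNetWatchman submission.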
     
  8. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Words are for me easier to understand than expressions, and therefore I'm not sure I really understand Spy's wishes.

    I'll just give some free network utilities and i hope you may find one of them useful:

    ***Radmin utilities: http://www.radmin.com/utility/ (Framatech network utilities)

    ***ShowTraffic (monitor and can capture packets):

    http://demosten.com/showtraf/

    ***The famous Ethereal (Protocol Analyzer):

    http://www.ethereal.com/

    ***IPTicker (monitor in real time your IP connections):

    http://www.soft-trek.com.au/prjIPTicker.asp

    ***eStop (show TCP connections):

    http://www.nwpsw.com/estopmain.html

    Best Regards
     
  9. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    Dude, just do some quick, easy (and free) reverse DNS lookups using a command window. There, see? I just found your first IP there: 206.74.31.21 is fmdt7-21.2wcm.comporium.net. Sounds fishy to me. You can also go to www.smartwhois.com to do some Whois lookups on those IPs. It looks like SmartWhois may be down for the moment. You can have all your whois needs satisfied at www.iana.org.
     