Port Scanning!!! Anyone help ????
darkwolfnw
May 20th, 2003, 01:44 PM
My firewall is telling me somebody is scanning the ports on my computer. However, when I try to backtrace the IP from where it is coming from, it is unable to find where it is coming from. I have been in contact with Energis, who is the carrier for my ISP, and even they are not able to locate who it is.
If anyone here knows if there is a way of tracing this scan or who is doing it, it would be very much appreciated, as this has been happening for the past few days and is getting annoying, as sometimes it causes my connection or computer to crash!!
I do have the IP in question so can give details should it be required.
Thanks
P I Lewis - Darkwolfnw
mark_boyle2002
May 20th, 2003, 02:11 PM
Try going to the command prompt and pinging the IP to see if it's alive.
You can Download a freebie set of IP Tools from my website called IP Check. You should be able to resolve the IP with this.
Mark_Boyle2002.
http://itdepartment.0catch.com
Networker
May 20th, 2003, 02:13 PM
Hey Darkwolfnw,
shit happens!
I'm not sure ISPs could help you on this one, since scanning is not illegal and hundreds of thousands are scanned.
Anyway, there is almost no solution to IP backtracking except if it's performed by a dummy from his own computer (you can try an IP locator here (http://www.antionline.com/tools-and-toys/ip-locate/)).
For instance there is the decoy mode, where a flood of scan probes is generated with different IPsrc but only one is valid. In that case it could be very painful and maybe impossible to know exactly which one is the valid one.
If the guy assaulting you sends probes with a unique IPsrc, the best you can do is to configure your firewall with an egress filter on his IP.
I'm just surprised that your PC connection is crashing; maybe you are facing a DoS attack. I'd advise you to take some traces next time and to publish them in this thread (don't forget to hide your own IP).
Hope it helps, and good luck!
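The decoy-mode problem Networker describes, worked through in code as an added example (this is not from the thread or from any tool named in it): a Python script that parses constructed firewall log lines, flags sources probing many ports in a short window, and then groups sources whose probe timing and ports coincide exactly, which is what a decoy scan looks like from the victim's side. The log format, the RFC 5737 addresses, and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (generic "personal firewall" text format, RFC 5737
# addresses; not the IP from the thread). 203.0.113.7, 198.51.100.44 and
# 203.0.113.200 are one decoy scan: same probes, same timing, only one source is
# real. 203.0.113.99 is a plain single-source scan; 198.51.100.9 is a stray packet.
SAMPLE_LOG = """\
2003-05-20 13:40:01 BLOCK TCP 203.0.113.7:54011 -> 192.0.2.10:21
2003-05-20 13:40:01 BLOCK TCP 198.51.100.44:54011 -> 192.0.2.10:21
2003-05-20 13:40:01 BLOCK TCP 203.0.113.200:54011 -> 192.0.2.10:21
2003-05-20 13:40:01 BLOCK TCP 203.0.113.7:54012 -> 192.0.2.10:22
2003-05-20 13:40:01 BLOCK TCP 198.51.100.44:54012 -> 192.0.2.10:22
2003-05-20 13:40:01 BLOCK TCP 203.0.113.200:54012 -> 192.0.2.10:22
2003-05-20 13:40:02 BLOCK TCP 203.0.113.7:54013 -> 192.0.2.10:23
2003-05-20 13:40:02 BLOCK TCP 198.51.100.44:54013 -> 192.0.2.10:23
2003-05-20 13:40:02 BLOCK TCP 203.0.113.200:54013 -> 192.0.2.10:23
2003-05-20 13:40:02 BLOCK TCP 203.0.113.7:54014 -> 192.0.2.10:80
2003-05-20 13:40:02 BLOCK TCP 198.51.100.44:54014 -> 192.0.2.10:80
2003-05-20 13:40:02 BLOCK TCP 203.0.113.200:54014 -> 192.0.2.10:80
2003-05-20 13:40:03 BLOCK TCP 203.0.113.7:54015 -> 192.0.2.10:445
2003-05-20 13:40:03 BLOCK TCP 198.51.100.44:54015 -> 192.0.2.10:445
2003-05-20 13:40:03 BLOCK TCP 203.0.113.200:54015 -> 192.0.2.10:445
2003-05-20 14:05:00 BLOCK TCP 203.0.113.99:1031 -> 192.0.2.10:135
2003-05-20 14:05:01 BLOCK TCP 203.0.113.99:1032 -> 192.0.2.10:139
2003-05-20 14:05:02 BLOCK TCP 203.0.113.99:1033 -> 192.0.2.10:445
2003-05-20 14:05:03 BLOCK TCP 203.0.113.99:1034 -> 192.0.2.10:1433
2003-05-20 14:05:04 BLOCK TCP 203.0.113.99:1035 -> 192.0.2.10:3389
2003-05-20 13:52:10 BLOCK UDP 198.51.100.9:53 -> 192.0.2.10:1026
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(log_text):
    """Turn log lines into event dicts; lines not matching the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append({"ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
                           "proto": d["proto"], "src": d["src"], "dport": int(d["dport"])})
    return events

def find_scanners(events, min_ports=5, window=timedelta(seconds=60)):
    """Map each source that hits >= min_ports distinct ports inside any sliding
    window of `window` seconds to the sorted list of all ports it probed."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["dport"] for e in evs[start:end + 1]}) >= min_ports:
                scanners[src] = sorted({e["dport"] for e in evs})
                break
    return scanners

def decoy_clusters(events, scanners):
    """Group scanning sources whose (time, proto, port) probe sets are identical.
    Decoys come from the same tool run as the real probe, so they share timing
    and ports; the log alone cannot say which cluster member is genuine."""
    fingerprints = defaultdict(set)
    for e in events:
        if e["src"] in scanners:
            fingerprints[e["src"]].add((e["ts"], e["proto"], e["dport"]))
    groups = defaultdict(list)
    for src, fp in fingerprints.items():
        groups[frozenset(fp)].append(src)
    return [sorted(srcs) for srcs in groups.values() if len(srcs) > 1]

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    scanners = find_scanners(evs)
    for src, ports in sorted(scanners.items()):
        print(f"scan from {src}: ports {ports}")
    for cluster in decoy_clusters(evs, scanners):
        print("decoy cluster, real source is one of:", cluster)
```

Run against the constructed log, the three decoy sources come out as one cluster while 203.0.113.99 stands alone, and the single UDP packet is not flagged at all. That is the practical upshot of the post: a per-source block rule works against a lone scanner, but against a decoy cluster you would have to block every member, and the trace you publish should keep the timestamps, since the timing is what exposes the decoys.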
Networker
May 20th, 2003, 03:28 PM
darkwolfnw PM'd me with:
Thanks for that.. when I used the tool it is telling me it is originating in Australia.. and I have had another reply with a tool to try which gave me a website address: http://www.proxyprotector.com
however, typing this in brings up the message "The Page cannot be displayed", yet when I type in the IP address it gives me a page with information on it.
I googled for proxyprotector & I found a thread at insecure.org about them:
http://lists.insecure.org/lists/incidents/2003/May/0109.html ;)
I don't know how much credit we can give to the thread but it's not bad news. They say that proxyprotector is a whitehat for internet scanning only :confused: .
Anyway, if, as the name suggests, that IPsrc is a proxy, you won't be able to backtrack the real source, even more so if the src is a blackhat.
Once more, the best you can do is configure your firewall to drop any packet from that source. But that will not prevent you from losing your internet connection :( . The connection itself is the bottleneck!
I don't really believe your ISP will configure their ACL for you, but you can still give it a try, especially if you have a contact at Energis!
darkwolfnw
May 20th, 2003, 03:40 PM
Thanks for that Networker!! :) Very interesting, that!! It seems strange that when typing the IP you get a site but using the address you get nowhere!!
Thanks for the link there, as that is also very interesting!!!
Nice to know it's not only me these strangers are trying to port scan. My firewall does try and block them but I think I need to go and tweak the settings a little better ;)
But thanks again for your help..
Now let's see how this thread goes.. as I think it may interest some people.
Networker
May 20th, 2003, 03:47 PM
darkwolfnw,
is the IPsrc = 64.201.104.2 ?
darkwolfnw
May 20th, 2003, 03:49 PM
Your email for Abuse@race.com has been received. Please allow us 72 hours for an emailed response.
** PLEASE NOTE
If you are emailing about 64.201.104.2 this customer has been terminated.
Thank you,
Abuse Department
RACE Technologies, Inc.
abuse@race.com
This is an automated response e-mail I have just received from race.com.
Yes, the IP address was indeed 64.201.104.2, but what I don't get is that if they are terminated how can they still do scans and why is it still tracing through race???? Interesting!!!!
Networker
May 20th, 2003, 04:00 PM
ah, ah, ah!
Abuse@race.com had been abused!
n01100110
May 20th, 2003, 04:55 PM
Well, he could be going through a WinGate, which makes it impossible to find out where they are at times.
thehorse13
May 20th, 2003, 05:30 PM
You have to remember a few things when it comes to tracing IP addresses.
1) You will never be able to track down the person unless a log file exists on each server that was used to scan your network. Picture a long chain and you are back tracking link-by-link to see where the chain originates. If you come across a section of chain that has been removed, it is impossible to continue along the chain.
2) If you are lucky enough to trace back an IP to an ISP, there is no guarantee that the ISP will assist you in pinpointing the individual (see AOL as a classic example).
3) Again, even if you trace a connection back to a specific host at a specific ISP, the machine being used may have been compromised as well, thus rendering your attempt to identify the individual void. Worse yet, many attacks come from school computer labs or public libraries. If this is the case then you are really out of luck.
A *great* deal of forensic work is needed to make a positive identification of an attacker. On top of that, conditions must be ideal in order to lock your sights in on the true attacking host. On many occasions, the *only* way that I was able to make a positive ID was to nail the attacker while a live attack was taking place. Again, conditions had to be ideal.
In my opinion, the best thing you can do is have a solid security model in place. You will never be able to stop port scans on the perimeter of your network but if your security model is tight, then this becomes a non issue. Think of it like this. Many people have access to a bank lobby but only select individuals have access to the vault (which would be your data). Who cares if people are able to find out your banking hours or even enter the bank lobby. The bottom line is that the cash is safe in the vault. Make sense?
BTW, SamSpade is a nice tool for tracing IP addresses.
www.samspade.org
Hope this helps!
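On tracing an IP back to its netblock, as in point 2 above and the SamSpade suggestion: an added Python example, not from the thread and not SamSpade's code, that parses a constructed ARIN-style WHOIS reply and picks the most specific allocation covering an address together with its abuse contact. The WHOIS text, organizations and e-mail addresses are invented for the example (RFC 5737 documentation range); real WHOIS output varies by registry, so the field names used here are an assumption.

```python
import ipaddress
import re

# Constructed ARIN-style WHOIS reply for the RFC 5737 range 203.0.113.0/24.
# Two network objects: a parent allocation to an ISP and a smaller block
# reassigned to one of its customers. All names and mailboxes are made up.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-ISP-NET
NetType:        Direct Allocation
OrgName:        Example Regional ISP
OrgAbuseEmail:  abuse@isp.example

NetRange:       203.0.113.64 - 203.0.113.95
CIDR:           203.0.113.64/27
NetName:        EXAMPLE-CUST-NET
NetType:        Reassigned
OrgName:        Example Hosting Customer
OrgAbuseEmail:  abuse@customer.example
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z]+):\s*(?P<value>.*)$")

def parse_whois(text):
    """Split a WHOIS reply into records (blank-line separated); keep only network
    objects, and turn each NetRange into a list of CIDR networks."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group("key")] = m.group("value").strip()
        if "NetRange" not in fields:
            continue  # comment, disclaimer or contact block, not a network object
        lo, hi = (s.strip() for s in fields["NetRange"].split("-", 1))
        fields["networks"] = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        records.append(fields)
    return records

def allocation_chain(ip_text, records):
    """Records covering the address, most specific (longest prefix) first:
    customer reassignment before the upstream ISP allocation."""
    addr = ipaddress.ip_address(ip_text)
    hits = []
    for rec in records:
        for net in rec["networks"]:
            if addr in net:
                hits.append((net.prefixlen, rec))
                break
    hits.sort(key=lambda h: h[0], reverse=True)
    return [rec for _, rec in hits]

def abuse_contact(ip_text, records):
    """Abuse mailbox of the most specific allocation that lists one, or None
    when the address is not covered by any record in the reply."""
    for rec in allocation_chain(ip_text, records):
        if rec.get("OrgAbuseEmail"):
            return rec["OrgAbuseEmail"]
    return None

if __name__ == "__main__":
    recs = parse_whois(SAMPLE_WHOIS)
    for ip in ("203.0.113.70", "203.0.113.200", "198.51.100.5"):
        names = [r["NetName"] for r in allocation_chain(ip, recs)]
        print(ip, "->", names, "abuse:", abuse_contact(ip, recs))
```

Note what the lookup does and does not give you: for 203.0.113.70 it yields the customer block first and the ISP above it, which is the right place to send a complaint, but nothing here names a person or a machine. The next link in the chain thehorse13 describes (which subscriber held that address at that time, or which host behind a proxy originated the connection) exists only in the netblock owner's logs, and if they will not look, or never kept them, the trail ends there.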
cyshaoping
May 22nd, 2003, 09:31 AM
Maybe he uses a proxy.
sectac
May 23rd, 2003, 08:42 PM
If you have a firewall, what are you worried about? People get port scanned all the time; it's not illegal, and it shouldn't be. It's like door-to-door salesmen =p, just you don't know their motives. Have to keep some freedom on the internet though.
darkwolfnw
May 23rd, 2003, 09:09 PM
cyshaoping..
With reference to your post, do you mean I am using a proxy or the people responsible for the port scanning?? Can you clarify this for me please?
sectac,
If you've read some of my previous messages here you can see that when the port scans are being done it is causing my connection and at times even my system to crash. At the mo this is extremely annoying as I am in the middle of extremely important work and as such rely on my connection being active. If the connection breaks it has caused several losses of files during transfer and is annoying.. Personally I think no-one has the right to see what you've got on your computer or what you're doing!! There is such a thing as private space.