Thread: help needed with whois programs

    Junior Member
    Join Date
    Dec 2002

    help needed with whois programs

    hello all

    Firstly, I'll start by telling you everything, as I've posted other posts and AO members needed more info from me to help me, so if you're wondering why's he telling all this unnecessary stuff....that's why..

    My problem is:
    I have a P4 running WinXP
    ZoneAlarm for a firewall

    I keep getting so-called port scan alerts from my firewall from various IP addresses trying various ports.....so I thought I'll find out who is port scanning me and report them to their ISPs...but when I do a "whois" I get some from outer Mongolia and some from my own ISP....my point being, how do I know a malicious spotty teenager from the so-called legitimate internet traffic.....any help would be gratefully accepted



    Sorry, I forgot to add

    Final results obtained from whois.ripe.net.
    % This is the RIPE Whois server.
    % The objects are in RPSL format.
    % Rights restricted by copyright.
    % See http://www.ripe.net/ripencc/pub-serv...copyright.html

    inetnum: -
    netname: TIN
    descr: Telecom Italia S.p.A.
    descr: E@sy.ip service in OSPF Area 12
    descr: Wholesale service for ISP
    country: IT
    admin-c: BS104-RIPE
    tech-c: BS104-RIPE
    status: ASSIGNED PA
    remarks: Please send abuse notification to abuse@telecomitalia.it
    notify: net_ti@telecomitalia.it
    mnt-by: TIWS-MNT
    changed: claudio.ciotola@telecomitalia.it 20001120
    changed: net_ti@telecomitalia.it 20011019
    source: RIPE

    origin: AS3269
    mnt-by: INTERB-MNT
    changed: cgiadmin@cgi.interbusiness.it 20000118
    source: RIPE

    address: Via Val Cannuta, 250
    address: I-00100 Roma
    address: Italy
    phone: +39 06 36881
    e-mail: ripe-staff@telecomitalia.it
    nic-hdl: BS104-RIPE
    notify: ripe-staff@telecomitalia.it
    changed: net_ti@telecomitalia.it 20001019
    source: RIPE

    That's the bumf I get from the whois; I am assuming it's come from Italy??
    Can anyone help me in understanding the above?

    Thanks again, waterboy

    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Well, ZoneAlarm is pretty bad about reporting/blocking things it shouldn't (like return traffic if you have a very high latency connection, or leave stuff open/connected a long time). There are a few questions you should ask yourself:

    1) Was I connected to the supposed attacker at any time for any reason (hard to say, but for example, pop-up web ads, you might not realize you went to that site). Look at the source port of the attacker, look at the destination. If on your side (destination port), it is a very high numbered/random port, but on the source side, it is very low (less than 1024, a perfect example being 80), chances are high that it is, in all likelihood, legitimate traffic (a response to something you requested). FTP is notorious for looking like an attack when it is really the server just opening up a data channel to send the file back to your client.

    2) What port was accessed? 137? 80, 25, 23, ? 31337 ? Is it a known port for a web server or some trojan ? It could be someone just doing a scan, or it could be more, hard to tell if you don't have an IDS.

    3) Get something like Agnitum Outpost that has a built-in IDS function that would help you figure this out a little bit better (and IMHO give you more control and information than ZoneAlarm, and hence it is a little harder to set up). There are other firewalls out there that give you the same thing (the one that PGP had was one) and there are probably other programs out there that have IDS functionality (although not sure how well that would interact with your firewall).

    Biggest thing is focus on the port (source and destination) ...

    Hope that helps,

    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
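    As an added example (not from the thread or from any poster), here is a small Python triage script that applies nebulus200's source/destination port heuristic to a handful of constructed, ZoneAlarm-style alert lines. The line layout, the documentation-range IP addresses and the helper names are all assumptions made for the example; a real firewall log would need its own regular expression.

```python
# Added example (not from the thread): apply nebulus200's source/destination
# port heuristic to firewall alert lines. The line format below is a constructed
# ZoneAlarm-style layout, and all addresses come from documentation ranges.
import re

# Constructed sample alerts, as seen from the home machine 198.51.100.7.
SAMPLE_ALERTS = [
    "2002-12-05 20:14:03 TCP 192.0.2.10:80 -> 198.51.100.7:3412",
    "2002-12-05 20:14:09 TCP 192.0.2.20:20 -> 198.51.100.7:1057",
    "2002-12-05 20:15:30 TCP 203.0.113.5:4521 -> 198.51.100.7:137",
    "2002-12-05 20:15:31 TCP 203.0.113.5:4522 -> 198.51.100.7:31337",
    "2002-12-05 20:16:00 UDP 203.0.113.9:53 -> 198.51.100.7:1043",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports nebulus200 names as worth a second look when they are the destination.
SERVICE_PORTS = {23: "telnet", 25: "smtp", 80: "http", 137: "netbios-ns"}
TROJAN_PORTS = {31337: "port commonly associated with trojans"}


def parse_alert(line):
    """Return a dict of fields for one alert line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def classify(alert):
    """Apply the heuristic: a low source port answering a high (ephemeral)
    destination port on our side usually means a reply to something we asked
    for; a low destination port on our side means someone is knocking on a
    service port unasked."""
    sport, dport = alert["sport"], alert["dport"]
    if sport < 1024 and dport >= 1024:
        if sport == 20:
            return "likely-return-traffic", "FTP data channel (server port 20) back to the client"
        return "likely-return-traffic", f"service port {sport} answering ephemeral port {dport}"
    if dport in TROJAN_PORTS:
        return "suspicious", f"{TROJAN_PORTS[dport]} ({dport})"
    if dport in SERVICE_PORTS:
        return "unsolicited-probe", f"inbound to {SERVICE_PORTS[dport]} port {dport}"
    return "unknown", "no heuristic matched; keep the log and watch for repeats"


def triage(lines):
    """Classify each parsable alert; returns (src, sport, dport, verdict, reason) tuples."""
    results = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        verdict, reason = classify(alert)
        results.append((alert["src"], alert["sport"], alert["dport"], verdict, reason))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

    The point of the script is the same one nebulus200 makes: most "attacks" a personal firewall reports are replies to connections the machine itself opened, and the port pair tells you that before any whois does. Only the lines that land on a service port unasked are worth keeping as evidence for an abuse complaint.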

    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Firstly, you cannot determine whether you are looking at a "malicious spotty teenager" from a whois any more than you can tell a male from a female by looking only at the zit on their cheek....<s>

    A whois is useful for determining the ISP and contact information when you have decided that there is something awry with a certain machine or user. It does not tell you that the owner of the machine at is Bill Smith at 123 high street, bigtown, USA, it tells you that the address block that encompasses the IP address in question is owned by XXX company in YYY town USA. Remember also that just because an address block is owned by a company in say Germany, it does not mean that the actual IP address itself is in Germany. It may still be in the USA. That's where you would use a tracert to determine the exact route to the target and, if need be, do a whois against every hop to see where your target most likely is geographically.

    The only really useful line for you in that whole mess was the one telling you where to send your abuse complaints to. Remember also that the act of portscanning may not be illegal in Italy, (it is in some countries I believe), so complaining about scans will get you no response. If however you can document, (with logs from your firewall), more nefarious activities by a machine within their netblock you can have the offending IP owner kicked by the ISP by sending that proof to the abuse address.

    For the more advanced amongst you - yes, I know that a whois can provide other interesting tidbits to crackers - especially info that might be able to be used for social engineering..... I just didn't want to confuse the issue......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
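    To show what AO Ancient means by "the only really useful line in that whole mess", here is an added Python example (not from the thread or from RIPE) that parses an RPSL-style whois response into its objects and pulls out the fields a complaint actually needs: the netname, the registrant country, the announcing AS and the abuse contact. The sample text is constructed after the record waterboy pasted; the inetnum range is a placeholder from a documentation block, and the RIPE database's `abuse-mailbox` attribute is checked as well in case a newer record carries one.

```python
# Added example (not from the thread): extract the actionable fields from a
# RIPE-style (RPSL) whois response. SAMPLE_WHOIS is constructed after the
# record in the thread; the inetnum range is a placeholder.
import re

SAMPLE_WHOIS = """\
% This is the RIPE Whois server.
% The objects are in RPSL format.

inetnum:      192.0.2.0 - 192.0.2.255
netname:      TIN
descr:        Telecom Italia S.p.A.
descr:        E@sy.ip service in OSPF Area 12
country:      IT
admin-c:      BS104-RIPE
tech-c:       BS104-RIPE
status:       ASSIGNED PA
remarks:      Please send abuse notification to abuse@telecomitalia.it
notify:       net_ti@telecomitalia.it
mnt-by:       TIWS-MNT
source:       RIPE

origin:       AS3269
mnt-by:       INTERB-MNT
source:       RIPE

address:      Via Val Cannuta, 250
address:      I-00100 Roma
address:      Italy
phone:        +39 06 36881
e-mail:       ripe-staff@telecomitalia.it
nic-hdl:      BS104-RIPE
source:       RIPE
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_rpsl(text):
    """Split a whois response into blank-line separated objects.
    Each object is a dict of key -> list of values (keys may repeat, e.g. descr).
    Lines starting with '%' or '#' are server comments and are skipped."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def abuse_summary(text):
    """Return the fields needed for an abuse report. Note that 'country' is the
    registrant's country for the address block, not where the host sits."""
    summary = {"inetnum": None, "netname": None, "country": None,
               "origin_as": None, "abuse_contacts": []}
    for obj in parse_rpsl(text):
        if "inetnum" in obj:
            summary["inetnum"] = obj["inetnum"][0]
            summary["netname"] = obj.get("netname", [None])[0]
            summary["country"] = obj.get("country", [None])[0]
        if "origin" in obj:
            summary["origin_as"] = obj["origin"][0]
        # Prefer an explicit abuse-mailbox attribute; otherwise look for an
        # address in free-text remarks, which is where this record keeps it.
        summary["abuse_contacts"].extend(obj.get("abuse-mailbox", []))
        for remark in obj.get("remarks", []):
            summary["abuse_contacts"].extend(EMAIL_RE.findall(remark))
    # De-duplicate while keeping order.
    summary["abuse_contacts"] = list(dict.fromkeys(summary["abuse_contacts"]))
    return summary


if __name__ == "__main__":
    for k, v in abuse_summary(SAMPLE_WHOIS).items():
        print(f"{k}: {v}")
```

    The parser deliberately ignores `changed:` and `notify:` lines even though they carry e-mail addresses: they are maintainer bookkeeping, not a complaint channel. Whatever this script reports, the log lines from the firewall still have to be attached to the report, as AO Ancient says, for the ISP to act on it.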

    Junior Member
    Join Date
    Dec 2002
    Cheers chaps

    I've just uninstalled ZoneAlarm and installed Agnitum Outpost; seems a lot better but a little harder to configure, still I'll get there in the end......

    To all other newbies wondering about firewalls: ZoneAlarm is idiot proof, which is why I liked it, but this Agnitum firewall is a lot better but a little harder to configure, so I recommend starting with ZoneAlarm for a few weeks, then when you get used to what it does and how to allow/stop internet activity go on to Agnitum...cos I also found ZoneAlarm seemed to slow my internet..as I'm only on 56k it's slow enough

    Thanks again chaps for your help in this matter

    a man with hole in his pocket feels cocky all day

    Senior Member
    Join Date
    Jan 2002
    I recommend you read my tutorial on how to identify traffic which isn't an attack.

    Here http://www.antionline.com/showthread...hreadid=236583

    Senior Member
    Join Date
    Jan 2002

    I've just uninstalled ZoneAlarm and installed Agnitum Outpost; seems a lot better but a little harder to configure, still I'll get there in the end......
    To all other newbies wondering about firewalls: ZoneAlarm is idiot proof, which is why I liked it, but this Agnitum firewall is a lot better ...... etc. waterboy

    waterboy: ZoneAlarm is not idiot, but it's hard for newbies to recognize normal traffic from attacks, and u can always check ur blocked traffic in ZoneAlarm.


