help needed with whois programs

[waterboy]

hello all

firstly ill start by telling you everything as ive posted other posts and ao members needed more info from me to help me so if your wondering whys he telling all this unneccessary stuff....thats why..

my problem is
i have a p4 running winxp
zonealarm for a firewall

i keep getting so called port scan alerts from my firewall from varous ip address's and trying various ports.....so i thought ill find out who is port scanning me and report them to there isp's...but when i do a "who is" i get some from outamolgolia and some from my own isp....my point being how do i know a malicious spotty teenager from the so called legitimate internet traffic.....any help would be gratefully accepted


cheers

waterboy

sorry i forgot to add


Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-serv...copyright.html

inetnum: 213.45.124.0 - 213.45.125.255
netname: TIN
descr: Telecom Italia S.p.A.
descr: E@sy.ip service in OSPF Area 12
descr: Wholesale service for ISP
country: IT
admin-c: BS104-RIPE
tech-c: BS104-RIPE
status: ASSIGNED PA
remarks: Please send abuse notification to abuse@telecomitalia.it
notify: net_ti@telecomitalia.it
mnt-by: TIWS-MNT
changed: claudio.ciotola@telecomitalia.it 20001120
changed: net_ti@telecomitalia.it 20011019
source: RIPE

route: 213.45.0.0/16
descr: INTERBUSINESS
origin: AS3269
mnt-by: INTERB-MNT
changed: cgiadmin@cgi.interbusiness.it 20000118
source: RIPE

person: BBBEASYIP STAFF
address: Via Val Cannuta, 250
address: I-00100 Roma
address: Italy
phone: +39 06 36881
e-mail: ripe-staff@telecomitalia.it
nic-hdl: BS104-RIPE
notify: ripe-staff@telecomitalia.it
changed: net_ti@telecomitalia.it 20001019
source: RIPE


thats the bumf i get from the who is i am assuning its come from italy??
can anyone help me in understanding the above

thanks again waterboy

[nebulus200]

Well, ZoneAlarm is pretty bad about reporting/blocking things it shouldn't (like return traffic if you have a very high latency connection, or leave stuff open/connected a long time). There are a few questions you should ask yourself:

1) Was I connected to the supposed attacker at any time for any reason (hard to say, but for example, pop up web adds, you might not realize you went to that site). Look at the source port of the attacker, look at the destination. If on your side (destination port), it is a very high numbered/random port, but on the source side, it is very low (less than 1024, a perfect example being 80), chances are high that it is in all liklihood, legitimate traffic (a response to something you requested). FTP is notorious for looking like an attack when it is really the server just opening up a data channel to send the file back to your client.

2) What port was accessed? 137? 80, 25, 23, ? 31337 ? Is it a known port for a web server or some trojan ? It could be someone just doing a scan, or it could be more, hard to tell if you don't have an IDS.

3) Get something like agnitum outpost that has a built in IDS function that would help you figure this out a little bit better (and IMHO give you more control and information than zonealarm (and hence it is a little harder to setup). There are other firewalls out there that give you the same thing (The one that PGP had was one) and there are probably other programs out there that have IDS functionaility (although not sure how well that would interact with your firewall).

Biggest thing is focus on the port (source and destination) ...

Hope that helps,

/nebulus

[Tiger Shark]

Firstly, you cannot determine whether you are looking at a "malicious spotty teenager" from a whois any more than you can tell a male from a female by looking only at the zit on their cheek....<s>

A whois is useful for determining the ISP and contact information when you have decided that there is something awry with a certain machine or user. It does not tell you that the owner of the machine at 10.1.1.1 is Bill Smith at 123 high street, bigtown, USA, it tells you that the address block that encompasses the IP address in question is owned by XXX company in YYY town USA. Remember also that just because an address block is owned by a company in say Germany, it does not mean that the actual IP address itself is in Germany. It may still be in the USA. That's where you would use a tracert to determine the exact route to the target and, if need be, do a whois against every hop to see where your target most likely is geographically.

The only really useful line for you in that whole mess was the one telling you where to send your abuse complaints to. Remember also that the act of portscanning may not be illegal in Italy, (it is in some countries I believe), so complaining about scans will get you no response. If however you can document, (with logs from your firewall), more nefarious activities by a machine within their netblock you can have the offending IP owner kicked by the ISP by sending that proof to the abuse address.

For the more advanced amongst you - yes, I know that a whois can provide other interesting tidbits to crackers - especially info that might be able to be used for social engineering..... I just didn't want to confuse the issue......

[waterboy]

cheers chaps

i ve just uninstalled zonealarm and installed agnitum outpost seems alot better but a little harder to configure still ill get there in the end......

to all other newbies wondering about firewalls zonealarm is idiot proof which is why i liked it but this agnitum firewall is alot better but a little harder to configure so i recommend starting with zonealarm for a few weeks then when you get used to what it does and how to allow/stop interney activity go on to agnitum...cos i also found zonealarm seemed to slow my internet ..as im only on 56k its slow enough

thanks again chaps for you help in this matter

waterboy

[slarty]

I recommend you read my tutorial on how to identify traffic which isn't an attack.

Here http://www.antionline.com/showthread...hreadid=236583

[bimmer]

++++++++++++++++++++++++++++++++++
waterboy

i ve just uninstalled zonealarm and installed agnitum outpost seems alot better but a little harder to configure still ill get there in the end......
to all other newbies wondering about firewalls zonealarm is idiot proof which is why i liked it but this agnitum firewall is alot better ...... etc. waterboy
++++++++++++++++++++++++++++++++++++

waterboy: Zonealarm is not idiot, but it's hard for newbies to recognize normal traffic from attackes, and u can always check ur blocked traffic in zonealarm.

bimmer