PORT SCAN ATTACK & McAfee Visual Trace Crashed
Results 1 to 9 of 9

Thread: PORT SCAN ATTACK & McAfee Visual Trace Crashed

  1. #1

    PORT SCAN ATTACK & McAfee Visual Trace Crashed

    Every day when I am online my McAfee firewall will warn me that there is a Port Scan Attack. The first few times this happened, my McAfee Visual Trace will crash when I clicked trace hacker.

    Later, I managed to use the Visual Trace to trace the hacker. And my McAfee Visual Trace gives me the same results. That means I have been targeted by a hacker because the IP address is the same.

    Registrant:
    Name: Unknown
    IP Address: 209.133.105.22
    Location: Oakland (37.889N, 122.294W)
    Network: Unknown

    Registrant contact information is not available.

    Network:

    Abovenet Communications, Inc NETBLK-ABOVENET-3 (NET-209-133-0-0-1)
    209.133.0.0 - 209.133.127.255
    BAYCIS MFN-B698-209-133-105-0-24 (NET-209-133-105-0-1)
    209.133.105.0 - 209.133.105.255

    ARIN WHOIS database, last updated 2003-10-25 19:15
    Enter ? for additional hints on searching


    Here is my questions:

    1) What should I do with the information given above?
    2) Every time I received this warning, I disconnect my internet connection. Is this the right thing to do?
    3) What shall I do to stop this hacker?
    4) Is there a program used by hacker out there that caused my McAfee Visual Trace to crash when I try to trace him/her/it?
    5) How to know that I have not been hacked?
    6) A scan test done at Sygate shows that some of my ports which were previously hidden are open.




    Thanks for your help.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Firstly, let's clear up a couple of things.....

    1. A portscan is not an attack. There are numerous reasons for portscans but in the field of hacking/cracking a portscan is part of the initial phase or reconnaisance of the entire process.

    2. You do not necessarily have the IP address of the "attacker". If this "attacker" has any sense whatsoever he is using other machines to "proxy" off. What you would most likely have is the last machine in a line of "proxies" he is using to carry out his activities.

    So, to your questions:-

    1. Forget it.... It isn't illegal to portscan.
    2. If you haven't messed with your firewall configuration then it will block all incoming.... so ignore them and carry on with what you are doing.
    3. Keep your firewall in place
    4. No, there wasn't a proper reply from the database so your program was probably just "hanging" while it searched all the other registries.
    5. One could write a whole book on that subject alone. Suffice it to say that if you firewalled an unhacked machine and you haven't messed with the configuration then the chances are very high that you are not hacked.
    6. Then you have been messing with the firewall or turned it off. Which ports?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Quick interjection here regarding:

    6) A scan test done at Sygate shows that some of my ports which were previously hidden are open.
    While Tigershark maybe correct, it also could be that you've installed some OTHER piece of software since your last scan that is opening this port for listening from your machine...

    Which resulsts in the same question though, what port #s ???

    RRP

  4. #4
    Senior Member
    Join Date
    Jul 2003
    Posts
    114
    You really shouldn't be alarmed (for the moment), the only time i got angry at portscans was when i noticed an IP that pscanned me at least 8 time a day (for 1month and 1/2)...

    Download a proggie to see what is running on your box and try to see if u find any thing unusual. You can find a good .exe here.
    Try to figure out if the portscan isn't being done by a website u often visit, by ur irc server (if u use it) - some of them scan the users for miscunfigured proxys and etc...

    If you really want to do something about it, email the abuse handler at the ISP were u tracked the attack with the logs of ur firewall and see if they can at least flame the user (he isn't doing anything illegal but it is anoying ) and see if it's him doing the scans or if he is indeed being used has a zombie to fin more exploitable machines.

  5. #5
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    if it gets to be a pain in ur ass then just set a rule in ur firewall (never used mcafee firewall) and drop the packets and deny data from them. Thats if u know for sure that its only coming through that one IP...but if like Tiger Shark said and they're just goin through a proxy then they will just re-route it and/or find a different proxy and get to u again with a diff. IP. I'll say what the others have already said i dont think u have to worry about anything just block that IP and make sure u have no trojans on ur machine.

  6. #6
    Banned
    Join Date
    Jun 2003
    Posts
    1,536
    With your visual tracer crashing. I would not worry about that, just copy and past the ip in a whois serch of the antionline IP tracer. I personially think that it might be a probles with in that s/w as we are running the same thing. and it has a tendency to work when it feels like it.

    if u feel the need you can report that information that you found.
    Or you could just do what i have done. creates both a spread sheet and a data base, I keep ALL records that have been allerted by eather the fire wall or the intrusion atemption. listing the date the IP the location/other information eg if it was a trogen than what kind... and the country.




    Nightfalls_Girl

  7. #7
    Banned
    Join Date
    Jul 2002
    Posts
    877
    Originally posted here by Nightfalls_Girl
    With your visual tracer crashing. I would not worry about that, just copy and past the ip in a whois serch of the antionline IP tracer.
    This has nothing to really do with the thread at hand but anyways the AO tracer really sucks ass. This is no joke... one time it said that I was in Alaska but im in like the complete opposite end of the country. Another time it said I was in California, another time it said I was in Florida. LMAO

    http://www.samspade.org/t/ would be better.

  8. #8
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    here you go:

    queried with geektools
    Registrant:
    Rotten, Tomatoes (ROTTENTOMATOES-DOM)
    Rotten Tomatoes Hostmaster
    IncFusion Corporation dba Rotten Tomatoes
    2200 Powell Street Suite 1085
    Emeryville, CA 94608
    US
    Domain Name: ROTTENTOMATOES.COM
    Administrative Contact:
    IncFusion Corporation dba Rotten Tomatoes (RT1435-ORG) hostmaster@ROTTENTOMATOES.COM
    2200 Powell Street Suite 1085
    Emeryville, CA 94608
    US
    (510) 595-2940 fax: (510) 595-2946
    Technical Contact:
    Wang, Stephen (SW2914) stephen.wang@ROTTENTOMATOES.COM
    IncFusion Corporation
    2200 POWELL ST STE 1085
    EMERYVILLE, CA 94608-1877
    US
    (510) 595-2940 fax: (510) 595-2946
    Record expires on 14-May-2008.
    Record created on 14-May-1999.
    Database last updated on 5-Nov-2003 11:22:31 EST.
    Domain servers in listed order:
    NS1.ROTTENTOMATOES.COM 209.133.105.22
    NS1.BAYCIS.COM 209.133.107.69
    NS2.ROTTENTOMATOES.COM 209.133.104.201
    let me take a look....
    yepp...seems to be a domain name server using mysql on linux.
    maybe its the one wich is listed as dns used by your host?

  9. #9
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    Wang, Stephen (SW2914) stephen.wang@ROTTENTOMATOES.COM
    haha the guys name is Wang....stephen wang.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •