
Thread: PORT SCAN ATTACK & McAfee Visual Trace Crashed

  1. #1

    Every day when I am online, my McAfee firewall warns me that there is a Port Scan Attack. The first few times this happened, my McAfee Visual Trace would crash when I clicked "trace hacker".

    Later, I managed to use Visual Trace to trace the hacker, and my McAfee Visual Trace gives me the same results each time. That means I have been targeted by a hacker, because the IP address is the same.

    Registrant:
    Name: Unknown
    IP Address: 209.133.105.22
    Location: Oakland (37.889N, 122.294W)
    Network: Unknown

    Registrant contact information is not available.

    Network:

    Abovenet Communications, Inc NETBLK-ABOVENET-3 (NET-209-133-0-0-1)
    209.133.0.0 - 209.133.127.255
    BAYCIS MFN-B698-209-133-105-0-24 (NET-209-133-105-0-1)
    209.133.105.0 - 209.133.105.255

    ARIN WHOIS database, last updated 2003-10-25 19:15
    Enter ? for additional hints on searching


    Here are my questions:

    1) What should I do with the information given above?
    2) Every time I receive this warning, I disconnect my internet connection. Is this the right thing to do?
    3) What shall I do to stop this hacker?
    4) Is there a program used by hacker out there that caused my McAfee Visual Trace to crash when I try to trace him/her/it?
    5) How to know that I have not been hacked?
    6) A scan test done at Sygate shows that some of my ports which were previously hidden are open.

    Thanks for your help.

  2. #2
    AO Ancient: Team Leader
    Firstly, let's clear up a couple of things.....

    1. A portscan is not an attack. There are numerous reasons for portscans, but in the field of hacking/cracking a portscan is part of the initial phase, or reconnaissance, of the entire process.

    2. You do not necessarily have the IP address of the "attacker". If this "attacker" has any sense whatsoever he is using other machines to "proxy" off. What you would most likely have is the last machine in a line of "proxies" he is using to carry out his activities.

    So, to your questions:-

    1. Forget it.... It isn't illegal to portscan.
    2. If you haven't messed with your firewall configuration then it will block all incoming.... so ignore them and carry on with what you are doing.
    3. Keep your firewall in place
    4. No, there wasn't a proper reply from the database so your program was probably just "hanging" while it searched all the other registries.
    5. One could write a whole book on that subject alone. Suffice it to say that if you firewalled an unhacked machine and you haven't messed with the configuration then the chances are very high that you are not hacked.
    6. Then you have been messing with the firewall or turned it off. Which ports?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Quick interjection here regarding:

    6) A scan test done at Sygate shows that some of my ports which were previously hidden are open.
    While Tigershark may be correct, it could also be that you've installed some OTHER piece of software since your last scan that is opening this port for listening on your machine...

    Which results in the same question though: what port #s???

    RRP

  4. #4
    You really shouldn't be alarmed (for the moment); the only time I got angry at portscans was when I noticed an IP that pscanned me at least 8 times a day (for a month and a half)...

    Download a proggie to see what is running on your box and try to see if you find anything unusual. You can find a good .exe here.
    Try to figure out if the portscan isn't being done by a website you often visit, or by your IRC server (if you use one) - some of them scan the users for misconfigured proxies etc...

    If you really want to do something about it, email the abuse handler at the ISP where you tracked the attack, with the logs of your firewall, and see if they can at least flame the user (he isn't doing anything illegal but it is annoying) and see if it's him doing the scans or if he is indeed being used as a zombie to find more exploitable machines.

  5. #5
    deftones12
    If it gets to be a pain in your ass then just set a rule in your firewall (never used McAfee firewall) to drop the packets and deny data from them. That's if you know for sure that it's only coming through that one IP... but if, like Tiger Shark said, they're just going through a proxy then they will just re-route it and/or find a different proxy and get to you again with a different IP. I'll say what the others have already said: I don't think you have to worry about anything, just block that IP and make sure you have no trojans on your machine.

  6. #6
    With your visual tracer crashing, I would not worry about that; just copy and paste the IP into a whois search of the AntiOnline IP tracer. I personally think that it might be a problem within that s/w, as we are running the same thing, and it has a tendency to work when it feels like it.

    If you feel the need, you can report that information that you found.
    Or you could just do what I have done: create both a spreadsheet and a database. I keep ALL records that have been alerted by either the firewall or the intrusion attempt, listing the date, the IP, the location/other information (e.g. if it was a trojan then what kind...) and the country.

    Nightfalls_Girl
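The record-keeping described in #6 (every firewall alert with its date, IP and event type) and the "at least 8 times a day" threshold from #4 can be done with a short script instead of a spreadsheet. The following is an added example and not code from the thread or from McAfee: it parses a constructed, hypothetical alert-line format (McAfee's real log format is not shown on this page) into an in-memory SQLite table and then asks which source triggered at least N port-scan alerts on a single day. The sample log lines are constructed; only the 209.133.105.22 address comes from the thread.

```python
import re
import sqlite3

# Constructed sample of personal-firewall alert lines. The line format is
# hypothetical (not McAfee's real log format):
#   "<date> <time> <event> src=<ip> dport=<port>"
SAMPLE_LOG = """\
2003-10-25 08:12:03 PortScan src=209.133.105.22 dport=1025
2003-10-25 08:12:03 PortScan src=209.133.105.22 dport=1026
2003-10-25 08:12:04 PortScan src=209.133.105.22 dport=1027
2003-10-25 11:40:17 PortScan src=209.133.105.22 dport=1030
2003-10-25 11:40:17 PortScan src=209.133.105.22 dport=1031
2003-10-25 14:02:55 PortScan src=209.133.105.22 dport=1033
2003-10-25 14:02:56 PortScan src=209.133.105.22 dport=1034
2003-10-25 19:21:09 PortScan src=209.133.105.22 dport=1040
2003-10-25 19:21:10 PortScan src=209.133.105.22 dport=1041
2003-10-25 21:05:00 PortScan src=198.51.100.7 dport=135
2003-10-26 09:00:12 PortScan src=209.133.105.22 dport=1050
2003-10-26 09:00:13 PortScan src=209.133.105.22 dport=1051
2003-10-26 10:15:44 TrojanSignature src=198.51.100.7 dport=27374
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<event>\w+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) dport=(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        events.append(rec)
    return events


def load_into_db(events, conn):
    """Store parsed events in a simple alerts table (date, time, event, src, dport)."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS alerts "
        "(day TEXT, time TEXT, event TEXT, src TEXT, dport INTEGER)"
    )
    conn.executemany(
        "INSERT INTO alerts VALUES (:date, :time, :event, :src, :dport)", events
    )
    conn.commit()


def repeat_scanners(conn, per_day_threshold=8):
    """Return (src, day, count) for sources that triggered at least
    per_day_threshold PortScan alerts on one calendar day, busiest first."""
    return conn.execute(
        """
        SELECT src, day, COUNT(*) AS n FROM alerts
        WHERE event = 'PortScan'
        GROUP BY src, day HAVING n >= ?
        ORDER BY n DESC, day ASC
        """,
        (per_day_threshold,),
    ).fetchall()


def per_source_totals(conn):
    """Return (src, total_alert_count) over all event types, busiest first."""
    return conn.execute(
        "SELECT src, COUNT(*) AS n FROM alerts GROUP BY src ORDER BY n DESC"
    ).fetchall()


def summarize(text, per_day_threshold=8):
    """Parse a log text and return the repeat-scanner rows for that threshold."""
    conn = sqlite3.connect(":memory:")
    load_into_db(parse_alerts(text), conn)
    return repeat_scanners(conn, per_day_threshold)


if __name__ == "__main__":
    for src, day, n in summarize(SAMPLE_LOG, per_day_threshold=8):
        print(f"{src} sent {n} port-scan alerts on {day}")
```

Keeping the raw lines in a table rather than a spreadsheet makes the "same IP every day" claim in #1 a query rather than an impression, and the same table is what you would attach when emailing the abuse contact mentioned in #4.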

  7. #7
    Originally posted here by Nightfalls_Girl
    With your visual tracer crashing, I would not worry about that; just copy and paste the IP into a whois search of the AntiOnline IP tracer.
    This has nothing to really do with the thread at hand, but anyway, the AO tracer really sucks ass. This is no joke... one time it said that I was in Alaska but I'm at like the complete opposite end of the country. Another time it said I was in California, another time it said I was in Florida. LMAO

    http://www.samspade.org/t/ would be better.

  8. #8
    here you go:

    queried with geektools
    Registrant:
    Rotten, Tomatoes (ROTTENTOMATOES-DOM)
    Rotten Tomatoes Hostmaster
    IncFusion Corporation dba Rotten Tomatoes
    2200 Powell Street Suite 1085
    Emeryville, CA 94608
    US
    Domain Name: ROTTENTOMATOES.COM
    Administrative Contact:
    IncFusion Corporation dba Rotten Tomatoes (RT1435-ORG) hostmaster@ROTTENTOMATOES.COM
    2200 Powell Street Suite 1085
    Emeryville, CA 94608
    US
    (510) 595-2940 fax: (510) 595-2946
    Technical Contact:
    Wang, Stephen (SW2914) stephen.wang@ROTTENTOMATOES.COM
    IncFusion Corporation
    2200 POWELL ST STE 1085
    EMERYVILLE, CA 94608-1877
    US
    (510) 595-2940 fax: (510) 595-2946
    Record expires on 14-May-2008.
    Record created on 14-May-1999.
    Database last updated on 5-Nov-2003 11:22:31 EST.
    Domain servers in listed order:
    NS1.ROTTENTOMATOES.COM 209.133.105.22
    NS1.BAYCIS.COM 209.133.107.69
    NS2.ROTTENTOMATOES.COM 209.133.104.201
    let me take a look....
    yep... seems to be a domain name server using MySQL on Linux.
    maybe it's the one which is listed as the DNS used by your host?
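The whois output in this post and in #1 gives two things worth checking before calling the address a hacker: the ARIN netblocks the address falls in, and the fact that 209.133.105.22 is NS1.ROTTENTOMATOES.COM, a name server. If that server is also the resolver your machine is configured to use, its UDP replies from port 53 back to your client ports are a common reason a personal firewall reports a "port scan". The script below is an added example, not code from the thread: it parses the ARIN netblock lines exactly as posted above, reads a constructed resolv.conf-style resolver list (hypothetical; a real check would read your own DNS settings), and labels a reported source address as your own resolver, a member of a known netblock, or unknown.

```python
import ipaddress
import re

# ARIN netblock lines as posted in the thread (copied from the whois output).
ARIN_TEXT = """\
Abovenet Communications, Inc NETBLK-ABOVENET-3 (NET-209-133-0-0-1)
209.133.0.0 - 209.133.127.255
BAYCIS MFN-B698-209-133-105-0-24 (NET-209-133-105-0-1)
209.133.105.0 - 209.133.105.255
"""

# Constructed resolver configuration (hypothetical sample, not from the thread).
RESOLV_CONF = """\
# constructed sample of a dialup client's resolver list
nameserver 209.133.105.22
nameserver 209.133.104.201
"""

RANGE_RE = re.compile(
    r"^(?P<start>\d{1,3}(?:\.\d{1,3}){3}) - (?P<end>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_arin_netblocks(text):
    """Turn ARIN-style 'name' / 'start - end' line pairs into (name, network) entries.

    A start-end range that is not a clean CIDR block is split into the minimal
    list of CIDR networks by ipaddress.summarize_address_range."""
    blocks = []
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RANGE_RE.match(line)
        if m and name is not None:
            start = ipaddress.ip_address(m["start"])
            end = ipaddress.ip_address(m["end"])
            for net in ipaddress.summarize_address_range(start, end):
                blocks.append((name, net))
            name = None
        else:
            name = line  # the descriptive line that precedes a range
    return blocks


def parse_resolv_conf(text):
    """Collect the 'nameserver' addresses from resolv.conf-style text, ignoring comments."""
    resolvers = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            resolvers.add(ipaddress.ip_address(parts[1]))
    return resolvers


def most_specific_netblock(ip, blocks):
    """Return the (name, network) with the longest prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in blocks:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best


def classify_source(ip, resolvers, blocks):
    """Label a reported 'port scan' source address."""
    addr = ipaddress.ip_address(ip)
    if addr in resolvers:
        return "own-dns-resolver"
    best = most_specific_netblock(addr, blocks)
    if best is not None:
        return "netblock:" + best[0]
    return "unknown"


if __name__ == "__main__":
    blocks = parse_arin_netblocks(ARIN_TEXT)
    resolvers = parse_resolv_conf(RESOLV_CONF)
    for candidate in ("209.133.105.22", "209.133.50.1", "198.51.100.7"):
        print(candidate, "->", classify_source(candidate, resolvers, blocks))
```

Under the constructed resolver list, 209.133.105.22 is labelled as your own DNS resolver rather than a hacker; if your real resolver settings do not list it, the label falls back to the BAYCIS /24 from the ARIN output, which is what you would quote when writing to the abuse contact.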

  9. #9
    deftones12
    Wang, Stephen (SW2914) stephen.wang@ROTTENTOMATOES.COM
    haha the guy's name is Wang... Stephen Wang.
