Page 1 of 3 123 LastLast
Results 1 to 10 of 23

Thread: Ethical response to port scanners?

  1. #1
    Senior Member
    Join Date
    Aug 2003
    Posts
    119

    Ethical response to port scanners?

    I haven't had a great deal of trouble from people port scanning me in the past, so it seems odd to me when I have got scanned 28 times in the past 3 days. Some of you will laugh because this seems normal, but it just seems odd that its been in the past few days.

    I'm running Windows XP Pro and using Sygate as my firewall, here is a snippet from the logs:

    03/14/2004 07:04:20 Port Scan Minor Incoming TCP 68.16.128.2 00-50-57-00-EF-5F xxx.xxx.xxx.xxx my mac addy thadbme PEREGRIN Normal 1 03/14/2004 07:04:20 03/14/2004 07:04:20

    These scans are coming in groups of three, and scanning for ports 2745, 1025, 3127, 6129 and 5000. What I mean by groups of three is the at three scans will appear within 10 seconds. So it appears that they are scanning for MyDoom, Beagle, and a few other ports.

    Most of the scans appear to be coming from my home ISP, which is cox, but the excerpt that I gave you is from bellsouth.

    Anyways, my question is whats the ethical thing to do here? Several of the scans came from the same address. I have reported that address to abuse@cox.net. But I got one of those auto reply messages. And I fear its one of those messages where they think I'm paranoid or something.

    I can't continue to mail the abuse address for all of the isp's as that would get out of hand quickly. And I realize that fighting back to some measure wouldn't be correct either. Any ideas? Also any idea why there would be a sudden increase in the past two days?

  2. #2
    I think your best action is to simply ignore it. ISP's generally won't respond because of the extra man power in monitoring that activity, and since your firewall is preventing access to the same ports being asked over and over again, there is little good those scans are accomplishing for anyone.

    Since the time intervals are so large, I don't forsee it even impacting your bandwidth. Be sure to block ICMP pings so that people can't even see that the IP is actually on the internet, which will lessen scans.

    Other than that, simply let it go. No need to worry and fret.

  3. #3
    Senior Member
    Join Date
    Sep 2003
    Posts
    500
    I'm going to follow pooh on this one. Whatever you do, don't try to reply or hack back. That's when they won't just go away.
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-

  4. #4
    Member
    Join Date
    Dec 2002
    Posts
    63
    I would advise (if you have not already) to check your ports and make sure they are properly filtered excluding any public services. Ethicaly about all you can do is double check your own security and just know that the character of the person behind this scan is looking for the easy way in, backdoors left by automated worms.
    $pak = me;

  5. #5
    To configure your ports and make sure there filtered.
    Simpley go to your admin tools/policy editor and filter your ports from within them options.
    If you think that those ports causing trouble then filter those ports asap.
    because they might not be your isp and someone else.
    Even though your firewall is blocking those ports your firewall can be brought down. Yes it is possible.
    Trust me I have broguth down a sygate firewall with a port scanning utility.
    So be advised and very careful that you configure everything accordingly.
    Good luck.
    \"If knowledge is power. Why doesn\'t everybody read?\"

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    119
    I was just kind of curious at why there would be a rise in it all of a sudden. Its almost like I'm being targeted, because Its always scanning for the previously mentioned ports. I'm beginning to wonder if its really someone attacking me, or its a zombie computer that have been infected and is attacking. For all I know they could be scanning the entire subnet, which is some information I was hoping to get from cox, but I really doubt that is going to happen. I already knew the ignore it option. I really wanted to put this out there for the newbie security questions, and was hoping that someone else might be able to explain the why me, why now question, especially since the bugs that its trying to exploit have been out for awile now. And also hoping someone would know of a magic bullet that I could respond with other than the aforementioned. Thanks for the opinions.

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Have you considered reporting it to incidents.org? It might be an indication of an upcoming attack or new vulnerability.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #8
    Senior Member
    Join Date
    Aug 2003
    Posts
    119
    Interesting MsM. I think I'll report it to those folks when I get home. I doubt that its a new incident judging from some of the ports, (2745 = beagle, 3127 = MyDoom) however the rest it could be. I'll see what incidents has to say about it, maybe they can figure something out!

  9. #9
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    I'm going to have to agree with the general sentiment of the replies in that, it's not worth the effort to get your panties in a bunch (like I used to) over port scans/connection attempts. About the only time I hit the panic button is when I start seeing sh*t loads of connection attempts/scans to a certain port like the MS SQL worm and port 1434 (my logs recorded over 60 attempts in less than 20 minutes on my home PC).
    With things like IP spoofing, hijacked computers, proxies, and redirects, there really is no way in telling exactly what or who you're dealing with any absolute certainty (unless you're one lucky bastard). You also don't want to crucify the wrong person for attacking you when they might not even have any idea that their computer is compromised in the first place.
    Honestly, it irritated me to no end that my firewall logs were still getting clogged with ICMP traffic from infected computers long after the alert went out about the Welchia worm to the general public. In any event, what I'm saying is pay attention to your logs but don't go overboard.

    Perfect example - while I was typing this post my firewall logged 11 connection attempts to my DCOM port
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  10. #10
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Originally posted here by thadbme
    I was just kind of curious at why there would be a rise in it all of a sudden. Its almost like I'm being targeted, because Its always scanning for the previously mentioned ports. I'm beginning to wonder if its really someone attacking me, or its a zombie computer that have been infected and is attacking. For all I know they could be scanning the entire subnet, which is some information I was hoping to get from cox, but I really doubt that is going to happen. I already knew the ignore it option. I really wanted to put this out there for the newbie security questions, and was hoping that someone else might be able to explain the why me, why now question, especially since the bugs that its trying to exploit have been out for awile now. And also hoping someone would know of a magic bullet that I could respond with other than the aforementioned. Thanks for the opinions.
    I am on Cox Cable High Speed Internet and get scanned all the time from the same subnet that I am on...(As well as others) Cox occasionally does port scans from their DNS servers as well. I think they are looking for people running webservers. (Which is against their terms of service for residential customers)
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •