This is kind of interesting...

  1. #1
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066

    This is kind of interesting...

    Well, my friend gave me this link. I'm sure you've all heard of it, phazeddl.com... Well he wanted me to check something out, so I did. Well, I'm against that sort of thing, but needless to say, my friend is not. But that's besides the point...

    So I'm like, ok this is retarded and I exit the site, only to have like 3 port scans seconds later. I wasn't surprised ...


    Somebody is scanning your computer.
    Your computer's UDP ports:
    33458, 33459, 33460, and 33462 have been scanned from 170.224.176.49..
    Right off the bat, I know this is not a normal port scan because of the high port numbers they're scanning for, but big deal right? We get tons of these a day...

    Well... I decided to trace it...

    OrgName: Sequent Computer Systems, Incorporated
    OrgID: SCS-65
    Address: 1000 River Street
    City: Essex Junction
    StateProv: VT
    PostalCode: 05452
    Country: US

    NetRange: 170.224.0.0 - 170.227.255.255
    CIDR: 170.224.0.0/14
    NetName: SEQUENT-B
    NetHandle: NET-170-224-0-0-1
    Parent: NET-170-0-0-0-0
    NetType: Direct Assignment
    NameServer: NS1.RALEIGH.USF.IBM.COM
    NameServer: NS2.RALEIGH.USF.IBM.COM
    Comment:
    RegDate: 1995-04-21
    Updated: 2001-04-06

    TechHandle: ZI22-ARIN
    TechName: IBM Corporation
    TechPhone: +1-999-999-9999
    TechEmail: noc@ibm.com

    # ARIN WHOIS database, last updated 2005-03-21 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database
    Alright, ISP I guess... But this is not what catches my eye... I do a whois on the hop above this and get:

    OrgName: BellSouth.net Inc.
    OrgID: BELL
    Address: 575 Morosgo Drive
    City: Atlanta
    StateProv: GA
    PostalCode: 30324
    Country: US

    ReferralServer: rwhois://rwhois.eng.bellsouth.net:4321

    NetRange: 65.80.0.0 - 65.83.255.255
    CIDR: 65.80.0.0/14
    NetName: BELLSNET-BLK9
    NetHandle: NET-65-80-0-0-1
    Parent: NET-65-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS.BELLSOUTH.NET
    NameServer: NS.ATL.BELLSOUTH.NET
    Comment:
    Comment: For Abuse Issues, email abuse@bellsouth.net. NO ATTACHMENTS. Include IP
    Comment: address, time/date, message header, and attack logs.
    Comment: For Subpoena Request, email ipoperations@bellsouth.net with "SUBPOENA" in
    Comment: the subject line. Law Enforcement Agencies ONLY, please.
    RegDate: 2000-11-28
    Updated: 2003-05-05

    AbuseHandle: ABUSE81-ARIN
    AbuseName: Abuse Group
    AbusePhone: +1-404-499-5224
    AbuseEmail: abuse@bellsouth.net

    TechHandle: JG726-ARIN
    TechName: Geurin, Joe
    TechPhone: +1-404-499-5240
    TechEmail: ipoperations@bellsouth.net

    OrgAbuseHandle: ABUSE81-ARIN
    OrgAbuseName: Abuse Group
    OrgAbusePhone: +1-404-499-5224
    OrgAbuseEmail: abuse@bellsouth.net

    OrgTechHandle: JG726-ARIN
    OrgTechName: Geurin, Joe
    OrgTechPhone: +1-404-499-5240
    OrgTechEmail: ipoperations@bellsouth.net

    # ARIN WHOIS database, last updated 2005-03-21 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    If you guys haven't noticed yet I'll point it out to ya...

    Comment: For Abuse Issues, email abuse@bellsouth.net. NO ATTACHMENTS. Include IP
    Comment: address, time/date, message header, and attack logs.
    Comment: For Subpoena Request, email ipoperations@bellsouth.net with "SUBPOENA" in
    Comment: the subject line. Law Enforcement Agencies ONLY, please.
    I'm guessing by this that somehow they are now watching me? Or trying to anyway? I find this pretty interesting, and something I for one haven't noticed before on any other whois I have done before...

    Just thought it might turn into a discussion, it's been pretty dead around here lately ...
    I am the uber duck!!1
    Proxy Tools
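    The two whois records above are plain "Key: value" text, so the fields worth keeping for an abuse report (the allocation, its range, and the abuse contact) can be pulled out mechanically. The following Python is an added example written for this thread, not code from the original post or from ARIN; the record it parses is a constructed sample using documentation addresses, and the field names are the ones that appear in the whois output above.

```python
import ipaddress
import re

# Constructed sample ARIN-style record (not the thread's real output), trimmed
# to the kinds of fields the parser cares about.
SAMPLE_WHOIS = """\
OrgName: Example Net Inc.
OrgID: EXNET
NetRange: 192.0.2.0 - 192.0.2.255
CIDR: 192.0.2.0/24
NetName: EXAMPLE-BLK1
Comment:
Comment: For Abuse Issues, email abuse@example.net. NO ATTACHMENTS.
AbuseEmail: abuse@example.net
TechEmail: noc@example.net
# ARIN WHOIS database, last updated 2005-03-21 19:10
"""

FIELD_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")
# Stops before a trailing period, so "abuse@example.net." yields the bare address.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict.

    Comment lines ('#') and empty values are skipped; repeated keys such as
    Comment are joined with a space so the free text survives whole.
    """
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if not value:
            continue
        record[key] = (record[key] + " " + value) if key in record else value
    return record


def ip_in_range(ip, record):
    """True if `ip` falls inside the record's NetRange (or CIDR as a fallback)."""
    addr = ipaddress.ip_address(ip)
    if "NetRange" in record:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in record["NetRange"].split("-"))
        return lo <= addr <= hi
    if "CIDR" in record:
        return any(addr in ipaddress.ip_network(c.strip()) for c in record["CIDR"].split(","))
    return False


def abuse_contact(record):
    """Prefer the structured AbuseEmail field; otherwise look for an address in Comment text."""
    if record.get("AbuseEmail"):
        return record["AbuseEmail"]
    m = EMAIL_RE.search(record.get("Comment", ""))
    return m.group(0) if m else None


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(rec["OrgName"], rec["NetRange"], abuse_contact(rec))
    print("192.0.2.77 in range:", ip_in_range("192.0.2.77", rec))
```

    The range check matters because the address you were alerted on (the scanner) and the hop above it can sit in different allocations, as the two records in the post show; confirming the IP is actually inside the NetRange before mailing the abuse contact avoids reporting to the wrong network.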

  2. #2
    Senior Member
    Join Date
    Mar 2005
    Posts
    400

    I didn't go to the link but...

    sometimes you notice this kind of behaviour often, as the port scans weren't really evil port scans per se....
    It could simply be the website's valid packets still trying to communicate or complete communication, finding no one home (listening), then trying a few successive ports until ending the connection.
    OR
    It could be the FBI and CIA have sniffed you out, locked on target and are secretly watching you thru your webcam (you thought was broke). Better grab some clothes, luggage and get out now while you can, Oh...by the way....after you've left...can I have your computer??
    ZT3000
    Beta tester of "0"s and "1"s"

  3. #3
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066
    But why would they try to connect to such odd ports?

    It could be the FBI and CIA have sniffed you out, locked on target and are secretly watching you thru your webcam (you thought was broke). Better grab some clothes, luggage and get out now while you can, Oh...by the way....after you've left...can I have your computer??
    My thoughts exactly
    I am the uber duck!!1
    Proxy Tools

  4. #4
    Senior Member
    Join Date
    Mar 2005
    Posts
    400

    They are not odd ports if:

    You have a few programs (or more) running lots of open ports (it doesn't have to be an internet browser either); your operating system simply creates numerically higher port numbers (starting at 1026) to be opened when requested/needed. Example: tabbed browsing opens one port per tab, at least. (Lame example I know, hey.. it's late.)

    So your browser sends out an HTTP request from port 33,458 to port 80 on the web server, which replies back to your port 33,458.

    OR

    If you have a particular program on ports 33,458-33,462, typically a "I'm spying on you" range.

    J/K

    (Edit: BTW, I scanned that IP you listed for quite some time, but no one scanned back on any port, ...shrugs...)
    ZT3000
    Beta tester of "0"s and "1"s"

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi,

    I don't think the BellSouth links are bad news.............the "abuse" one is common for ISPs, it is where you report an incident.

    The second link is for law enforcement agencies who have obtained a subpoena to request information............having agents physically moving around and talking to your staff is a waste of time for both parties?

    Cheers

  6. #6
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066
    Well, as of now, the site is down...

    Aaaaah, I see nihil, I just have never noticed "subpoena" request info in a whois before.

    zt3000, you are assuming a lot of things. Like the fact that I have programs listening on those ports, which I don't. And if my browser was sending SYN packets and the site was only replying to those SYN packets, my firewall wouldn't have picked it up as a port scan...

    I scanned that IP you listed for quite some time, but no one scanned back on any port
    I doubt a human is doing the scanning, it's most likely an automated process... They're easy to make... Especially in python...

    I'm not worried about the port scans, it's only natural that I get scanned to see if I am infected with anything after visiting those types of sites, but what really caught my eye was the subpoena request info in the whois... But nihil straightened it out ...
    I am the uber duck!!1
    Proxy Tools
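    The disagreement between #4 and #6 comes down to firewall state: an inbound packet to a high ephemeral port is only "a reply" if the host sent something out from that port first, and a stateful filter only flags packets with no matching outbound flow. The following Python replays a small flow log through exactly that logic and then groups the leftovers into sweeps. It is an added example written for this thread, not code from any poster or from a real firewall; the log lines, the 10.0.0.5 local host, the timeout and the sweep thresholds are all constructed assumptions.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts direction proto src dst sport dport")

# Constructed sample flow log (hypothetical, not the thread's firewall output).
# ts is seconds; 10.0.0.5 is the local host.
FLOWS = [
    Packet(100, "out", "tcp", "10.0.0.5",     "203.0.113.10", 33458, 80),    # browser -> web server
    Packet(101, "in",  "tcp", "203.0.113.10", "10.0.0.5",     80,    33458), # server reply: solicited
    Packet(130, "in",  "udp", "203.0.113.10", "10.0.0.5",     53,    33458), # no outbound UDP state
    Packet(131, "in",  "udp", "203.0.113.10", "10.0.0.5",     53,    33459),
    Packet(132, "in",  "udp", "203.0.113.10", "10.0.0.5",     53,    33460),
    Packet(133, "in",  "udp", "203.0.113.10", "10.0.0.5",     53,    33462),
    Packet(140, "out", "udp", "10.0.0.5",     "198.51.100.7", 40000, 53),    # DNS query
    Packet(141, "in",  "udp", "198.51.100.7", "10.0.0.5",     53,    40000), # DNS answer: solicited
]

STATE_TIMEOUT = 30  # seconds an outbound flow stays "open" in the state table (assumed)


def find_unsolicited(flows, timeout=STATE_TIMEOUT):
    """Replay the log through a minimal stateful filter.

    An outbound packet creates state keyed on its 5-tuple. An inbound packet is
    solicited only if the mirrored 5-tuple exists and is younger than `timeout`;
    every other inbound packet is returned as unsolicited.
    """
    state = {}
    unsolicited = []
    for p in flows:
        if p.direction == "out":
            state[(p.proto, p.src, p.sport, p.dst, p.dport)] = p.ts
            continue
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        seen = state.get(key)
        if seen is not None and p.ts - seen <= timeout:
            state[key] = p.ts  # refresh the entry, as a real state table would
        else:
            unsolicited.append(p)
    return unsolicited


def sweeps(packets, min_ports=3, window=10):
    """Map source IP -> sorted local ports for sources that hit at least
    `min_ports` distinct local ports within `window` seconds."""
    by_src = {}
    for p in packets:
        by_src.setdefault(p.src, []).append(p)
    result = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda q: q.ts)
        for i, first in enumerate(pkts):
            ports = {q.dport for q in pkts[i:] if q.ts - first.ts <= window}
            if len(ports) >= min_ports:
                result[src] = sorted(ports)
                break
    return result


if __name__ == "__main__":
    leftovers = find_unsolicited(FLOWS)
    for p in leftovers:
        print(f"unsolicited {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} at t={p.ts}")
    print("sweeps:", sweeps(leftovers))
```

    The TCP reply on port 33458 and the DNS answer on port 40000 are never reported, which is #6's point. The four UDP packets are reported because no outbound UDP flow ever used those ports, which is also why #2's "late packets from the website" theory depends on the timeout: a reply arriving after the state entry has expired is indistinguishable from a probe to a stateful filter, and UDP has no handshake to settle it.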

  7. #7
    I'd lose the webcam if I were you

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I'd lose the webcam if I were you
    Instead of losing the webcam... just point it at a picture of goatse or tubgirl.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
