This is kind of interesting...

[The Duck]

Well, my friend gave me this link. I'm sure you've all heard of it, phazeddl.com... Well he wanted me to check something out, so I did. Well, I'm against that sort of thing, but needless to say, my friend is not. But that's besides the point...

So I'm like, ok this is retarted and I exit the site, only to have like 3 port scans seconds later. I'm wasn't surprised ...

Somebody is scanning your computer.
Your computer's UDP ports:
33458, 33459, 33460, and 33462 have been scanned from 170.224.176.49..

Right off the bat, I know this is not a normal port scan because of the high port numbers they're scanning for, but big deal right? We get tons of these a day...

Well... I decided to trace it...

OrgName: Sequent Computer Systems, Incorporated
OrgID: SCS-65
Address: 1000 River Street
City: Essex Junction
StateProv: VT
PostalCode: 05452
Country: US

NetRange: 170.224.0.0 - 170.227.255.255
CIDR: 170.224.0.0/14
NetName: SEQUENT-B
NetHandle: NET-170-224-0-0-1
Parent: NET-170-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.RALEIGH.USF.IBM.COM
NameServer: NS2.RALEIGH.USF.IBM.COM
Comment:
RegDate: 1995-04-21
Updated: 2001-04-06

TechHandle: ZI22-ARIN
TechName: IBM Corporation
TechPhone: +1-999-999-9999
TechEmail: noc@ibm.com

# ARIN WHOIS database, last updated 2005-03-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database

Alright, ISP I guess... But this is not what catches my eye... I do a whois on the hop above this and get:

OrgName: BellSouth.net Inc.
OrgID: BELL
Address: 575 Morosgo Drive
City: Atlanta
StateProv: GA
PostalCode: 30324
Country: US

ReferralServer: rwhois://rwhois.eng.bellsouth.net:4321

NetRange: 65.80.0.0 - 65.83.255.255
CIDR: 65.80.0.0/14
NetName: BELLSNET-BLK9
NetHandle: NET-65-80-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
NameServer: NS.BELLSOUTH.NET
NameServer: NS.ATL.BELLSOUTH.NET
Comment:
Comment: For Abuse Issues, email abuse@bellsouth.net. NO ATTACHMENTS. Include IP
Comment: address, time/date, message header, and attack logs.
Comment: For Subpoena Request, email ipoperations@bellsouth.net with "SUBPOENA" in
Comment: the subject line. Law Enforcement Agencies ONLY, please.
RegDate: 2000-11-28
Updated: 2003-05-05

AbuseHandle: ABUSE81-ARIN
AbuseName: Abuse Group
AbusePhone: +1-404-499-5224
AbuseEmail: abuse@bellsouth.net

TechHandle: JG726-ARIN
TechName: Geurin, Joe
TechPhone: +1-404-499-5240
TechEmail: ipoperations@bellsouth.net

OrgAbuseHandle: ABUSE81-ARIN
OrgAbuseName: Abuse Group
OrgAbusePhone: +1-404-499-5224
OrgAbuseEmail: abuse@bellsouth.net

OrgTechHandle: JG726-ARIN
OrgTechName: Geurin, Joe
OrgTechPhone: +1-404-499-5240
OrgTechEmail: ipoperations@bellsouth.net

# ARIN WHOIS database, last updated 2005-03-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

If you guys havn't noticed yet I'll point it out to ya...

Comment: For Abuse Issues, email abuse@bellsouth.net. NO ATTACHMENTS. Include IP
Comment: address, time/date, message header, and attack logs.
Comment: For Subpoena Request, email ipoperations@bellsouth.net with "SUBPOENA" in
Comment: the subject line. Law Enforcement Agencies ONLY, please.

I'm guessing by this that somehow they are now watching me now? Or trying to anyway? I find this pretty interesting, and something I for one havn't noticed before on any other whois I have done before...

Just thought It might turn into a discussion, it's been pretty dead around here latly ...

[ZT3000]

I didn't go to the link but...

sometimes you notice this kind of behaviour often, as the port scans weren't really evil port scans per se....
It could simply be the website's valid packets still trying to communicate or complete communication, finding no one home (listening), then trying a few successive ports until ending the connection.
OR
It could be the FBI and CIA have sniffed you out, locked on target and are secretly watching you thru your webcam (you thought was broke). Better grab some clothes, luggage and get out now while you can, Oh...by the way....after you've left...can I have your computer??

[The Duck]

But why would they try to connect to such odd ports?

It could be the FBI and CIA have sniffed you out, locked on target and are secretly watching you thru your webcam (you thought was broke). Better grab some clothes, luggage and get out now while you can, Oh...by the way....after you've left...can I have your computer??

My thoughts exactly

[ZT3000]

They are not odd ports if:

You have a few programs (or more) running lots of open ports (doesn't have to be internet browser either), your operating system simply creates numerically higher port numbers (starting at 1026) to be open when requested/needed, example: tabbed browsing opens one port per tab, at least. (lame example I know, hey..it's late.)

So your browser sends out a http: request from port 33,458 to port 80 on the webserver which replies back to your port 33,458.

OR

If you have a particular program on ports 33,458-33,462, typically a "I'm spying on you" range.

J/K

(Edit: BTW, I scanned that IP you listed for quite some time, but no one scanned back on any port, ...shrugs...)

[nihil]

Hi,

I don't think the BellSouth links are bad news.............the "abuse" one is common for ISPs, it is where you report an incident.

The second link is for law enforcement agencies who have obtained a subpoena to request information............having agents physically moving around and talking to your staff is a waste of time for both parties?

Cheers

[The Duck]

Well, as of now, the site is down...

Aaaaah, I see nihil, I just have never noticed "subpoena" request info in a whois before.

zt3000, you are assuming a lot of things. Like the fact that I have programs listening on those ports, which I don't. And if my browser was sending SYN packets and the site was only replying to those SYN packets, my firewall wouldn't have picked it up as a port scan...

I scanned that IP you listed for quite some time, but no one scanned back on any port

I doubt a human is doing the scanning, it's most likely an automated process... They're easy to make... Especially in python...

I'm not worried about the port scans, it's only natural that I get scanned to see if I am infected with anything after visiting those types of sites, but what really caught my eye was the subpoena request info in the whois... But nihil straightened it out ...

[michael737n]

Ide loose the web cam if i were u

[phishphreek]

Ide loose the web cam if i were u

Instead of loosing the webcam... just point it at a picture of goatse or tubgirl.