This is kind of interesting...

Printable View

March 22nd, 2005, 05:18 AM
The Duck

This is kind of interesting...

Well, my friend gave me this link. I'm sure you've all heard of it, phazeddl.com... Well he wanted me to check something out, so I did. Well, I'm against that sort of thing, but needless to say, my friend is not. But that's besides the point...

So I'm like, ok this is retarted and I exit the site, only to have like 3 port scans seconds later. I'm wasn't surprised :rolleyes:...

Quote:

Somebody is scanning your computer.
Your computer's UDP ports:
33458, 33459, 33460, and 33462 have been scanned from 170.224.176.49..

Right off the bat, I know this is not a normal port scan because of the high port numbers they're scanning for, but big deal right? We get tons of these a day...

Well... I decided to trace it...

Quote:

OrgName: Sequent Computer Systems, Incorporated
OrgID: SCS-65
Address: 1000 River Street
City: Essex Junction
StateProv: VT
PostalCode: 05452
Country: US

NetRange: 170.224.0.0 - 170.227.255.255
CIDR: 170.224.0.0/14
NetName: SEQUENT-B
NetHandle: NET-170-224-0-0-1
Parent: NET-170-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.RALEIGH.USF.IBM.COM
NameServer: NS2.RALEIGH.USF.IBM.COM
Comment:
RegDate: 1995-04-21
Updated: 2001-04-06

TechHandle: ZI22-ARIN
TechName: IBM Corporation
TechPhone: +1-999-999-9999
TechEmail: [email protected]

# ARIN WHOIS database, last updated 2005-03-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database

Alright, ISP I guess... But this is not what catches my eye... I do a whois on the hop above this and get:

Quote:

OrgName: BellSouth.net Inc.
OrgID: BELL
Address: 575 Morosgo Drive
City: Atlanta
StateProv: GA
PostalCode: 30324
Country: US

ReferralServer: rwhois://rwhois.eng.bellsouth.net:4321

NetRange: 65.80.0.0 - 65.83.255.255
CIDR: 65.80.0.0/14
NetName: BELLSNET-BLK9
NetHandle: NET-65-80-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
NameServer: NS.BELLSOUTH.NET
NameServer: NS.ATL.BELLSOUTH.NET
Comment:
Comment: For Abuse Issues, email [email protected]. NO ATTACHMENTS. Include IP
Comment: address, time/date, message header, and attack logs.
Comment: For Subpoena Request, email [email protected] with "SUBPOENA" in
Comment: the subject line. Law Enforcement Agencies ONLY, please.
RegDate: 2000-11-28
Updated: 2003-05-05

AbuseHandle: ABUSE81-ARIN
AbuseName: Abuse Group
AbusePhone: +1-404-499-5224
AbuseEmail: [email protected]

TechHandle: JG726-ARIN
TechName: Geurin, Joe
TechPhone: +1-404-499-5240
TechEmail: [email protected]

OrgAbuseHandle: ABUSE81-ARIN
OrgAbuseName: Abuse Group
OrgAbusePhone: +1-404-499-5224
OrgAbuseEmail: [email protected]

OrgTechHandle: JG726-ARIN
OrgTechName: Geurin, Joe
OrgTechPhone: +1-404-499-5240
OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2005-03-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

If you guys havn't noticed yet I'll point it out to ya...

Quote:

Comment: For Abuse Issues, email [email protected]. NO ATTACHMENTS. Include IP
Comment: address, time/date, message header, and attack logs.
Comment: For Subpoena Request, email [email protected] with "SUBPOENA" in
Comment: the subject line. Law Enforcement Agencies ONLY, please.

I'm guessing by this that somehow they are now watching me now? Or trying to anyway? I find this pretty interesting, and something I for one havn't noticed before on any other whois I have done before...

Just thought It might turn into a discussion, it's been pretty dead around here latly ;)...
March 22nd, 2005, 05:32 AM
ZT3000

I didn't go to the link but...

sometimes you notice this kind of behaviour often, as the port scans weren't really evil port scans per se....
It could simply be the website's valid packets still trying to communicate or complete communication, finding no one home (listening), then trying a few successive ports until ending the connection.
OR
It could be the FBI and CIA have sniffed you out, locked on target and are secretly watching you thru your webcam (you thought was broke). Better grab some clothes, luggage and get out now while you can, Oh...by the way....after you've left...can I have your computer??
:p
March 22nd, 2005, 05:39 AM
The Duck

But why would they try to connect to such odd ports?

Quote:

It could be the FBI and CIA have sniffed you out, locked on target and are secretly watching you thru your webcam (you thought was broke). Better grab some clothes, luggage and get out now while you can, Oh...by the way....after you've left...can I have your computer??

My thoughts exactly :p
March 22nd, 2005, 06:28 AM
ZT3000

They are not odd ports if:

You have a few programs (or more) running lots of open ports (doesn't have to be internet browser either), your operating system simply creates numerically higher port numbers (starting at 1026) to be open when requested/needed, example: tabbed browsing opens one port per tab, at least. (lame example I know, hey..it's late.)

So your browser sends out a http: request from port 33,458 to port 80 on the webserver which replies back to your port 33,458.

OR

If you have a particular program on ports 33,458-33,462, typically a "I'm spying on you" range. :D

J/K

(Edit: BTW, I scanned that IP you listed for quite some time, but no one scanned back on any port, ...shrugs...)
March 22nd, 2005, 01:22 PM
nihil

Hi,

I don't think the BellSouth links are bad news.............the "abuse" one is common for ISPs, it is where you report an incident.

The second link is for law enforcement agencies who have obtained a subpoena to request information............having agents physically moving around and talking to your staff is a waste of time for both parties?

Cheers
March 22nd, 2005, 01:36 PM
The Duck

Well, as of now, the site is down...

Aaaaah, I see nihil, I just have never noticed "subpoena" request info in a whois before.

zt3000, you are assuming a lot of things. Like the fact that I have programs listening on those ports, which I don't. And if my browser was sending SYN packets and the site was only replying to those SYN packets, my firewall wouldn't have picked it up as a port scan...

Quote:

I scanned that IP you listed for quite some time, but no one scanned back on any port

I doubt a human is doing the scanning, it's most likely an automated process... They're easy to make... Especially in python...

I'm not worried about the port scans, it's only natural that I get scanned to see if I am infected with anything after visiting those types of sites, but what really caught my eye was the subpoena request info in the whois... But nihil straightened it out :)...
March 22nd, 2005, 05:33 PM
michael737n

Ide loose the web cam if i were u
March 22nd, 2005, 05:51 PM
phishphreek

Quote:

Ide loose the web cam if i were u

Instead of loosing the webcam... just point it at a picture of goatse or tubgirl. ;)