Ethical response to port scanners?

I haven't had a great deal of trouble from people port scanning me in the past, so it seems odd to me when I have got scanned 28 times in the past 3 days. Some of you will laugh because this seems normal, but it just seems odd that its been in the past few days.

I'm running Windows XP Pro and using Sygate as my firewall, here is a snippet from the logs:

03/14/2004 07:04:20 Port Scan Minor Incoming TCP 68.16.128.2 00-50-57-00-EF-5F xxx.xxx.xxx.xxx my mac addy thadbme PEREGRIN Normal 1 03/14/2004 07:04:20 03/14/2004 07:04:20

These scans are coming in groups of three, and scanning for ports 2745, 1025, 3127, 6129 and 5000. What I mean by groups of three is the at three scans will appear within 10 seconds. So it appears that they are scanning for MyDoom, Beagle, and a few other ports.

Most of the scans appear to be coming from my home ISP, which is cox, but the excerpt that I gave you is from bellsouth.

Anyways, my question is whats the ethical thing to do here? Several of the scans came from the same address. I have reported that address to [email protected]. But I got one of those auto reply messages. And I fear its one of those messages where they think I'm paranoid or something.

I can't continue to mail the abuse address for all of the isp's as that would get out of hand quickly. And I realize that fighting back to some measure wouldn't be correct either. Any ideas? Also any idea why there would be a sudden increase in the past two days?

I think your best action is to simply ignore it. ISP's generally won't respond because of the extra man power in monitoring that activity, and since your firewall is preventing access to the same ports being asked over and over again, there is little good those scans are accomplishing for anyone.

Since the time intervals are so large, I don't forsee it even impacting your bandwidth. Be sure to block ICMP pings so that people can't even see that the IP is actually on the internet, which will lessen scans.

Other than that, simply let it go. No need to worry and fret.

I'm going to follow pooh on this one. Whatever you do, don't try to reply or hack back. That's when they won't just go away.

I would advise (if you have not already) to check your ports and make sure they are properly filtered excluding any public services. Ethicaly about all you can do is double check your own security and just know that the character of the person behind this scan is looking for the easy way in, backdoors left by automated worms.

To configure your ports and make sure there filtered.
Simpley go to your admin tools/policy editor and filter your ports from within them options.
If you think that those ports causing trouble then filter those ports asap.
because they might not be your isp and someone else.
Even though your firewall is blocking those ports your firewall can be brought down. Yes it is possible.
Trust me I have broguth down a sygate firewall with a port scanning utility.
So be advised and very careful that you configure everything accordingly.
Good luck.

I was just kind of curious at why there would be a rise in it all of a sudden. Its almost like I'm being targeted, because Its always scanning for the previously mentioned ports. I'm beginning to wonder if its really someone attacking me, or its a zombie computer that have been infected and is attacking. For all I know they could be scanning the entire subnet, which is some information I was hoping to get from cox, but I really doubt that is going to happen. I already knew the ignore it option. I really wanted to put this out there for the newbie security questions, and was hoping that someone else might be able to explain the why me, why now question, especially since the bugs that its trying to exploit have been out for awile now. And also hoping someone would know of a magic bullet that I could respond with other than the aforementioned. Thanks for the opinions.

Have you considered reporting it to incidents.org? It might be an indication of an upcoming attack or new vulnerability.

Interesting MsM. I think I'll report it to those folks when I get home. I doubt that its a new incident judging from some of the ports, (2745 = beagle, 3127 = MyDoom) however the rest it could be. I'll see what incidents has to say about it, maybe they can figure something out!

I'm going to have to agree with the general sentiment of the replies in that, it's not worth the effort to get your panties in a bunch (like I used to) over port scans/connection attempts. About the only time I hit the panic button is when I start seeing sh*t loads of connection attempts/scans to a certain port like the MS SQL worm and port 1434 (my logs recorded over 60 attempts in less than 20 minutes on my home PC).
With things like IP spoofing, hijacked computers, proxies, and redirects, there really is no way in telling exactly what or who you're dealing with any absolute certainty (unless you're one lucky bastard). You also don't want to crucify the wrong person for attacking you when they might not even have any idea that their computer is compromised in the first place.
Honestly, it irritated me to no end that my firewall logs were still getting clogged with ICMP traffic from infected computers long after the alert went out about the Welchia worm to the general public. In any event, what I'm saying is pay attention to your logs but don't go overboard.

Perfect example - while I was typing this post my firewall logged 11 connection attempts to my DCOM port :D

Quote:

---

Originally posted here by thadbme
I was just kind of curious at why there would be a rise in it all of a sudden. Its almost like I'm being targeted, because Its always scanning for the previously mentioned ports. I'm beginning to wonder if its really someone attacking me, or its a zombie computer that have been infected and is attacking. For all I know they could be scanning the entire subnet, which is some information I was hoping to get from cox, but I really doubt that is going to happen. I already knew the ignore it option. I really wanted to put this out there for the newbie security questions, and was hoping that someone else might be able to explain the why me, why now question, especially since the bugs that its trying to exploit have been out for awile now. And also hoping someone would know of a magic bullet that I could respond with other than the aforementioned. Thanks for the opinions.

---

I am on Cox Cable High Speed Internet and get scanned all the time from the same subnet that I am on...(As well as others) Cox occasionally does port scans from their DNS servers as well. I think they are looking for people running webservers. (Which is against their terms of service for residential customers)

Ummm...........Whenever I get a port scan I usually just block the whole range, Unless I know where it's comming from like Kazaa, Anti-Online....ect

Since they own the IP segment, they are probably scanning for infected machines on their segment so they can notfiy infected users that their machines have been compromised.

-Maestr0

Ok I'll shorten it a great deal, but I got this in response from cox.....

Cox.net/CoxCom, your cable Internet service provider, has
received complaints from other users within the Internet
community that your computer has been used to send
unauthorized probes against their systems. These complaints
contained logs of the network traffic showing the use of
your CoxCom account to scan other computers via the
Internet.

"blah blah blah tells you what a system probe is, tells you to not do it again"

The complete AUP can be found here:

http://support.cox.net/custsup/polic...tableuse.shtml

Thank you,
Abuse and AUP Management
Cox Communications Inc.


*** NOTE TO SUBSCRIBER ***


If you are not aware of this activity by anyone with direct access to your
computer(s), then one or more of your computers may be compromised with one or
more Trojan Viruses. There are a number of malicious 'remote access trojans'
(RAT) that are frequently used to relay malicious activity through a victim's
machine. We recommend you check any systems connected through your cable modem
for such compromises. Update and run any Anti-virus program(s) you might
have.

Please note that common Anti-virus products may have considerable difficulty
detecting and/or removing trojans because they often use legitimate software
packages such as mIRC or Wingate. Please make efforts to ensure that any
systems attached to the Cox HSI network are free of any viruses, worms, or
trojans. In the event that you are running a wireless network, please be
certain that it is secure and neighbors and/or strangers are not using your
service without your knowledge. If necessary, please remove any suspect
machines from the Cox network until the problems can be located and fixed. If
you are unable to locate the source of this email, please have a professional
investigate and clean the compromised system. We appreciate your help in
resolving this matter.


Please review the Cox HSI Acceptable Use Policy located at the following
address:

http://support.cox.net/custsup/polic...tableuse.shtml

Some ways to protect yourself against future unauthorized access:

1) Use a broadband gateway
2) Manually run Windows Updates and Enable automatic Windows Updates by visiting http://windowsupdate.microsoft.com. (critical OS security patches)
3) If MS Office suite is installed, regularly run MS Office updates by visiting http://office.microsoft.com/OfficeUpdate/default.aspx (Critical office security patches)
4) Disable unnecessary services (web, ftp, mail servers)
5) Consider using an additional software firewall with application protection
to ensure only programs with permission speak on the network
6) Disable automatic saving of attachments in Outlook express or Outlook
7) Disable html in email
8) Keep Instant messengers and other always-on services updated and patched
9) Never run files from untrusted sources (peer-to-peer networks, Usenet, IRC,
Web)
10) Limit and monitor activity by minors using systems in household


Sincerely,

The Cox Customer Security Department



--- The following material was provided to us as evidence ---


[Part 0 (plain text)]

I have attached the security logs from my firewall from what is no doubt an
abusive user. My immediate reaction was to scan them in return, however I
decided to cancel this route as it would not be preferred. Please let me know
what can be done.
X

03/12/2004 02:43:32 Port Scan Minor Incoming TCP X.X.X.X 00-50-57-00-EF-5F
my ip addy my mac addy thadbme PEREGRIN Normal 1 03/12/2004 02:43:32
03/12/2004 02:43:32

03/12/2004 02:43:26 Port Scan Minor Incoming TCP X.X.X.X 00-50-57-00-EF-5F
my ip addy my mac addy thadbme PEREGRIN Normal 1 03/12/2004 02:43:26
03/12/2004 02:43:26
03/12/2004 02:43:23 Port Scan Minor Incoming TCP X.X.X.X 00-50-57-00-EF-5F
my ip addy my mac addy thadbme PEREGRIN Normal 1 03/12/2004 02:43:23
03/12/2004 02:43:23

Ok sorry for the long post... but they use MY OWN EVIDENCE to say that I was the one attacking, not to mention I have the original logs. Opinions on this? This has almost upset me to the point of wanting another ISP, but unfortunately at this time I cannot switch. Thoughts??

It's quite possible that they have a program that reads the abuse mailbox, attempts to parse it and sends out notifications without ever having an actual human intervene. Maybe the auto abuse-mail-reader misinterpreted your logs, thinking that you were were complaining about yourself. I've had this scenario happen several times with different ISP's and backbone providers. If you submit your request again, with some language indicating that you've already tried to submit it once, but it was mis-interpreted they may read the log entries for what they actually are. Failing all that, you could give them a call.

--Ben

Call them and get a technical support 'specialist' or whatever the **** (I know those call centers are a nightmare) they are and try to be very nice and explain they made a boo-boo. As far as the scans from your ISP go, you can eat it or switch, its their network and they are trying to keep it clean. If you cant take a portscan stay outta the internet. :)

-Maestr0

I can handle the port scan's I'll assure you. The main reason I posted was to ask the question why the sudden increase. I think that I might have to call cox and complain or something.

I think the autoparse response is probably correct. Anyways thanks for listening.

If I'm not mistaken, port 5000 is the Universal Plug and Play port address....there is a tool at grc.com that can close it permanently if you don't need it.

Ouroboros

thadbme, when I file complaints with my cable provider I usually get a copy of the email. It strikes me that they've sent you a copy of the note they've sent to the "attacker". Before making an assumption, check to see if you were BCC'd. The fact that it's your own evidence would lead me to think that more than them accusing you of an "attack".

negative MsM. I'm in the To: category, on top of that they sanitized the other IP which was the real attacker, I only sanitized my IP and mac address. I'm thinking its going back to the auto parse theory. It doesn't appear to be a personalized email, rather just my information had been inserted.

Are there ethics here? I believe you should saet your firewall to block those ports and attempt to trace,as illegal hacks can be reported.

Way ahead of you. The ports are already blocked, and they have been reported. The trace goes back to my home subnet, which is cox. I've attached the reply from cox if you'll scroll up a bit. The ethics question came in as should I fight back, or whats a better way to do other than what I've already did type deal.

There's not much more that you can do short of breaking the law. Technically, AFAIK, scanning is a legal activity. It happens to many people and recent upswings may be indications of kiddies finding new tools and having not enough homework. (I'm hugely generalizating here but I think you get the point). Keep in mind that as long as your firewall is responding it's doing the job it's supposed to do. I'd be more worried about what it might not pick up rather than that it is picking things up.

Trace and locate without illegal activities