colman

Portscan Intrusion

Greetings,

Last night, my computer received a Portscan Intrusion.

The attack was done by a computer with an IP address of 218.106.151.128.

Fortunately, my firewall, Norton, stopped the assault. However, I would like to report the person responsible for the attack. What should I do?

That IP originates from China, I doubt reporting it would do anything. You should be grateful you have only received 1 intrusion, our servers receive thousands a day. Much of this is nothing and yes some are serious. What kind of scan was it?

While I agree with Merlyn that reporting this specific attack is probably useless (as are most "attacks" you will see with a software firewall; many are normal internet traffic of very little consequence), you could use this to learn how to track an address. I use a very limited depth search to send my manual LARTs. Others go into much more detail.

If you go to the parser at www.spamcop.net, you can get a reporting address (or at least what network to look for an abuse address).

Reporting addresses:

chenrong[at]china-netcom.com

fj-fz-ipaddress[at]china-netcom.com

You could then take that information and plug it into the web lookup tool at www.abuse.net and get:

postmaster[at]china-netcom.com (for china-netcom.com)

daihy[at]china-netcom.com (for china-netcom.com)

tech-group[at]china-netcom.com (for china-netcom.com)

cncsummary[at]special.abuse.net (for china-netcom.com)

You could also try looking at the network's web page for a network abuse reporting address.


> That IP originates from China, I doubt reporting it would do anything. You should be grateful you have only received 1 intrusion, our servers receive thousands a day. Much of this is nothing and yes some are serious. What kind of scan was it?

Don't tell me how I should feel.

One intrusion is too many!

The attacks have been happening for years and nothing has been done about them. So, now I would like to do something about this one. Anything would be better than silence.

Norton calls it a Portscan intrusion.

Norton calls a thousand different scans Portscan intrusions and most of them mean nothing. Just background noise on the internet.

Firewalls can be very dangerous if you do not understand what is happening.


> Firewalls can be very dangerous if you do not understand what is happening.

This retort is rude and antagonistic.

What is your problem?


> This retort is rude and antagonistic.

Hardly. The indelicate description is "goober with firewall" .... The "net" is a giant network. All kinds of traffic abounds out there. The critical item you either missed, didn't address, or are simply ignoring is that if your firewall says the "attack" was stopped, it did its job. The "lookup" table used to "identify" activity is from a database .. and hint, hint .. like all Symantec products, the sounding of alarms and ringing of bells is primarily there to let the user know that something is happening with the software that money had just been blown on. (The most famous being CrashGuard .. and when folks came in crying about how often their computer was crashing, the advice offered was to remove CrashGuard and guess what .. the computer stopped crashing ...????)

> What is your problem?

I would suggest that the problem suggested is elsewhere.

Do a Google on places/things like DShield, MyNetWatchman .... they take (some) firewall logs and deal with some of that provided data .....


> This retort is rude and antagonistic.
>
> What is your problem?

> Don't tell me how I should feel.
>
> One intrusion is too many!

Your responses are rude and antagonistic, especially to very simple statements. Did you come here for help or to start a flame war? If you didn't want responses, you probably should not have posted here.

Firewalls can be dangerous with a little knowledge, and can be quite helpful with more than just a little knowledge. Learning your firewall and its alerting system can assist you better than a community forum that doesn't have anything to do with your firewall system.

I've gotten a ton of help here, and I've found that sugar always works better than vinegar.


> Don't tell me how I should feel.
>
> One intrusion is too many!
>
> The attacks have been happening for years and nothing has been done about them. So, now I would like to do Something about this one. Anything would be better than silence.
>
> Norton calls it a Portscan intrusion.

Go to blackholes.us, DL the zone files for the various countries and add them to your firewall. That will stop about half the intrusions.

One intrusion is nothing. Continuous banging gets a firewall block. Trying to get an ISP to trace down anything less than $10,000 in damages is a friggin waste of time in the USA; anywhere else you get laughed at. Any serious attack comes through at least three levels of trojanned machines and is almost impossible to track without Federal and/or multinational cooperation, with a lot of network equipment that you and I could not afford.

Securing your machine and keeping it secure is the way to go. Since it's a Windows box, it should be behind a firewall, not on the Internet directly. No Windows machine should be directly on the net. Only then will you be a good netizen. Even after that, you should still follow strict security practices. Windows' nasty habit of treating data as executable is pervasive and allows a lot of virms to be successful.


> That IP originates from China, I doubt reporting it would do anything. You should be grateful you have only received 1 intrusion, our servers receive thousands a day. Much of this is nothing and yes some are serious. What kind of scan was it?
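As an added illustration of the zone-file advice in the post above (this is not code from the thread or from blackholes.us; the zone-file format and the address ranges are constructed, and the scanner list is a made-up log that includes the IP from the original post), a script that loads a per-country CIDR list, collapses overlapping and adjacent ranges into the smallest rule set, and checks which scanning sources such a list would actually drop before they reach a host firewall:

```python
import ipaddress
import sys
from typing import List, Optional, Tuple

# Constructed sample in the style of a per-country zone file: one CIDR per
# line, '#' or ';' comments. Not real blackholes.us data; ranges are made up.
SAMPLE_ZONE = """
# cn.zone (constructed example)
218.104.0.0/14
218.108.0.0/14          ; adjacent to the /14 above: collapses into a /13
218.200.0.0/13
1.2.3.0/24
1.2.3.128/25            # already inside the /24 above: dropped on collapse
300.1.1.0/24            # malformed line: reported and skipped
"""

def load_zone(text: str) -> List[ipaddress.IPv4Network]:
    """Parse CIDR lines, skip blanks, comments and malformed entries, and
    collapse overlapping or adjacent ranges so the firewall gets a minimal
    rule set (fewer rules, same coverage)."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            print(f"zone line {lineno}: skipping malformed entry {line!r}",
                  file=sys.stderr)
    return list(ipaddress.collapse_addresses(nets))

def matching_block(ip: str, nets) -> Optional[ipaddress.IPv4Network]:
    """Return the collapsed range that would block `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)

def split_scanners(ips, nets) -> Tuple[List[str], List[str]]:
    """Partition scanner source IPs into those the zone list would drop and
    those that would still reach the host firewall (and its alert log)."""
    blocked = [ip for ip in ips if matching_block(ip, nets)]
    passed = [ip for ip in ips if not matching_block(ip, nets)]
    return blocked, passed

if __name__ == "__main__":
    nets = load_zone(SAMPLE_ZONE)
    # Constructed scanner log: the IP from the original post plus two others.
    scanners = ["218.106.151.128", "1.2.3.200", "198.51.100.7"]
    blocked, passed = split_scanners(scanners, nets)
    print("rules:", [str(n) for n in nets])
    print("blocked:", blocked, "| still reaching firewall:", passed)
```

The collapse step matters in practice: a raw zone file can carry thousands of overlapping entries, and many host firewalls slow down or cap out on long rule lists.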

You have received much good advice; but if you want to go further, I can tell you what I used to do (I stopped this a little over 7 years ago when attacks became too common). The first scan or attack got you in a database; the second got me to break into your machine. If an MS box, autoexec.bat was changed; if a *nix box, then /etc/motd was changed to state "Your machine is probably infected with a virus, please check it and repair". The third attempt led to renaming crucial files on the machine so that it wouldn't boot, and a file was left either at the top of the C: drive or in / for *nix machines with the name "Please-Cleanup" and a single line stating "This machine is being used for attacks against other internet users". The fourth offense led to disk erasure. I'm sure that this is now quite illegal (at least in the U.S.), and I certainly see thousands of port scans a day, and a few hundred real "attacks" for my network (a few hundred IPs).

I'm not recommending this, but if you wanted to, you could (fairly easily) find the needed exploits to perform these actions; just be aware that in the most common case, the immediate attacker is an otherwise innocent party whose machine is "owned" by a real hacker (oddly, a common technique once a machine is "owned" is for the hacker to secure the box so that someone else doesn't "steal" it from him).

Also, the IP you gave is currently not up and is likely a DUL anyway (you have to catch them during the scan to be effective in many cases).

BTW, for loafman, I do have the extensive equipment and necessary privileges to *really* backtrace the several levels typically, but I've found the "real" attacker's box (nowadays) is usually a relatively secure BSD or SELinux machine and the effort involved is not worth it. Besides, now, what I used to do commonly is clearly a prosecutable offense.


> BTW, for loafman, I do have the extensive equipment and necessary privileges to *really* backtrace the several levels typically, but I've found the "real" attacker's box (nowadays) is usually a relatively secure BSD or SELinux machine and the effort involved is not worth it. Besides, now, what I used to do commonly is clearly a prosecutable offense.

Oh, but it is a nice dream! Fortunately, most of the people who /could/ do that know that the 'effort is not worth it' so you are not encouraging people to do illegal things. I hope that the OP doesn't consider that you are being condescending.

Miss Betsy


> No Windows machine should be directly on the net.

What I tell our remote reps is that they should never be on the internet unprotected. When you connect to the internet, you're connecting to computers who have connected to other computers who have connected to other computers who have connected to other computers and so on and so on. If you practice safe hex, then you're good to go.

/ok so it's a bad pun and i could have found a better word than hex.... :rolleyes:


> Go to blackholes.us, DL the zone files for the various countries and add them to your firewall. That will stop about half the intrusions.
>
> One intrusion is nothing. Continuous banging gets a firewall block. Trying to get an ISP to trace down anything less than $10,000 in damages is a friggin waste of time in the USA; anywhere else you get laughed at. Any serious attack comes through at least three levels of trojanned machines and is almost impossible to track without Federal and/or multinational cooperation, with a lot of network equipment that you and I could not afford.
>
> Securing your machine and keeping it secure is the way to go. Since it's a Windows box, it should be behind a firewall, not on the Internet directly. No Windows machine should be directly on the net. Only then will you be a good netizen. Even after that, you should still follow strict security practices. Windows' nasty habit of treating data as executable is pervasive and allows a lot of virms to be successful.

A good ISP will act quickly. On one of my pipes, I had a DoS last night; within 8 minutes the ISP and AboveNet had blocked the source and the pipe was back up (it was my primary routing path and the only one I publish SPF records for, so it was a pain in the neck despite being near 3AM local time).
