
Portscan Intrusion


colman


Greetings,

Last night, my computer received a Portscan Intrusion.

The attack was done by a computer with an IP address of 218.106.151.128.

Fortunately, my Firewall, Norton, stopped the assault. However, I would like to report the person responsible for the attack. What should I do?


That IP originates from China, I doubt reporting it would do anything. You should be grateful you have only received 1 intrusion, our servers receive thousands a day. Much of this is nothing and yes some are serious. What kind of scan was it?


While I agree with Merlyn that reporting this specific attack is probably useless (as are most "attacks" you will see with a software firewall; many are normal internet traffic of very little consequence), you could use this to learn how to track an address. I use a very limited depth search to send my manual LARTs. Others go into much more detail.

If you go to the parser at www.spamcop.net, you can get a reporting address (or at least what network to look for an abuse address).

Reporting addresses:

chenrong[at]china-netcom.com

fj-fz-ipaddress[at]china-netcom.com

You could then take that information and plug it into the web lookup tool at www.abuse.net and get:

postmaster[at]china-netcom.com (for china-netcom.com)

daihy[at]china-netcom.com (for china-netcom.com)

tech-group[at]china-netcom.com (for china-netcom.com)

cncsummary[at]special.abuse.net (for china-netcom.com)

You could also try looking at the network's web page for a network abuse reporting address.

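Added example (mine, not code from any post in this thread): the lookup described above, done by hand against SpamCop and abuse.net, can also be done directly against WHOIS. The script asks the IANA WHOIS server which regional registry holds the address, follows the "refer:" line to that registry, and pulls the abuse mailbox out of the reply. SAMPLE_RESPONSE is a constructed APNIC-style record for offline testing, not a real registry entry; the network range and handles in it are made up, the two mailboxes are the ones the post lists, and the field names are the ones registry WHOIS servers really emit (abuse-mailbox and e-mail at APNIC and RIPE, OrgAbuseEmail at ARIN).

```python
"""Find the abuse contact for an IP address by WHOIS (added example)."""
import re
import socket

IANA_WHOIS = "whois.iana.org"
WHOIS_PORT = 43

# Fields that carry a mailbox a report can go to, in order of preference.
ABUSE_FIELDS = ("abuse-mailbox", "orgabuseemail", "e-mail", "email")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Raw RFC 3912 WHOIS: connect to TCP/43, send query + CRLF, read to EOF."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_fields(text: str) -> dict:
    """'key: value' lines -> {lower-cased key: [values]}; skips % and # banners."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def referral(text: str):
    """Server named on an IANA 'refer:' or ARIN 'ReferralServer:' line, else None."""
    fields = parse_fields(text)
    for key in ("refer", "referralserver"):
        for value in fields.get(key, []):
            # ARIN writes whois://whois.ripe.net; drop the scheme and any :port
            return value.replace("whois://", "").split(":")[0]
    return None


def parse_abuse_contacts(text: str) -> list:
    """Unique abuse addresses from a WHOIS reply, most specific field first."""
    fields = parse_fields(text)
    contacts = []
    for name in ABUSE_FIELDS:
        for value in fields.get(name, []):
            for addr in EMAIL_RE.findall(value):
                if addr.lower() not in [c.lower() for c in contacts]:
                    contacts.append(addr)
    return contacts


def lookup_abuse(ip: str) -> list:
    """Live lookup (needs network): IANA -> referred registry -> abuse contacts."""
    text = whois_query(IANA_WHOIS, ip)
    server = referral(text)
    if server:
        text = whois_query(server, ip)
    return parse_abuse_contacts(text)


# Constructed record for offline use: range and handles made up, mailboxes
# taken from the thread, field names as APNIC emits them.
SAMPLE_RESPONSE = """\
% [whois.apnic.net]
% Constructed sample, not a real registry record.

inetnum:        218.106.128.0 - 218.106.191.255
netname:        EXAMPLE-NET
country:        CN
admin-c:        EX1-AP
tech-c:         EX1-AP
abuse-mailbox:  fj-fz-ipaddress@china-netcom.com
remarks:        send spam and abuse reports to abuse-mailbox
source:         APNIC

person:         Example Admin
e-mail:         chenrong@china-netcom.com
nic-hdl:        EX1-AP
source:         APNIC
"""

if __name__ == "__main__":
    print(parse_abuse_contacts(SAMPLE_RESPONSE))
    # print(lookup_abuse("218.106.151.128"))  # live query; uncomment when online
```

The abuse-mailbox field is tried before the generic e-mail field because the person record's address is usually an individual, not the role mailbox that actually reads complaints. As the next posts point out, the address you find this way is the ISP of whatever machine probed you, which is very often a compromised customer box rather than whoever is behind it.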

That IP originates from China, I doubt reporting it would do anything.  You should be grateful you have only received 1 intrusion, our servers receive thousands a day.  Much of this is nothing and yes some are serious.  What kind of scan was it?


Don't tell me how I should feel.

One intrusion is too many!

The attacks have been happening for years and nothing has been done about them. So, now I would like to do Something about this one. Anything would be better than silence.

Norton calls it a Portscan intrusion.


This retort is rude and antagonistic.

Hardly. The indelicate description is "goober with firewall" .... The "net" is a giant network. All kinds of traffic abound out there. The critical item you either missed, didn't address, or are simply ignoring is that if your firewall says the "attack" was stopped, it did its job. The "lookup" table used to "identify" activity is from a database .. and hint, hint .. like all Symantec products, the sounding of alarms and ringing of bells is primarily there to let the user know that something is happening with the software that money had just been blown on. (The most famous being CrashGuard .. and when folks came in crying about how often their computer was crashing, the advice offered was to remove CrashGuard and guess what .. the computer stopped crashing ...????)

What is your problem?

I would suggest that the problem suggested is elsewhere.

Do a Google on places/things like DShield, MyNetWatchman .... they take (some) firewall logs and deal with some of that provided data .....


This retort is rude and antagonistic.

What is your problem?


Don't tell me how I should feel.

One intrusion is too many!

Your responses are rude and antagonistic, especially to very simple statements. Did you come here for help or to start a flame war? If you didn't want responses, you probably should not have posted here.

Firewalls can be dangerous with a little knowledge, and can be quite helpful with more than just a little knowledge. Learning your firewall and its alerting system can assist you better than a community forum that doesn't have anything to do with your firewall system.

I've gotten a ton of help here, and I've found that sugar always works better than vinegar.


Don't tell me how I should feel.

One intrusion is too many!

The attacks have been happening for years and nothing has been done about them. So, now I would like to do Something about this one. Anything would be better than silence.

Norton calls it a Portscan intrusion.

Go to blackholes.us, DL the zone files for the various countries and add them to your firewall. That will stop about half the intrusions.

One intrusion is nothing. Continuous banging gets a firewall block. Trying to get an ISP to trace down anything less than $10,000 in damages is a friggin waste of time in the USA; anywhere else you get laughed at. Any serious attack comes through at least three levels of trojanned machines and is almost impossible to track without Federal and/or multinational cooperation, with a lot of network equipment that you and I could not afford.

Securing your machine and keeping it secure is the way to go. Since it's a Windows box, it should be behind a firewall, not on the Internet directly. No Windows machine should be directly on the net. Only then will you be a good netizen. Even after that, you should still follow strict security practices. Windows' nasty habit of treating data as executable is pervasive and allows a lot of virms to be successful.

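Added example (mine, not code from any post in this thread): the rule in the post above, one probe is noise but "continuous banging" earns a block, written out as detection logic over firewall drop logs, which is also the kind of input DShield and MyNetWatchman, mentioned earlier, take. A source that touches PORT_THRESHOLD distinct destination ports within WINDOW_SECONDS is flagged as a scan; a second function checks sources against a zone list of the one-CIDR-per-line kind the post suggests loading into the firewall. The log format, SAMPLE_LOG and SAMPLE_ZONE are all constructed for this example (192.0.2.x, 198.51.100.x and 203.0.113.x are documentation ranges; the /17 is not a real country allocation); Norton and other firewalls write their own formats, so LOG_RE is the part to adapt.

```python
"""Tell a port scan apart from background noise in firewall drop logs (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

PORT_THRESHOLD = 5    # this many distinct destination ports ...
WINDOW_SECONDS = 60   # ... inside this many seconds marks a scan

# Constructed log layout: "<date> <time> DROP <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """One log line -> the fields the detector needs, or None if it is not a drop."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "proto": m["proto"],
        "src": m["src"],
        "dport": int(m["dport"]),
    }


def detect_scans(lines, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """{source: sorted distinct ports} for every source that hit at least
    `threshold` distinct ports inside a sliding window of `window` seconds."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append((ev["ts"], ev["dport"]))
    scans = {}
    for src, evs in events.items():
        evs.sort()                       # oldest first
        lo = 0
        for hi in range(len(evs)):
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window:
                lo += 1                  # slide the window's left edge forward
            if len({port for _, port in evs[lo:hi + 1]}) >= threshold:
                scans[src] = sorted({port for _, port in evs})
                break
    return scans


def load_zone(text: str):
    """Parse a zone/blocklist file: one CIDR per line, '#' comments allowed."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def matches_zone(ip: str, networks) -> bool:
    """True if the address falls inside any network of the loaded zone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


# Constructed log: one fast sweep of six ports, one stray UDP probe, and one
# source that tries a new port every hour (too slow to count as a scan).
SAMPLE_LOG = """\
2005-03-14 02:11:05 DROP TCP 218.106.151.128:4311 -> 192.0.2.10:135
2005-03-14 02:11:05 DROP TCP 218.106.151.128:4312 -> 192.0.2.10:139
2005-03-14 02:11:06 DROP TCP 218.106.151.128:4313 -> 192.0.2.10:445
2005-03-14 02:11:06 DROP TCP 218.106.151.128:4314 -> 192.0.2.10:1025
2005-03-14 02:11:07 DROP TCP 218.106.151.128:4315 -> 192.0.2.10:3389
2005-03-14 02:11:08 DROP TCP 218.106.151.128:4316 -> 192.0.2.10:5900
2005-03-14 02:09:58 DROP UDP 198.51.100.7:1434 -> 192.0.2.10:1434
2005-03-14 02:30:00 DROP TCP 203.0.113.9:52100 -> 192.0.2.10:22
2005-03-14 03:30:00 DROP TCP 203.0.113.9:52101 -> 192.0.2.10:80
2005-03-14 04:30:00 DROP TCP 203.0.113.9:52102 -> 192.0.2.10:443
2005-03-14 05:30:00 DROP TCP 203.0.113.9:52103 -> 192.0.2.10:25
2005-03-14 06:30:00 DROP TCP 203.0.113.9:52104 -> 192.0.2.10:110
"""

# Constructed zone file, not a real country list.
SAMPLE_ZONE = """\
# one CIDR per line, comments allowed
218.106.128.0/17
198.51.100.0/25
"""

if __name__ == "__main__":
    zone = load_zone(SAMPLE_ZONE)
    for src, ports in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"scan from {src}: ports {ports}; in zone list: {matches_zone(src, zone)}")
```

The threshold is on distinct ports, not packets, so a single service being hammered (a worm retrying one port) does not register as a scan, while the slow source that spreads its probes an hour apart stays below the window and is left alone. Tune both constants to your own logs before turning the output into firewall rules; a zone list removes whole countries of noise but also anything legitimate from there.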

That IP originates from China, I doubt reporting it would do anything.  You should be grateful you have only received 1 intrusion, our servers receive thousands a day.  Much of this is nothing and yes some are serious.  What kind of scan was it?


You have received much good advice; but if you want to go further, I can tell you what I used to do (I stopped this a little over 7 years ago when attacks became too common). The first scan or attack got you in a database; the second got me to break into your machine - if an MS box, autoexec.bat was changed, if a *nix box then /etc/motd was changed to state "Your machine is probably infected with a virus, please check it and repair"; the third attempt led to renaming crucial files on the machine so that it wouldn't boot, and a file was left either at the top of the C: drive or in / for *nix machines with the name "Please-Cleanup" and a single line stating "This machine is being used for attacks against other internet users"; the fourth offense led to disk erasure. I'm sure that this is now quite illegal (at least in the U.S.), and I certainly see thousands of port scans a day, and a few hundred real attacks, for my network (a few hundred IPs).

I'm not recommending this, but if you wanted to, you could (fairly easily) find the needed exploits to perform these actions; just be aware that in the most common case, the immediate attacker is an otherwise innocent party whose machine is `owned' by a real hacker (oddly, a common technique once a machine is `owned' is for the hacker to secure the box so that someone else doesn't `steal' it from him).

Also, the IP you gave is currently not up and is likely a DUL anyway (you have to catch them during the scan to be effective in many cases).

BTW, for loafman, I do have the extensive equipment and necessary privileges to *really* backtrace the several levels typically involved, but I've found the `real' attacker's box (nowadays) is usually a relatively secure *BSD or SELinux machine and the effort involved is not worth it. Besides, now, what I used to do commonly is clearly a prosecutable offense.


BTW, for loafman, I do have the extensive equipment and necessary privileges to *really* backtrace the several levels typically involved, but I've found the `real' attacker's box (nowadays) is usually a relatively secure *BSD or SELinux machine and the effort involved is not worth it. Besides, now, what I used to do commonly is clearly a prosecutable offense.

Oh, but it is a nice dream! Fortunately, most of the people who /could/ do that know that the 'effort is not worth it' so you are not encouraging people to do illegal things. I hope that the OP doesn't consider that you are being condescending.

Miss Betsy


No Windows machine should be directly on the net. 


What I tell our remote reps is that they should never be on the internet unprotected. When you connect to the internet, you're connecting to computers that have connected to other computers that have connected to other computers that have connected to other computers, and so on and so on. If you practice safe hex, then you're good to go.

/ok so it's a bad pun and i could have found a better word than hex.... :rolleyes:


Go to blackholes.us, DL the zone files for the various countries and add them to your firewall.  That will stop about half the intrusions.

One intrusion is nothing. Continuous banging gets a firewall block. Trying to get an ISP to trace down anything less than $10,000 in damages is a friggin waste of time in the USA; anywhere else you get laughed at. Any serious attack comes through at least three levels of trojanned machines and is almost impossible to track without Federal and/or multinational cooperation, with a lot of network equipment that you and I could not afford.

Securing your machine and keeping it secure is the way to go. Since it's a Windows box, it should be behind a firewall, not on the Internet directly. No Windows machine should be directly on the net. Only then will you be a good netizen. Even after that, you should still follow strict security practices. Windows' nasty habit of treating data as executable is pervasive and allows a lot of virms to be successful.


A good ISP will act quickly; for one of my pipes, I had a DoS last night - within 8 minutes the ISP and AboveNet had blocked the source and the pipe was back up (it was my primary routing path and the only one I publish SPF records for, so it was a pain in the neck despite being near 3AM local time).

