Port scanning

[ronandamee1]

I know this is not a hacking forum, but someone might know something. I downloaded the Sygate personal firewall http://download.com.com/3000-2092-10247416.html?tag=lst-0-1 It seems like my Ports get scanned every ten minutes. What could that be? There are only 2 different ip's doing it. I am confused as to if I should be worried.

[fatkid]

Are you on a LAN with other computers around?  Chances are, if its the same computers over and over, that they are infected with a virus that is running the port scans.  If on a LAN, and if you have a SysAdmin, call him/her up and tell him the IPs that keep scanning you... They can shut them down, as they should... If you are the SysAdmin ;), then just go check all the computers that are on your LAN for a virus of some sorts, or some bastard doing port scans on the LAN... Also you can do a tracert command on the IPs and find the ISP through the jumps it makes... Then you can call up their ISP and tell them what is going on... Believe me, they want to know if people are running IP scans behind their lines... If you need help with any of this just let me know... A little more info on your network would really be helpful to in narrowing this down...

[DEBKARLAR]

so fatkid anytime i see a portscan coming from an IP addy i should backtrace to last IP and email them saying I'm geting scan by a user from your domain thier Ip is.....should we take a screen shot and send it to abuse@thescannersip.com ?

[ronandamee1]

I am not on a lan or network. I have windows xp Ie6 and i have comcast cable internet.

[bob@pogopal]

Well, YZ, that makes your computer one of those computers most highly coveted by script kiddies--a fast internet connection that is on all the time. Those properties mean you are unlikely to notice when they install software on your computer, your computer can pump out a lot of traffic during a DDOS attack and your computer is highly available to the s'kiddie.

My computer got exploited a while ago, but the script kiddie did not get very far before I noticed my dial-up was working hard when I wasn't telling it to work at all. The only advantage to having no high-speed internet access available.

[Homer]

Wouldn't you be able to block these attempts with a firewall? ???

[ronandamee1]

Well, YZ, that makes your computer one of those computers most highly coveted by script kiddies--a fast internet connection that is on all the time. Those properties mean you are unlikely to notice when they install software on your computer, your computer can pump out a lot of traffic during a DDOS attack and your computer is highly available to the s'kiddie.

My computer got exploited a while ago, but the script kiddie did not get very far before I noticed my dial-up was working hard when I wasn't telling it to work at all. The only advantage to having no high-speed internet access available.

Thanks Bob, now I feel like I am being violated everytime I turn the computer on!...j/k

I have sygate, hopefully it is stopping the little bastards. Worst case scenario - System restore.

[fatkid]

YZ, I wouldn't worry about it too much... You can tracert the IP in a command prompt if you want to... The fact that SyGate is warning you about the hits should be enough to let you know that it is working and they aren't able to do everything they want.  Furthermore bob is fairly correct in responce to the script kiddies at work on your computer... Having some "experience" in the matters (hey we all gotta learn our respective trades one way or another, and every geek will spend his/her time at one point being a n00b and a script kiddie  :-) of IP range scans, cable and dsl connections are just ok; not too great, not too bad... As you said, you have comcast... I would wager your upload speed maxes out somewhere around 30kBs, unless you pay for a better package than the standard...  The real target though for the scanners/rooters are .edu lines (college campus computers)... When I lived on campus I had a maximum upload speed of 1200kBs all to myself in my dorm room... At my work computer (in the school library) I have over 12,000kBs... And it's pretty easy to do... All you need is an IP scanning tool, a root kit, and an IP index... From my own experience in the nature, when I was on an IP index website, I tended to look only at the .edus... Like for my school we own all IPs in the range of 128.187.xxx.xxx.... So I just started at 128.187.0.1 and went all the way up to 128.187.255.255... Now you can guess how many students in college actually protect their computers properly (not many ::))... Anyways (though DOS was never a concern of mine; for the record I f*cking hate the DDOS script kiddies) with a 1200kBs upload speed you can reek the real DOS (Distributed Denial of Service; it's a type of web attack) havoc with the edu lines... If your connection is really rooted out yz, it very well could be for some script kids bot.net, but I'd more than wager it's for some kind of IRC bot...  The IRC bot masters love to fill their main chans with XDCC bots to send out any type of warez to the public, and in the main channels they don't mind using cable/dsl connections to do so; in their distro channels though is usually where you can find the 10mb and 100mb connections... Anyways, I'm probably going a little too deep for some on here, so I'll shut up now...  :)

Anyways, my suggestions yz, would be to keep SyGate up and running, and virus scan the crap out of your computer (especially running it in safe mode and then run the virus scan)... If those IPs keep hitting you, post up the IP # and I (as I'm sure many others) can tracert the IP and give you some more info on them to write their ISP about...

[ronandamee1]

OMG fatkid,
                   Pogo is down, so I have been waiting here for you to pots for like half an hour now thinking what the hell is he doing. Now I know. Thanks alot for the post. It seems very helpful.  I Appreciate your help..... ;D

[fatkid]

Yeah, I tried to keep that post on the lite side... I've been know to past 3 to 4 pages in one post on the topics... DJ and I used to wax philosophical all the time back in the day... Now I try to control my posts and keep them short and sweet... :)

[Maelstrom]

Sygate and Zonealarm are 2 great firewalls. I use them both actually. In case one of them doesn't catch anything, the other is sure to but I'm not saying their foolproof. Just good measures to have if you are on any kind of broadband or ISDN.

If being port scanned is frightening you at all hours of the day, there are some options in firewalls that will allow you to close un-used ports so you can minimize the threat. Still the great thing about firewalls is you are asked for what programs access the internet. Just be sure you know what programs they are, you can do a search for that particular file easy, and if it's un-familiar to you then don't allow access. Same thing goes for standalone IP's that want access to your pc, which most firewalls will ask you if you want so-and-so to 'act' as a server(Like IRC, or a Instant Messenger).
If your not running any of these that use your pc to interact with others, then deny immediately.

I don't know if this works or not, but I've been told that typing in @Echo in your DOS command prompt, and leaving the window open will make anything done to your pc bounce back at the attacker. I'm no hacking genius, but I believe if a hacker had total control over my pc, un-plugging your power and internet connections would be the only way of stopping it. Viruses and trojans can be dealt with manually if you have the means.

[Santa69]

I don't know if this will help or not but you can try here http://www.grc.com/ they have a couple of nice programs for testing you firewall and your computers security

[evilone373]

i am by no means computer knowledgeable but on my firewall it has a lockdown option,supposedly nothing can get in or leave my comp. quicker than unhooking the modem.and would that be overkill if i also have the router firewall? i have heard to much of one thing just slows the comp. down a little? and yz i got the mcafee security center free for a year by having comcast cable.and you can track and report pings and such thru it.
actually i think it automatically goes to hackerwatch.org if someone tries to ping or port scan your comp.