Guest
Posted: Tue Oct 18, 2005 10:01 pm
Post subject: Port scans. What are these?

Hi people. I get constant & regular port scans from these IP
addresses:
61.137.117.208
61.233.40.205
61.237.29.102
61.237.3.70
61.235.144.86
Severity: Minor
Direction: Incoming
Protocol: UDP
ARIN and RIPE whois servers don't give any information about any
of these addresses. It kinda bugs me because they're constant
scans. Probably caused by some application I've installed (like
automatic update check or...)
Could anyone enlighten me? Thanks in advance.

Chris
Guest
Posted: Tue Oct 18, 2005 10:05 pm
Post subject: Re: Port scans. What are these?

<kmtanner@cyberspace.org> wrote in message
news:1129654908.793897.68240@g49g2000cwa.googlegroups.com...
> Hi people. I get constant & regular port scans from these IP
> addresses:
> 61.137.117.208
> 61.233.40.205
> 61.237.29.102
> 61.237.3.70
> 61.235.144.86
> Severity: Minor
> Direction: Incoming
> Protocol: UDP
> ARIN and RIPE whois servers don't give any information about any
> of these addresses. It kinda bugs me because they're constant
> scans. Probably caused by some application I've installed (like
> automatic update check or...)
> Could anyone enlighten me? Thanks in advance.

inetnum: 61.137.0.0 - 61.137.127.255
netname: CHINANET-HN
country: CN
descr: CHINANET Hunan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
admin-c: CH93-AP
tech-c: YX69-AP
status: ALLOCATED NON-PORTABLE
changed: lqing@chinatelecom.com.cn 20050825
mnt-by: MAINT-CHINANET
source: APNIC
person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-58501144
e-mail: hostmaster@ns.chinanet.cn.net
e-mail: anti-spam@ns.chinanet.cn.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: hostmaster@ns.chinanet.cn.net 20021016
remarks: hostmaster is not for spam complaint,please send spam
complaint to anti-spam@ns.chinanet.cn.net
source: APNIC
person: Yali Xiao
address: Hunan Data Communication Bureau No.9 middle wuyi road
ChangSha city,Hunan ,P.R.China 410011
country: CN
phone: +86-731-2260079
fax-no: +86-731-2265549
e-mail: liul@hnpta.net.cn
nic-hdl: YX69-AP
mnt-by: MAINT-CHINANET-HUNAN
changed: liul@hndcb.hnpta.net.cn 20010523
source: APNIC
inetnum: 61.233.40.0 - 61.233.40.255
netname: CRHbYqS
country: CN
descr: China Railcom Hebei Yangquan Subbranch
descr: Telecommunication Company
descr: Yangquan City,Shanxi Province
admin-c: LQ112-AP
tech-c: LM273-AP
status: ASSIGNED NON-PORTABLE
changed: wangpei@crc.net.cn 20030731
mnt-by: MAINT-CN-CRTC
source: APNIC
person: LV QIANG
nic-hdl: LQ112-AP
e-mail: crnet_mgr@chinatietong.com
address: 22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone: +86-10-51892106
fax-no: +86-10-51890674
country: CN
changed: ipas@cnnic.net.cn 20050823
mnt-by: MAINT-CNNIC-AP
source: APNIC
person: liu min
nic-hdl: LM273-AP
e-mail: crnet_tec@chinatietong.com
address: 22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone: +86-10-51848796
fax-no: +86-10-51842426
country: CN
changed: ipas@cnnic.net.cn 20041208
mnt-by: MAINT-CNNIC-AP
source: APNIC
inetnum: 61.232.0.0 - 61.237.255.255
netname: CRTC
country: CN
descr: CHINA RAILWAY TELECOMMUNICATIONS CENTER
admin-c: LQ112-AP
tech-c: LM273-AP
status: ALLOCATED PORTABLE
changed: ipas@cnnic.net.cn 20030121
mnt-by: MAINT-CNNIC-AP
source: APNIC
person: LV QIANG
nic-hdl: LQ112-AP
e-mail: crnet_mgr@chinatietong.com
address: 22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone: +86-10-51892106
fax-no: +86-10-51890674
country: CN
changed: ipas@cnnic.net.cn 20050823
mnt-by: MAINT-CNNIC-AP
source: APNIC
person: liu min
nic-hdl: LM273-AP
e-mail: crnet_tec@chinatietong.com
address: 22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone: +86-10-51848796
fax-no: +86-10-51842426
country: CN
changed: ipas@cnnic.net.cn 20041208
mnt-by: MAINT-CNNIC-AP
source: APNIC

Michal Jaegermann
Guest

Guest

Renegade
Guest
Posted: Wed Oct 19, 2005 12:58 am
Post subject: Re: Port scans. What are these?

On Tue, 18 Oct 2005 10:01:48 -0700, kmtanner wrote:
> Hi people. I get constant & regular port scans from these IP
> addresses:
> 61.137.117.208
> 61.233.40.205
> 61.237.29.102
> 61.237.3.70
> 61.235.144.86
> Severity: Minor
> Direction: Incoming
> Protocol: UDP
> ARIN and RIPE whois servers don't give any information about any
> of these addresses. It kinda bugs me because they're constant
> scans. Probably caused by some application I've installed (like
> automatic update check or...)
> Could anyone enlighten me? Thanks in advance.

I don't know if this really helps you or not, but www.apnic.net reports
those IPs as being Chinese-owned.
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 61.232.0.0 - 61.237.255.255
netname: CRTC
country: CN
descr: CHINA RAILWAY TELECOMMUNICATIONS CENTER
admin-c: LQ112-AP
tech-c: LM273-AP
status: ALLOCATED PORTABLE
changed: ipas@cnnic.net.cn 20030121
mnt-by: MAINT-CNNIC-AP
source: APNIC
person: LV QIANG
nic-hdl: LQ112-AP
e-mail: crnet_mgr@chinatietong.com
address: 22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone: +86-10-51892106
fax-no: +86-10-51890674
country: CN
changed: ipas@cnnic.net.cn 20050823
mnt-by: MAINT-CNNIC-AP
source: APNIC
person: liu min
nic-hdl: LM273-AP
e-mail: crnet_tec@chinatietong.com
address: 22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone: +86-10-51848796
fax-no: +86-10-51842426
country: CN
changed: ipas@cnnic.net.cn 20041208
mnt-by: MAINT-CNNIC-AP
source: APNIC

Guest
Posted: Wed Oct 19, 2005 2:57 am
Post subject: Re: Port scans. What are these?

Thanks a lot guys. I have absolutely no idea why I'm getting these
scans from China. I have no business associates there, nor any other
transactions. Perhaps the Chinese want to get my business and make
me unemployed too. ;-)
Thanks for the APNIC site link. RIPE and ARIN don't seem to work very
well for me.

Leythos
Guest
Posted: Wed Oct 19, 2005 7:31 am
Post subject: Re: Port scans. What are these?

In article <1129672664.244934.47600@g14g2000cwa.googlegroups.com>,
kmtanner@cyberspace.org says...
> Thanks a lot guys. I have absolutely no idea why I'm getting these
> scans from China. I have no business associates there, nor any other
> transactions. Perhaps the Chinese want to get my business and make
> me unemployed too. ;-)
> Thanks for the APNIC site link. RIPE and ARIN don't seem to work very
> well for me.

I block BUNCHES of subnets outside the USA and China is one of the
largest that I block - we've cut spam and probes by 80% just blocking
foreign countries where we have no contacts.
--
spam999free@rrohio.com
remove 999 in order to email me

Moe Trin
Guest
Posted: Thu Oct 20, 2005 12:50 am
Post subject: Re: Port scans. What are these?

In the Usenet newsgroup comp.security.firewalls, in article
<1129672664.244934.47600@g14g2000cwa.googlegroups.com>,
kmtanner@cyberspace.org wrote:
> I have absolutely no idea why I'm getting these scans from China. I
> have no business associates there, nor any other transactions.

China provides low cost hosting service to anyone with clean cash.
[compton ~]$ grep -c CN IP.ADDR/stats/[ALR]* | column
IP.ADDR/stats/AFRINIC:0 IP.ADDR/stats/LACNIC:0
IP.ADDR/stats/APNIC:899 IP.ADDR/stats/RIPE:0
IP.ADDR/stats/ARIN:0
[compton ~]$ grep CN IP.ADDR/stats/APNIC | cut -d' ' -f2 | cut -d'.' -f1 | sort -n | uniq -c | column
39 58 1 134 1 167 72 203 13 220
28 59 1 159 1 168 70 210 58 221
30 60 1 161 4 192 35 211 63 222
71 61 1 162 1 198 46 218
20 125 1 166 315 202 27 219
[compton ~]$ grep CN IP.ADDR/stats/APNIC | grep ' 134\.'
CN 134.196.0.0 255.255.0.0 allocated
[compton ~]$
Briefly, China has 899 network assignments, all from APNIC. IP addresses
are not assigned in a "convenient" manner, but are scattered in 23 ranges
from 58.14.0.0/15 to 222.249.192.0/19. For example, in the 202.0.0.0/8
range, there are 3506 assignments located in
[compton ~]$ grep -h ' 202\.' IP.ADDR/stats/[ALR]* | cut -d' ' -f1 | sort -u | column
AF BN GU JP LK MV NZ PW TV WS
AP BT HK KH MN MY PF SB TW
AS CK ID KI MO NC PG SG US
AU CN IN KR MP NP PH TH VN
BD FJ IO LA MU NU PK TO VU
[compton ~]$
Note also that these country codes (from ISO3166) are where the assignment
is _registered_ and may not reflect where the actual computer is located.
> Thanks for the APNIC site link. RIPE and ARIN don't seem to work very
> well for me.

As noted above, there are five "Regional Internet Registries". AFRINIC
covers Africa and some islands in the Indian Ocean. APNIC covers
Southern Asia, from Afghanistan to Japan, and areas in the Pacific as
far east as Pitcairn Island. ARIN covers North America, some islands
in the Atlantic and Caribbean, and legacy assignments around the world.
LACNIC covers Central and South America, and some islands in the Atlantic
and Caribbean. RIPE covers Europe, Northern Asia, some areas in Africa
that haven't been transferred to AFRINIC yet, and some islands in the
Atlantic. See http://www.iana.org/assignments/ipv4-address-space.
Old guy

Chris Kronberg
Guest
Posted: Sat Oct 22, 2005 4:21 pm
Post subject: Re: Port scans. What are these?

On 2005-10-18, kmtanner@cyberspace.org <kmtanner@cyberspace.org> wrote:
> Thanks a lot guys. I have absolutely no idea why I'm getting these
> scans from China. I have no business

Because there are tons of cracked hosts in China being abused for
scans, spam and so on. You just happen to be in the range of a
scanning script kiddie. It's nothing personal.
> associates there, nor any other transactions. Perhaps the Chinese want to
> get my business and make me unemployed too. ;-)
> Thanks for the APNIC site link. RIPE and ARIN don't seem to work very
> well for me.

Of course not. RIPE is responsible for the European Network, ARIN
for the (North) American part. Both have nothing to do with Asia.
Cheers,
Chris.

Moe Trin
Guest
Posted: Sun Oct 23, 2005 12:47 am
Post subject: Re: Port scans. What are these?

In the Usenet newsgroup comp.security.firewalls, in article
<3rutkbFllp8hU1@individual.net>, Chris Kronberg wrote:
> kmtanner@cyberspace.org wrote:
> > I have absolutely no idea why I'm getting these scans from China.
> Because there are tons of cracked hosts in China being abused for
> scans, spam and so on.

There are also quite a number of "ISP's" run by entrepreneurs out to
make a fast buck by selling IP space to all takers without question. As
long as they don't piss off the Army (CHINANET - the major provider in
China) or the government, you'll get all kinds of crap out of Chinese
IP space.
> You just happen to be in the range of a scanning script kiddie. It's
> nothing personal.

Very true.
> Of course not. RIPE is responsible for the European Network, ARIN
> for the (North) American part. Both have nothing to do with Asia.

While most registrations have been transferred to the appropriate
region, there are still a number of non-local ones in ARIN:
[compton ~]$ cut -d' ' -f1 < IP.ADDR/stats/ARIN | sort -u | column
AG BB CH FI HU JP LC PL US
AI BE CZ FR IE KN LU PR VI
AR BM DE GB IL KR MX SE
AT BS DO GD IT KY NL SG
AU CA ES HK JM LB NO TR
[compton ~]$ grep -c DE ARIN.gz
24
[compton ~]$
and RIPE has quite a few outside of Europe.
[compton ~]$ cut -d' ' -f1 < IP.ADDR/stats/RIPE | sort -u | column
AD BH EE GL IT LU NO SE UA
AE BY EG GR JO LV OM SI UG
AL CH ES HR KE MA PL SK UK
AM CS EU HU KG MC PS SL UZ
AT CY FI IE KW MD PT SM VA
AZ CZ FO IL KZ MK QA SY YE
BA DE FR IQ LB MT RO TJ YU
BE DK GE IR LI NG RU TM
BG DZ GI IS LT NL SA TR
[compton ~]$
But then, APNIC has a few "out of area" registrations too.
[compton ~]$ cut -d' ' -f1 < IP.ADDR/stats/APNIC | sort -u | column
AF BT GU KH MN NC PF SG VN
AP CH HK KI MO NF PG TH VU
AS CK ID KR MP NP PH TO WS
AU CN IN LA MU NR PK TV
BD FJ IO LK MV NU PW TW
BN GB JP MM MY NZ SB US
[compton ~]$
(Source is RIR zone files dated 15 Oct, 2005)
Old guy

Chris Kronberg
Guest
Posted: Sun Oct 23, 2005 8:21 am
Post subject: Re: Port scans. What are these?

On 2005-10-22, Moe Trin <ibuprofin@painkiller.example.tld> wrote:
> In the Usenet newsgroup comp.security.firewalls, in article
> <3rutkbFllp8hU1@individual.net>, Chris Kronberg wrote:
> > Of course not. RIPE is responsible for the European Network, ARIN
> > for the (North) American part. Both have nothing to do with Asia.
> While most registrations have been transferred to the appropriate
> region, there are still a number of non-local ones in ARIN:
> [compton ~]$ cut -d' ' -f1 < IP.ADDR/stats/ARIN | sort -u | column
> AG BB CH FI HU JP LC PL US
> AI BE CZ FR IE KN LU PR VI
> AR BM DE GB IL KR MX SE
> AT BS DO GD IT KY NL SG
> AU CA ES HK JM LB NO TR
> [compton ~]$ grep -c DE ARIN.gz
> 24
> [compton ~]$

That's odd, because when querying RIPE I do get DE, FR, GB, BE, IT,
NL and PL. When asking ARIN I'm referred to RIPE. In the meantime
ARIN has configured its whois service in a way that forwards the
question to the appropriate whois server. At least this works for
RIPE and APNIC.
> and RIPE has quite a few outside of Europe.
> [compton ~]$ cut -d' ' -f1 < IP.ADDR/stats/RIPE | sort -u | column
> AD BH EE GL IT LU NO SE UA
> AE BY EG GR JO LV OM SI UG
> AL CH ES HR KE MA PL SK UK
> AM CS EU HU KG MC PS SL UZ
> AT CY FI IE KW MD PT SM VA
> AZ CZ FO IL KZ MK QA SY YE
> BA DE FR IQ LB MT RO TJ YU
> BE DK GE IR LI NG RU TM
> BG DZ GI IS LT NL SA TR
> [compton ~]$

The few that don't belong to Europe belong to Africa. These
domains, i.e. IP ranges, are currently being transferred to AFRINIC.
I don't have the feeling that this makes anything easier. From
time to time I come across IPs not belonging to anyone: ARIN says
go-to-AFRINIC, AFRINIC says not-ours. *argl*
Cheers,
Chris.

Moe Trin
Guest
Posted: Mon Oct 24, 2005 12:37 am
Post subject: Re: Port scans. What are these?

In the Usenet newsgroup comp.security.firewalls, in article
<3s0te8FkppqmU1@individual.net>, Chris Kronberg wrote:
> That's odd, because when querying RIPE I do get DE, FR, GB, BE, IT,
> NL and PL. When asking ARIN I'm referred to RIPE.

[compton ~]$ grep -c DE RIPE
1616
[compton ~]$ grep DE ARIN | cut -d' ' -f3 | sort | uniq -c | column
1 1280 1 255.255.248.0 2 768
1 255.0.0.0 4 255.255.254.0
1 255.254.0.0 14 255.255.255.0
[compton ~]$
(1280 is 5 x 256, while 768 is 3 x 256 - the wonders of CIDR.)
Those 24 blocks in Germany at ARIN are probably early registrations that
haven't been transferred to RIPE yet. The same is mostly true with the
others - but note that ARIN (24) and APNIC (1) use GB and have no UK,
while RIPE uses UK (1720) and has no GB.
> In the meantime ARIN has configured its whois service in a way that
> forwards the question to the appropriate whois server. At least
> this works for RIPE and APNIC.

Haven't noticed that.
> The few that don't belong to Europe belong to Africa. These
> domains, i.e. IP ranges, are currently being transferred to AFRINIC.
> I don't have the feeling that this makes anything easier.

Originally, there was only ARIN - RIPE and APNIC were formed later, LACNIC
later still, and AFRINIC only in April of this year. I do see a lot of the
"out of region" registrations being transferred from one RIR to another, but
there still are some that may be appropriate in a non-local one. For example,
there are five US registrations in APNIC - one is a satellite service for
ships (presumably in the Pacific), two are overseas services of US companies
(Akamai and eBay), one is a US division of an Asian company, and one is a
US Military facility in the Pacific (no idea why it's not ARIN).
> From time to time I come across IPs not belonging to anyone: ARIN says
> go-to-AFRINIC, AFRINIC says not-ours. *argl*

Oh yeah, I see that one with some frequency. Often, this is a mixup
between the whois database and the allocation blocks. Drives me nuts too.
If it's important, each of the RIRs has contact data that can let you
reach a person - may not be very smart, but might have an explanation,
or be able to initiate a fix. It worked when AFRINIC was announcing that
10.0.1.144 belonged to .na for a couple of weeks.
Old guy
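The RIR delegation data Moe Trin is grepping through in this post and in his two earlier ones (the per-registry country counts, the "out of region" lists, the reminder that a country code says where a block is registered rather than where the host is) can be handled with a short parser instead of a stack of shell pipelines. The following is an added example, not code from anyone in the thread: it reads the delegated-stats format the five RIRs publish (one block per line, registry|cc|type|start|value|date|status; the assumption here is that the IP.ADDR/stats files in the posts above were derived from files such as delegated-apnic-latest), finds the block covering an address, counts a country code's blocks per registry (the grep -c CN), and lists registrations whose country code falls outside a caller-supplied home region (the out-of-area lists). The sample lines are constructed for this example: the CN entries mirror the APNIC whois blocks quoted earlier in the thread, the rest sit on documentation prefixes.

```python
"""Parse RIR delegated-stats lines and answer "who is this block registered to?".

Added example; the sample data below is constructed, not real RIR output.
"""
import ipaddress
from bisect import bisect_right
from collections import Counter

# Constructed sample in delegated-stats layout: registry|cc|type|start|value|date|status.
# A version header and a summary line are included so the parser has to skip them.
# The CN ranges match the APNIC whois blocks quoted in the thread; the other
# entries are invented on documentation prefixes (assumption, not RIR data).
SAMPLE_STATS = """\
2|apnic|20051015|3|19830101|20051015|+1000
apnic|*|ipv4|*|3|summary
apnic|CN|ipv4|61.137.0.0|32768|20050825|allocated
apnic|CN|ipv4|61.232.0.0|393216|20030121|allocated
apnic|CN|ipv4|134.196.0.0|65536|20000101|allocated
apnic|US|ipv4|203.0.113.0|256|20040101|assigned
arin|DE|ipv4|192.0.2.0|256|19950101|assigned
ripencc|UK|ipv4|198.51.100.0|256|19990101|assigned
"""


def parse_delegated(text):
    """Return IPv4 records as (start, end, registry, cc, status), sorted by start.

    Comment lines, the version header and per-registry summary lines are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # header/summary lines do not describe an address block
        if len(fields) < 7 or fields[2] != "ipv4" or fields[1] == "*":
            continue
        registry, cc, _type, start, value, _date, status = fields[:7]
        first = int(ipaddress.IPv4Address(start))
        # 'value' is a host count, not a prefix length; blocks need not be CIDR-aligned
        records.append((first, first + int(value) - 1, registry, cc, status))
    records.sort()
    return records


def lookup(records, ip):
    """Find the delegation covering ip; None if no block covers it.

    The cc is the country the block is *registered* under, not where the
    machine talking to you is sitting.
    """
    addr = int(ipaddress.IPv4Address(ip))
    starts = [r[0] for r in records]
    i = bisect_right(starts, addr) - 1
    if i < 0:
        return None
    first, last, registry, cc, status = records[i]
    if addr > last:
        return None
    return {
        "registry": registry,
        "cc": cc,
        "status": status,
        "range": f"{ipaddress.IPv4Address(first)} - {ipaddress.IPv4Address(last)}",
    }


def count_cc_by_registry(records, cc):
    """Blocks held by one country code in each registry (the 'grep -c CN')."""
    return dict(Counter(r[2] for r in records if r[3] == cc))


def out_of_region(records, home):
    """Blocks whose cc is not among the codes expected for their registry.

    `home` maps registry -> set of country codes; the caller supplies it,
    since which codes count as 'local' is a judgement call.
    """
    return [r for r in records if r[3] not in home.get(r[2], set())]


if __name__ == "__main__":
    recs = parse_delegated(SAMPLE_STATS)
    for ip in ("61.137.117.208", "61.233.40.205", "10.0.1.144"):
        print(ip, lookup(recs, ip))
    print(count_cc_by_registry(recs, "CN"))
```

Run against the real delegated files the lookup gives the same answer as the whois excerpts above (APNIC, CN) without a network round trip, and out_of_region() reproduces the GB/UK kind of inconsistency once you feed it a home-region map, since the registries do not agree on which code to use.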

Blake McNeill
Guest
Posted: Mon Nov 21, 2005 4:31 pm
Post subject: Re: Port scans. What are these?

Based on the information you have provided and my experience, I'm guessing
that you are seeing traffic from these IPs on UDP ports 1026/1027/etc, in
which case it would very likely be messenger spam. See
http://www.linklogger.com/UDP1026.htm for more information.
Blake
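Blake's guess can be checked against the firewall log rather than the alert summary. The following is an added example, not code from Blake or the original poster: it parses constructed log lines in an assumed "date time PROTO src:sport -> dst:dport" layout (the poster's firewall and its real log format are not on the page) and, per source address, separates UDP datagrams aimed only at the 1026/1027 neighbourhood, which is what Windows Messenger-service pop-up spam looked like, from a single source walking many UDP ports, which is an actual sweep. The port window (1026-1031) and the sweep threshold are assumptions made for the example.

```python
"""Tell Messenger-service spam from a real UDP sweep in firewall log lines.

Added example; the log lines below are constructed, not from the thread.
"""
import re
from collections import defaultdict

# Constructed log lines. Format "date time PROTO src:sport -> dst:dport" is an
# assumption; the Chinese sources reuse the addresses from the original post,
# the others are documentation addresses.
SAMPLE_LOG = """\
2005-10-18 21:58:10 UDP 61.137.117.208:1030 -> 192.0.2.10:1026
2005-10-18 21:58:10 UDP 61.137.117.208:1030 -> 192.0.2.10:1027
2005-10-18 22:01:03 UDP 61.233.40.205:2049 -> 192.0.2.10:1026
2005-10-18 22:01:03 UDP 61.233.40.205:2049 -> 192.0.2.10:1027
2005-10-18 22:04:41 UDP 61.237.29.102:1234 -> 192.0.2.10:1026
2005-10-18 22:10:00 UDP 198.51.100.7:40001 -> 192.0.2.10:53
2005-10-18 22:10:00 UDP 198.51.100.7:40001 -> 192.0.2.10:111
2005-10-18 22:10:01 UDP 198.51.100.7:40001 -> 192.0.2.10:137
2005-10-18 22:10:01 UDP 198.51.100.7:40001 -> 192.0.2.10:161
2005-10-18 22:10:02 UDP 198.51.100.7:40001 -> 192.0.2.10:500
2005-10-18 22:10:02 UDP 198.51.100.7:40001 -> 192.0.2.10:1026
2005-10-18 22:15:30 TCP 203.0.113.9:55000 -> 192.0.2.10:22
2005-10-18 22:20:00 UDP 203.0.113.44:50000 -> 192.0.2.10:1194
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Messenger-service pop-up spam arrived as UDP datagrams to the RPC endpoint
# ports Windows commonly handed out first, 1026 and 1027 (Blake's "1026/1027/etc.").
# Treating 1026-1031 as the window is an assumption for this example.
MESSENGER_PORTS = set(range(1026, 1032))
# Distinct UDP ports from one source before we call it a sweep (assumed value).
SWEEP_THRESHOLD = 5


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def classify_sources(events):
    """Per source IP, label its UDP traffic as messenger spam, a sweep, or other."""
    ports = defaultdict(set)
    for e in events:
        if e["proto"] == "UDP":
            ports[e["src"]].add(e["dport"])
    verdicts = {}
    for src, dports in ports.items():
        if dports <= MESSENGER_PORTS:
            # only ever touched the Messenger window: pop-up spam, not reconnaissance
            verdicts[src] = "messenger_spam"
        elif len(dports) >= SWEEP_THRESHOLD:
            # one source, many different UDP ports: somebody is actually probing
            verdicts[src] = "udp_sweep"
        else:
            verdicts[src] = "other"
    return verdicts


def summarize(events):
    """Group source addresses by verdict, sorted so the output is stable."""
    v = classify_sources(events)
    return {label: sorted(s for s, k in v.items() if k == label)
            for label in ("messenger_spam", "udp_sweep", "other")}


if __name__ == "__main__":
    for label, sources in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{label:15s} {', '.join(sources) or '-'}")
```

The distinction matters for what you do next: many unrelated sources each sending one or two datagrams to 1026/1027 is background spam that a default-deny inbound UDP rule absorbs, whereas one source enumerating ports is worth looking at in its own right.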