ADSL USER DOING PORT PROBES...

jgoosen

Time, Event, Intruder, Count
08/18/2003 08:59:48 PM, UDP port probe, rrba-bras-196-122.telkom-ipnet.co.za, 7

IP: 165.165.196.122
Node: TREVOR
Group: LMI
NetBIOS: LMI
MAC: 444553547777
DNS: rrba-bras-196-122.telkom-ipnet.co.za

08/18/2003 08:53:59 PM, MSRPC TCP port probe, BILLH, 1
IP: 165.165.198.189
DNS: rrba-bras-198-189.telkom-ipnet.co.za
Node: BILLH
Group: FOCUS
NetBIOS: BILL HASKINS
MAC: 444553547777


Yes, I wonder...
Anyone got comments on this?
 
"MSRPC TCP port probe" - Perhaps a user who is infected with blaster?

Not sure about the UDP ports though.
 
quote: Originally posted by jgoosen
> Time, Event, Intruder, Count
> 08/18/2003 08:59:48 PM, UDP port probe, rrba-bras-196-122.telkom-ipnet.co.za, 7
>
> IP: 165.165.196.122
> Node: TREVOR
> Group: LMI
> NetBIOS: LMI
> MAC: 444553547777
> DNS: rrba-bras-196-122.telkom-ipnet.co.za

Well, have a list of 25 ADSL users doing TCP probes, all Windows 2000 and XP though... You might be right.

> 08/18/2003 08:53:59 PM, MSRPC TCP port probe, BILLH, 1
> IP: 165.165.198.189
> DNS: rrba-bras-198-189.telkom-ipnet.co.za
> Node: BILLH
> Group: FOCUS
> NetBIOS: BILL HASKINS
> MAC: 444553547777
>
> Yes, I wonder...
> Anyone got comments on this?
 
This is interesting. Checked my logs.
A very unusual number of ICMP scans have been running all day already. Never seen them bunched like that. All from 165.165. addresses, but strangely from different ones. Here's an extract.

FWIN,2003/08/19,21:06:04 +2:00 GMT,165.165.136.205:0,165.165.129.39:0,ICMP (type:8/subtype:0)
FWIN,2003/08/19,21:06:54 +2:00 GMT,165.165.132.223:0,165.165.129.39:0,ICMP (type:8/subtype:0)
FWIN,2003/08/19,21:07:00 +2:00 GMT,165.165.16.122:0,165.165.129.39:0,ICMP (type:8/subtype:0)
FWIN,2003/08/19,21:11:16 +2:00 GMT,165.165.199.12:0,165.165.129.39:0,ICMP (type:8/subtype:0)
FWIN,2003/08/19,21:13:50 +2:00 GMT,165.165.200.147:0,165.165.129.39:0,ICMP (type:8/subtype:0)
FWIN,2003/08/19,21:15:22 +2:00 GMT,165.165.193.66:0,165.165.129.39:0,ICMP (type:8/subtype:0)
FWIN,2003/08/19,21:15:58 +2:00 GMT,165.165.130.190:0,165.165.129.39:0,ICMP (type:8/subtype:0)
FWIN,2003/08/19,21:16:54 +2:00 GMT,165.166.36.171:0,165.165.129.39:0,ICMP (type:8/subtype:0)

Like I see, this has been going on all day already.
If they were all from the same address, I'd shrug it off as some clown trying his luck. But the source addresses are all different. What does that mean?
 
I have not much knowledge about what you are doing here....

But is it possible that Telkom is sending info to and from our modems to make us reach the cap faster?

I would not put it beyond them.
 
Well, it's unusual to get 45 users a day doing port probes... It might be the Blaster worm... But geez, are there so many stupid ADSL users out there? Not on myADSL at least... Or it might be people trying their luck... or even Telkom...???
 
Could be MSBlaster Worm, Nimda, CodeRed etc etc. There are quite a few viruses that scan networks and try to infect unsecured computers. We had Nimda almost totally saturating the bandwidth on a 100 Mb network at a computer gaming competition three years ago - anyone remember Worfaire 2001?
 
quote: Originally posted by bullstein
> I have not much knowledge about what you are doing here....
>
> But is it possible that Telkom is sending info to and from our modems to make us reach the cap faster?
>
> I would not put it beyond them.

We're not doing anything - we're observing others possibly trying to do something to us.

With regards to your remark: I assume you were joking? Telkom may be suspected of many things, but I don't think that's one of them.
 
Well, judging from my logs... for each attempted connection on port 135 I have a related PING CyberKit 2.2. This would explain all your pings as it seems the ADSL network is badly infected by the Blaster worm - getting plenty probes on port 135 (assuming this to be Blaster) and it's getting progressively worse.

Damn, I just wish users would practice better computing habits and secure their PCs!
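
The pairing described in the post above (a ping accompanying each port 135 attempt from the same source) can be checked mechanically against a firewall log. This is an added example, not part of any post in this thread; it assumes the FWIN line format of the extract quoted earlier, and the TCP lines and the 10-second window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# ICMP lines are taken from the extract posted earlier in the thread;
# the TCP port 135 lines are constructed for this example.
SAMPLE_LOG = """\
FWIN,2003/08/19,21:06:04 +2:00 GMT,165.165.136.205:0,165.165.129.39:0,ICMP (type:8/subtype:0)
FWIN,2003/08/19,21:06:05 +2:00 GMT,165.165.136.205:3412,165.165.129.39:135,TCP (flags:S)
FWIN,2003/08/19,21:06:54 +2:00 GMT,165.165.132.223:0,165.165.129.39:0,ICMP (type:8/subtype:0)
FWIN,2003/08/19,21:06:56 +2:00 GMT,165.165.132.223:1187,165.165.129.39:135,TCP (flags:S)
FWIN,2003/08/19,21:07:00 +2:00 GMT,165.165.16.122:0,165.165.129.39:0,ICMP (type:8/subtype:0)
FWIN,2003/08/19,21:11:16 +2:00 GMT,165.165.199.12:0,165.165.129.39:0,ICMP (type:8/subtype:0)
FWIN,2003/08/19,21:11:17 +2:00 GMT,165.165.199.12:2210,165.165.129.39:135,TCP (flags:S)
"""

def parse(log):
    """Turn inbound (FWIN) firewall lines into event dicts."""
    events = []
    for line in log.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6 or parts[0] != "FWIN":
            continue  # skip malformed or non-inbound entries
        stamp = parts[1] + " " + parts[2].split()[0]  # drop the "+2:00 GMT" suffix
        src_ip = parts[3].rsplit(":", 1)[0]
        dst_port = int(parts[4].rsplit(":", 1)[1])
        events.append({"time": datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S"),
                       "src": src_ip, "dport": dst_port, "proto": parts[5]})
    return events

def ping_then_135(events, window=timedelta(seconds=10)):
    """Sources whose echo request was followed by a TCP/135 attempt within `window`."""
    last_ping, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["proto"].startswith("ICMP (type:8/"):
            last_ping[ev["src"]] = ev["time"]
        elif ev["proto"].startswith("TCP") and ev["dport"] == 135:
            pinged = last_ping.get(ev["src"])
            if pinged is not None and ev["time"] - pinged <= window:
                hits.append(ev["src"])
    return hits

def distinct_sources_by_prefix(events):
    """Count distinct source addresses per first two octets (e.g. 165.165)."""
    seen = defaultdict(set)
    for ev in events:
        seen[".".join(ev["src"].split(".")[:2])].add(ev["src"])
    return {prefix: len(addrs) for prefix, addrs in seen.items()}

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(distinct_sources_by_prefix(evs))
    print(ping_then_135(evs))
```

Many distinct sources inside one provider prefix, each pairing a ping with a port 135 attempt, is what separates automated scanning by many hosts from a single person probing.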
 
Yes, well, it's either a virus... or people trying to steal bandwidth etc. But it's scary how many there are of the... It's 12:44 PM now, been connected 3 hours. Dah, 49 hits of port probes etc. from ADSL users... just does not seem normal.
 
My apologies to paf and Telkom.

I did not consider the fact that they might not have technicians qualified enough to do that anyway (lol).

Yeah, I actually was just kidding. These people are mostly other ADSL users trying to steal line, I think.
 