Re: Port Scan and different IP addresses
From: patricksoltani (patricksoltani_at_sbcglobal.net)
Date: Mon, 14 Jun 2004 02:32:12 GMT
Aldo Larrabiata wrote:
> Three days ago, my computer got scanned during half an hour. ZA did
> perfectly its job.
> The day after, it got again. I switched the modem off in order to obtain
> another IP address and it stopped being scanned (of course !).
> I made a Traceroute and a Whois on the IP address. Both pointed to
> Discussing about the question with another client of my network, I
> discovered that, both at the same time, he connected to handango.
> With the new IP address I got, I connected in turn my computer on their
> site, 15 mn later or so, I got scanned again. The answer is obvious and I
> sent an abuse with the results of my scans.
> But, I was a bit bothered by something vague I wasn't able to clarify. I
> typed the IP address "http://126.96.36.199" in IE, instead of the usual URL.
> I landed on another site: "EqualizerTM Traffic Management Appliance" without
> any relation with handango.
> Now I'm puzzled because of this difference I can't understand.
> Obviously I was scanned by someone at Handango but their IP address is the
> same as another one Whois.com don't point to.
> Can somebody explain ?
There is a feature in "nmap" which allows you to specify "decoy" ip
addresses when you scan a computer or a range of computers (networks).
The other possibility is that the scan is conducted from a zombie ip
address, looking into whois database and routing information should
determine if that ip belongs to a company or DSL/ISP, etc. You need to
match that with DNS to get a good handle.
scanning is not a terribly bad thing, Mostly it happens due to script
kiddies learn that they can run a shell script and droll over the info
scrolling up their screens, mostly clueless tho.
If your systems are secured properly, you need not worry ;-).