Re: Port Scan and different IP addresses

From: patricksoltani (patricksoltani_at_sbcglobal.net)
Date: 06/14/04


Date: Mon, 14 Jun 2004 02:32:12 GMT

Aldo Larrabiata wrote:
> Hello,
>
> Three days ago, my computer got scanned for half an hour. ZA did
> its job perfectly.
> The day after, it got scanned again. I switched the modem off in order to obtain
> another IP address and it stopped being scanned (of course!).
>
> I made a Traceroute and a Whois on the IP address. Both pointed to
> www.handango.com.
> Discussing the question with another client of my network, I
> discovered that we had both connected to handango at the same time.
>
> With the new IP address I got, I in turn connected my computer to their
> site; 15 min later or so, I got scanned again. The answer is obvious and I
> sent an abuse with the results of my scans.
>
> But, I was a bit bothered by something vague I wasn't able to clarify. I
> typed the IP address "http://64.143.96.133" in IE, instead of the usual URL.
> I landed on another site: "EqualizerTM Traffic Management Appliance" without
> any relation with handango.
>
> Now I'm puzzled because of this difference I can't understand.
> Obviously I was scanned by someone at Handango but their IP address is the
> same as another one Whois.com doesn't point to.
>
> Can somebody explain?
> Regards
>
>
There is a feature in "nmap" which allows you to specify "decoy" IP
addresses when you scan a computer or a range of computers (networks).

The other possibility is that the scan is conducted from a zombie IP
address; looking into the whois database and routing information should
determine if that IP belongs to a company or DSL/ISP, etc. You need to
match that with DNS to get a good handle.

Scanning is not a terribly bad thing. Mostly it happens because script
kiddies learn that they can run a shell script and drool over the info
scrolling up their screens, mostly clueless tho.
If your systems are secured properly, you need not worry ;-).

Regards,
Patrick Soltani.
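
A decoy scan sends each probe from several spoofed addresses as well as the real one, so a firewall log shows a group of sources hitting the same ports in lockstep. The following is an added example, not part of the original post, that flags such groups so a defender knows the logged addresses cannot be trusted for attribution; the log format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log; the "TIME SRC -> DST:PORT BLOCKED" format is an assumption.
SAMPLE_LOG = """\
2004-06-11T20:01:00 198.51.100.7 -> 192.0.2.10:21 BLOCKED
2004-06-11T20:01:00 203.0.113.20 -> 192.0.2.10:21 BLOCKED
2004-06-11T20:01:01 203.0.113.99 -> 192.0.2.10:21 BLOCKED
2004-06-11T20:01:02 203.0.113.20 -> 192.0.2.10:23 BLOCKED
2004-06-11T20:01:02 198.51.100.7 -> 192.0.2.10:23 BLOCKED
2004-06-11T20:01:02 203.0.113.99 -> 192.0.2.10:23 BLOCKED
2004-06-11T20:01:04 203.0.113.99 -> 192.0.2.10:80 BLOCKED
2004-06-11T20:01:04 198.51.100.7 -> 192.0.2.10:80 BLOCKED
2004-06-11T20:01:05 203.0.113.20 -> 192.0.2.10:80 BLOCKED
2004-06-11T20:07:10 198.51.100.200 -> 192.0.2.10:135 BLOCKED
2004-06-11T20:09:40 198.51.100.200 -> 192.0.2.10:139 BLOCKED
2004-06-11T20:12:15 198.51.100.200 -> 192.0.2.10:445 BLOCKED
"""

def parse(log):
    # Build {source_ip: {port: first_seen}} from blocked inbound probes.
    seen = defaultdict(dict)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->" or parts[4] != "BLOCKED":
            continue  # skip lines that do not match the assumed format
        port = int(parts[3].rsplit(":", 1)[1])
        seen[parts[1]].setdefault(port, datetime.fromisoformat(parts[0]))
    return seen

def mirrored(a, b, window):
    # True if both sources probed the same ports, each within `window` seconds.
    return a.keys() == b.keys() and all(
        abs((a[p] - b[p]).total_seconds()) <= window for p in a)

def find_mirrored_scanners(seen, min_ports=3, window=2.0):
    groups = []
    for src in sorted(seen):
        if len(seen[src]) < min_ports:
            continue  # too few ports to call it a scan
        for g in groups:
            if mirrored(seen[g[0]], seen[src], window):
                g.append(src)
                break
        else:
            groups.append([src])
    return [g for g in groups if len(g) > 1]  # lone scanners are not decoy sets

if __name__ == "__main__":
    print(find_mirrored_scanners(parse(SAMPLE_LOG)))
```

A group in the result means at most one of those addresses is the real scanner; a source that scans alone, like the last one in the sample, is not reported here and is checked against whois and DNS as usual.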


