Re: Port Scan and different IP addresses

From: patricksoltani (patricksoltani_at_sbcglobal.net)
Date: 06/14/04


Date: Mon, 14 Jun 2004 02:32:12 GMT

Aldo Larrabiata wrote:
> Hello,
>
> Three days ago, my computer got scanned for half an hour. ZA did
> its job perfectly.
> The day after, it got scanned again. I switched the modem off in order to obtain
> another IP address and it stopped being scanned (of course!).
>
> I made a Traceroute and a Whois on the IP address. Both pointed to
> www.handango.com.
> Discussing the question with another client of my network, I
> discovered that, at the same time, he had connected to handango.
>
> With the new IP address I got, I connected my computer in turn to their
> site; 15 min later or so, I got scanned again. The answer is obvious and I
> sent an abuse report with the results of my scans.
>
> But I was a bit bothered by something vague I wasn't able to clarify. I
> typed the IP address "http://64.143.96.133" in IE, instead of the usual URL.
> I landed on another site, "EqualizerTM Traffic Management Appliance", without
> any relation to handango.
>
> Now I'm puzzled by this difference I can't understand.
> Obviously I was scanned by someone at Handango, but their IP address is the
> same as another one that Whois.com doesn't point to.
>
> Can somebody explain?
> Regards
>
>
There is a feature in "nmap" which allows you to specify "decoy" IP
addresses when you scan a computer or a range of computers (networks).

The other possibility is that the scan is conducted from a zombie IP
address. Looking into the whois database and routing information should
determine whether that IP belongs to a company or a DSL/ISP, etc. You need to
match that with DNS to get a good handle.

Scanning is not a terribly bad thing. Mostly it happens because script
kiddies learn that they can run a shell script and drool over the info
scrolling up their screens; mostly clueless, though.
If your systems are secured properly, you need not worry ;-).

Regards,
Patrick Soltani.
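As an added example (not part of the thread, and not from either poster), here is a small Python check for the decoy pattern Patrick describes: a decoy scan puts identical probes on the wire from several spoofed sources, so the real scanner and its decoys hit the same ports in the same time windows and can be clustered together in firewall logs, instead of being reported one by one to an abuse desk. The log format, addresses and timestamps below are constructed for the example.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed firewall log lines (not from the original post); addresses are
# documentation ranges. Three sources hit ports 21 and 22 in lockstep.
SAMPLE_LOG = """\
2004-06-11 21:00:01 BLOCK 198.51.100.7:40011 -> 192.168.1.5:21
2004-06-11 21:00:01 BLOCK 203.0.113.22:40011 -> 192.168.1.5:21
2004-06-11 21:00:01 BLOCK 192.0.2.99:40011 -> 192.168.1.5:21
2004-06-11 21:00:02 BLOCK 198.51.100.7:40012 -> 192.168.1.5:22
2004-06-11 21:00:02 BLOCK 203.0.113.22:40012 -> 192.168.1.5:22
2004-06-11 21:00:02 BLOCK 192.0.2.99:40012 -> 192.168.1.5:22
2004-06-11 21:30:00 BLOCK 203.0.113.9:5555 -> 192.168.1.5:135
"""
LINE_RE = re.compile(r"^\S+ (\d\d):(\d\d):(\d\d) BLOCK (\S+):\d+ -> \S+:(\d+)$")

def parse_events(log_text):
    """Yield (seconds_since_midnight, src_ip, dst_port) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than guessed at
            h, mi, s, src, port = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s), src, int(port)

def lockstep_groups(log_text, window=5, min_shared=2):
    """Group sources that sent identical probes (same port, same window):
    decoy scans put the real scanner and its spoofed decoys in one group."""
    probes = defaultdict(set)  # (window bucket, dst_port) -> sources seen
    for t, src, port in parse_events(log_text):
        probes[(t // window, port)].add(src)
    shared = defaultdict(int)  # (src_a, src_b) -> identical probes in common
    for srcs in probes.values():
        for a, b in combinations(sorted(srcs), 2):
            shared[(a, b)] += 1
    parent = {}  # union-find over sources linked by >= min_shared probes
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for (a, b), n in shared.items():
        if n >= min_shared:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for src in {s for srcs in probes.values() for s in srcs}:
        groups[find(src)].append(src)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```

The lone 203.0.113.9 probe stays ungrouped, while the three lockstep sources come out as one cluster; which of them is the real scanner cannot be told from the log alone, which is why the whois and DNS cross-check in the reply still matters.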