Considering he is a Mediaone (AT&T) customer - that's probably not the best solution for him. I did a little digging and here is what I can tell you...
IIRC anything at mediaone.com was corporate. Anything at mediaone.net was customer.

The scans you see for 27020 and 27021 are probably someone on your segment trying to find a Counter-Strike game in LAN mode. Thus the broadcast.

For the other... this may be a likely candidate:

http://www.google.com/search?q=cache:IHNzl6hLAXw:forum.4drulers.com/showthread.php%3Fthreadid%3D634+%22port+10061%22&hl=en

Also looking for a LAN based game would be my guess.

I'd rank this very benign.

> -----Original Message-----
> From: Jay D. Dyson [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, December 09, 2001 6:04 PM
> To: Security-Basics List
> Subject: Re: Mediaone/AT&T broadband port scans
>
> On Fri, 7 Dec 2001, Kevin Lisciotti wrote:
>
> > Since I can't get anywhere with the AT&T broadband abuse and legal
> > department, I figured I'd run this by the group. For the past 3-4 months I
> > have been repeatedly port scanned by the following 2 IP addresses
> > 66.30.136.77 and 66.30.136.236 at least 10-20 times a day.
>
> My stance is a little more unforgiving than others are willing to
> follow, but when I get a series of repeat scans from a specific IP range
> and the provider doesn't do jack about it within a week's time, I
> blackhole that IP range using either IPchains or IPFilter. Everything
> coming from them gets dropped in the bitbucket.
>
> I'd suggest you do as much with these monkeys. Their provider
> isn't doing jack, and you've given them ample time to address the issue.
> Even if it is the "legitimate" security crew, their conduct and the
> general cluelessness of AT&T is inexcusable.
>
> -Jay
>
>   (    (                                                         _______
>   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
> C|~~|C|~~| (>----- Jay D. Dyson -- [EMAIL PROTECTED] -----<)    |    = |-'
>  `--' `--'  `---------- Si vis pacem, para bellum. ----------'   `------'
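
The triage reasoning in the reply above (a few fixed ports sent only to a broadcast address look like LAN game discovery, not a targeted scan), as an added example that is not part of the original thread. The log format, the `192.0.2.0/24` local segment, the port threshold and all addresses in the sample are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log lines: "<src> -> <dst>:<port>"
SAMPLE_LOG = """\
192.0.2.77 -> 255.255.255.255:27020
192.0.2.77 -> 255.255.255.255:27021
192.0.2.77 -> 255.255.255.255:27020
192.0.2.236 -> 192.0.2.255:10061
198.51.100.9 -> 192.0.2.10:21
198.51.100.9 -> 192.0.2.10:22
198.51.100.9 -> 192.0.2.10:23
198.51.100.9 -> 192.0.2.10:80
"""

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local segment
MAX_DISCOVERY_PORTS = 3  # assumed: discovery traffic reuses a few fixed ports
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_broadcast(dst):
    """True for the limited broadcast or the local segment's broadcast address."""
    addr = ipaddress.ip_address(dst)
    return addr == LIMITED_BROADCAST or addr == LOCAL_NET.broadcast_address


def triage(log_text):
    """Group hits by source and label each source by destination type and port spread."""
    seen = defaultdict(lambda: {"ports": set(), "unicast": False})
    for line in log_text.splitlines():
        if "->" not in line:
            continue  # skip blank or malformed lines
        src, target = (part.strip() for part in line.split("->"))
        dst, port = target.rsplit(":", 1)
        entry = seen[src]
        entry["ports"].add(int(port))
        if not is_broadcast(dst):
            entry["unicast"] = True  # traffic aimed at a specific host
    verdicts = {}
    for src, entry in seen.items():
        if not entry["unicast"] and len(entry["ports"]) <= MAX_DISCOVERY_PORTS:
            verdicts[src] = "broadcast discovery (likely benign)"
        else:
            verdicts[src] = "directed probe (review)"
    return verdicts


if __name__ == "__main__":
    for source, verdict in triage(SAMPLE_LOG).items():
        print(source, verdict)
```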