In-Reply-To: <[EMAIL PROTECTED]>

The IP addresses that you listed show up as the following:
Network Information for 66.230.230.115
Neucom, Inc. NEUCOM (NET-66-230-192-0-1)
                                 66.230.192.0 - 66.230.239.255
NetTuner Corporation (Webmasters.com) WEBMASTERS-20031402 (NET-66-230-230-0-1)
                                  66.230.230.0 - 66.230.230.255
# ARIN WHOIS database, last updated 2003-06-29 21:05
# Enter ? for additional hints on searching ARIN's WHOIS database.

Network Information for 192.168.254.156


OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:       Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US
NetRange:   192.168.0.0 - 192.168.255.255
CIDR:       192.168.0.0/16
NetName:    IANA-CBLK1
NetHandle:  NET-192-168-0-0-1
Parent:     NET-192-0-0-0-0
NetType:    IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment:    This block is reserved for special purposes.
Comment:    Please see RFC 1918 for additional information.
Comment:
RegDate:    1994-03-15
Updated:    2002-09-16

OrgTechHandle: IANA-ARIN
OrgTechName:   Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-823-9358
OrgTechEmail:  [EMAIL PROTECTED]
# ARIN WHOIS database, last updated 2003-06-29 21:05
# Enter ? for additional hints on searching ARIN's WHOIS database.

As to the port scan, make sure that all possible services are shut down,
and then run netstat -a at a DOS prompt to see if those same services are
still running.  XP is known to have services running in the middle to
upper end for ports.

Hope this information helps you.

Rich




>
>I've been getting port scans from the same IP address for 3 days.  It is
>not scanning continuously but will usually scan me every 2 hours for a few
>hours.  When I do a whois on the address it doesn't give much information
>on who to contact about abuse.  I'm thinking that the computer scanning me
>has been compromised and is looking for other computers to infect.  The
>source port is random but the local port is not.  It scans to see if ports
>1075, 3128, 4588, 6588, and 8080 are open.  I ran Retina against the
>machine and it's running a default install of Apache without much anything
>configured.  The Sequence # of the packets is always 666666 and all have
>the SYN flag set.  Does anybody know of any worms or Trojans that scan for
>these ports and have these features?  Also, if whois doesn't give much
>information how can I find out who to contact about this?  I've attached
>some of the packets that I've captured, along with the whois
>information.  Any help is appreciated.
>
>TIA
>
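
Added example, not part of either poster's message: a small Python summarizer that groups captured SYN packets by source and flags the pattern described in the thread (bare SYNs to ports 1075, 3128, 4588, 6588 and 8080, random source ports, one repeated sequence number). The packet records are constructed, and the tuple layout, the `min_ports` threshold and the second source address are assumptions.

```python
import ipaddress
from collections import defaultdict

WATCH_PORTS = {1075, 3128, 4588, 6588, 8080}  # destination ports listed in the post

# Constructed sample records: (src, src_port, dst, dst_port, tcp_flags, seq)
SAMPLE = [
    ("66.230.230.115", 40112, "192.168.254.156", 1075, "S", 666666),
    ("66.230.230.115", 51877, "192.168.254.156", 3128, "S", 666666),
    ("66.230.230.115", 33450, "192.168.254.156", 4588, "S", 666666),
    ("66.230.230.115", 47209, "192.168.254.156", 6588, "S", 666666),
    ("66.230.230.115", 60021, "192.168.254.156", 8080, "S", 666666),
    ("192.168.254.20", 1044, "192.168.254.156", 80, "S", 305419896),
    ("192.168.254.20", 1045, "192.168.254.156", 80, "S", 2271560481),
]

def summarize(records, min_ports=3):
    """Group bare-SYN packets by source and flag the pattern from the post."""
    by_src = defaultdict(lambda: {"ports": set(), "seqs": set(), "sports": set()})
    for src, sport, _dst, dport, flags, seq in records:
        if flags != "S":  # keep only packets with SYN and no other flag
            continue
        entry = by_src[src]
        entry["ports"].add(dport)
        entry["seqs"].add(seq)
        entry["sports"].add(sport)
    report = {}
    for src, e in by_src.items():
        hits = e["ports"] & WATCH_PORTS
        one_seq = len(e["seqs"]) == 1
        report[src] = {
            "watched_ports": sorted(hits),
            # A normal TCP stack picks a new initial sequence number per
            # connection; one value across many source ports suggests a tool.
            "fixed_seq": one_seq and len(e["sports"]) > 1,
            # True for RFC 1918 space (and other non-global ranges), where a
            # whois lookup only returns the IANA reservation record.
            "private": ipaddress.ip_address(src).is_private,
            "suspect": len(hits) >= min_ports and one_seq,
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```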
