Port scans from 220.233.2.208

Malware detection, cleaning and prevention
Mort
Posts: 391
Joined: Sun Jan 23, 2005 3:04 pm
Location: Sydney

Port scans from 220.233.2.208

Post by Mort » Mon May 19, 2014 1:07 pm

I'm seeing a lot of bad connection attempts coming from 220.233.2.208. Looking at the ports, it would appear a full port scan is happening.

Is this an Exetel customer IP or some internal Exetel system? It just resolves as a "static" address, so I suspect a customer machine.
As we know, there are known knowns. There are things we know we know. We also know there are known unknowns. That is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know.

KavindaS
Forum Admin
Posts: 2268
Joined: Wed Dec 23, 2009 3:59 pm
Location: Sydney

Re: Port scans from 220.233.2.208

Post by KavindaS » Mon May 19, 2014 2:46 pm

Mort wrote:
I'm seeing a lot of bad connection attempts coming from 220.233.2.208. Looking at the ports, it would appear a full port scan is happening.

Is this an Exetel customer IP or some internal Exetel system? It just resolves as a "static" address, so I suspect a customer machine.

Yes, the IP belongs to one of our servers. However, it isn't involved in any port scanning.

It seems someone has masked the IP (220.233.2.208).

Dazzled
Volunteer Site Admin
Posts: 6002
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Port scans from 220.233.2.208

Post by Dazzled » Mon May 19, 2014 4:56 pm

Spoofing the sender's IP when port scanning is trivial using some of the Linux networking tools. Since it is repeated, the sender is probably checking the returned packet from the router for a particular distinctive behaviour of Windows. If he hasn't spoofed some other fields, we might be able to see what tool/OS he is using. If he is running a skilled idle scan, you won't find him.

Almost all of the probes I get every few minutes all day and night are trying to find an active Windows box behind the router, so that some further probe or attack can follow. The rest seem to be looking for a poorly secured remote login, then move on.

All you can do now is keep your router and computer secure. Most routers by default will not reply to a probe on a closed port.
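
The detection side of what this thread describes, as an added example that is not code from the thread or from Exetel: it reads firewall drop lines, flags a source that probes many distinct ports, and warns when the flagged source matches known infrastructure, since (as noted above) the source address may be spoofed and auto-blocking it would hit the real owner. The log format, IP addresses and the known-infrastructure list are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed iptables/syslog-style drop lines (not real log data).
SAMPLE_LOG = """\
May 19 13:01:02 gw kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
May 19 13:01:02 gw kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
May 19 13:01:03 gw kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25 SYN
May 19 13:01:03 gw kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80 SYN
May 19 13:01:04 gw kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=135 SYN
May 19 13:01:04 gw kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=139 SYN
May 19 13:01:05 gw kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=445 SYN
May 19 13:01:05 gw kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=3389 SYN
May 19 13:01:06 gw kernel: DROP IN=ppp0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
May 19 13:01:07 gw kernel: DROP IN=ppp0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
"""

# Assumed list of addresses you know belong to your ISP's or your own
# infrastructure; a "scan" from one of these is a spoofing red flag.
KNOWN_INFRA = {"203.0.113.5"}

# Pull source address, protocol and destination port out of a drop line.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def find_port_scanners(log_text, threshold=5):
    """Return {src: sorted distinct dst ports} for sources probing >= threshold ports."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ports_by_src[m["src"]].add(int(m["dpt"]))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= threshold}


def assess(scanners, known_infra):
    """Label each flagged source so an operator does not blindly block a spoofed address."""
    return {
        src: "possibly spoofed: matches known infrastructure, verify before blocking"
        if src in known_infra else "unknown source: review before blocking"
        for src in scanners
    }


if __name__ == "__main__":
    found = find_port_scanners(SAMPLE_LOG)
    for src, verdict in assess(found, KNOWN_INFRA).items():
        print(f"{src}: {len(found[src])} distinct ports -> {verdict}")
```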

Mort
Posts: 391
Joined: Sun Jan 23, 2005 3:04 pm
Location: Sydney

Re: Port scans from 220.233.2.208

Post by Mort » Mon May 19, 2014 5:05 pm

I'm not worried about them getting in, I'm running enterprise-grade kit at home (no, I'm not complacent about that). I thought it might have finished when it got to the end of the 65k ports, but it appears to have cycled around and started again.

Normally I wouldn't care or even notice, but I just happened to be testing some new stuff and was watching the live logs to see if it was doing the right thing when I noticed this. The firewall picked it up as a port scan attempt a long time ago and added it to the automatic drop list, but the attempts are still coming in. Thank goodness Exetel doesn't meter uploads.

I just figured Exetel might have been interested given it was from an "Exetel" range.
