
Port scans from 220.233.2.208

Posted: Mon May 19, 2014 1:07 pm
by Mort
I'm seeing a lot of bad connection attempts coming from 220.233.2.208. Looking at the ports, it would appear a full port scan is happening.

Is this an Exetel customer IP or some internal Exetel system? It just resolves as a "static" address, so I suspect a customer machine.

Re: Port scans from 220.233.2.208

Posted: Mon May 19, 2014 2:46 pm
by KavindaS
Mort wrote: I'm seeing a lot of bad connection attempts coming from 220.233.2.208. Looking at the ports, it would appear a full port scan is happening.

Is this an Exetel customer IP or some internal Exetel system? It just resolves as a "static" address, so I suspect a customer machine.
Yes, the IP belongs to one of our servers. However, it isn't involved in any port scanning.

It seems someone has masked the IP (220.233.2.208).

Re: Port scans from 220.233.2.208

Posted: Mon May 19, 2014 4:56 pm
by Dazzled
Spoofing the sender's IP when port scanning is trivial using some of the Linux networking tools. Since it is repeated, the sender is probably checking the returned packet from the router for a particular distinctive behaviour of Windows. If he hasn't spoofed some other fields, we might be able to see what tool/OS he is using. If he is running a skilled idle scan you won't find him.

Almost all of the probes I get every few minutes all day and night are trying to find an active Windows box behind the router, so that some further probe or attack can follow. The rest seem to be looking for a poorly secured remote login, then move on.

All you can do now is keep your router and computer secure. Most routers by default will not reply to a probe on a closed port.
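Two of the points above are easy to check against firewall logs, so here is an added example (not code from any poster in this thread) that does so. It parses netfilter-style DROP lines, counts distinct destination ports per source inside a sliding time window (a sweep shows up as many distinct ports, whereas a login-guesser hammering RDP and SSH does not), and counts how many times a source's port sequence falls back from the top of the range, which is how the "cycled around and started again" pattern Mort reports in his next post would appear. The log lines, the 60-second window, the 20-port threshold and the 32768-port fall-back heuristic are all constructed for the example, and the source addresses come from documentation ranges. As KavindaS and Dazzled both say, the SRC field in such logs may be spoofed, so this tells you that your host is being swept, not who is sweeping it.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in netfilter LOG style (not real logs from the thread).
# 220.233.2.208 sweeps ports 1-40, touches the top of the range, then wraps to 1-3;
# 198.51.100.7 just retries RDP and SSH a few times over two hours.
def _build_sample():
    lines = []
    t0 = datetime(2014, 5, 19, 13, 1, 0)
    sweep = list(range(1, 41)) + [65533, 65534, 65535, 1, 2, 3]
    for i, port in enumerate(sweep):
        ts = (t0 + timedelta(milliseconds=100 * i)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f"{ts} DROP SRC=220.233.2.208 DST=203.0.113.10 PROTO=TCP SPT=41234 DPT={port}")
    for minutes, port in [(0, 3389), (30, 3389), (45, 22), (90, 3389), (120, 22)]:
        ts = (t0 + timedelta(minutes=minutes)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f"{ts} DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=55000 DPT={port}")
    return "\n".join(lines)

SAMPLE_LOG = _build_sample()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)

def parse_drops(text):
    """Return (timestamp, source, destination port) tuples in time order.
    Lines that do not match the expected format are skipped rather than guessed at.
    The sort is stable, so hits sharing a second keep their logged order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])))
    events.sort(key=lambda e: e[0])
    return events

def max_distinct_ports(events, window=timedelta(seconds=60)):
    """Per source, the largest number of distinct destination ports hit within any window.
    Note the SRC field is whatever the sender put in the packet; a spoofed scan is
    attributed here to the spoofed address, not to the real sender."""
    by_src = defaultdict(list)
    for ts, src, dpt in events:
        by_src[src].append((ts, dpt))
    result = {}
    for src, hits in by_src.items():
        in_window = Counter()   # port -> hits currently inside the window
        left = 0
        best = 0
        for ts, dpt in hits:
            in_window[dpt] += 1
            while ts - hits[left][0] > window:     # slide the left edge forward
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        result[src] = best
    return result

def flag_sweeps(events, threshold=20, window=timedelta(seconds=60)):
    """Sources whose distinct-port count in one window reaches the (assumed) threshold."""
    return sorted(src for src, n in max_distinct_ports(events, window).items() if n >= threshold)

def count_wraps(events, src, drop=32768):
    """How many times a source's destination-port sequence falls back by more than
    `drop` ports: a heuristic for a 1-65535 sweep that has finished and restarted."""
    ports = [dpt for _, s, dpt in events if s == src]
    return sum(1 for a, b in zip(ports, ports[1:]) if a - b > drop)

if __name__ == "__main__":
    evs = parse_drops(SAMPLE_LOG)
    print("distinct ports per source:", max_distinct_ports(evs))
    print("sweeping sources:", flag_sweeps(evs))
    for src in flag_sweeps(evs):
        print(src, "restarted its sweep", count_wraps(evs, src), "time(s)")
```

Run on a real firewall's DROP lines, the threshold and window will need tuning to the box in question; what matters is counting distinct ports rather than raw hits, since a single brute-forcer can generate far more drops than a slow sweep while touching only one or two ports.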

Re: Port scans from 220.233.2.208

Posted: Mon May 19, 2014 5:05 pm
by Mort
I'm not worried about them getting in, I'm running enterprise-grade kit at home (no, I'm not complacent about that). I thought it might have finished when it got to the end of the 65k ports, but it appears to have cycled around and started again.

Normally I wouldn't care or even notice, but I just happened to be testing some new stuff and was watching the live logs to see if it was doing the right thing when I noticed this. The firewall picked it up as a port scan attempt a long time ago and added it to the automatic drop list, but the attempts are still coming in. Thank goodness Exetel doesn't meter uploads.

I just figured Exetel might have been interested given it was from an "Exetel" range.