Port Scan and different IP addresses

Anonymous
June 13, 2004 5:02:16 PM

Archived from groups: comp.security.firewalls

Hello,

Three days ago, my computer got scanned for half an hour. ZA did
its job perfectly.
The day after, it got scanned again. I switched the modem off in order to obtain
another IP address and it stopped being scanned (of course!).

I did a traceroute and a whois on the IP address. Both pointed to
www.handango.com.
Discussing the question with another client of my network, I
discovered that both times, at the same moment, he had connected to handango.

With the new IP address I got, I connected my computer in turn to their
site; 15 minutes later or so, I got scanned again. The answer is obvious and I
sent an abuse report with the results of my scans.

But I was a bit bothered by something vague I wasn't able to clarify. I
typed the IP address "http://64.143.96.133" in IE, instead of the usual URL.
I landed on another site, "EqualizerTM Traffic Management Appliance", without
any relation to handango.

Now I'm puzzled by this difference, which I can't understand.
Obviously I was scanned by someone at Handango, but their IP address is the
same as another one that Whois.com doesn't point to.

Can somebody explain?
Regards


June 13, 2004 5:02:17 PM


Hi Aldo -

On Sun, 13 Jun 2004 13:02:16 +0200, "Aldo Larrabiata"
<zzz@zorglub.net> wrote:

>But, I was a bit bothered by something vague I wasn't able to clarify. I
>typed the IP address "http://64.143.96.133" in IE, instead of the usual URL.
>I landed on another site: "EqualizerTM Traffic Management Appliance" without
>any relation with handango.

Using named virtual hosts, many websites can be hosted on the same IP
address. The specific host being accessed is passed as part of the
HTTP headers so the webserver software knows which site's pages to
serve up.

When you requested http://64.143.96.133, 64.143.96.133 was passed as
the host name. It is unlikely that the IP address is defined as a
host name. What happens when the host name is missing or undefined is
dependent on the specific webserver software. In the case of Apache,
which is what I use, the first virtual host defined will be used.

Because of this, and because most attacks are directed against an IP
address without a valid host name, my first virtual host is a dummy
site. You can see this if you go to the site listed in my signature
by the site name as given, then access it by the IP address associated
with that host name.

--
Ken
http://www.ke9nr.net/
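Ken's explanation in working form, as an added example that is not part of the original thread: a small model of name-based virtual host selection with Apache's rule that an unrecognised Host (an IP literal, a made-up name, or no Host at all) falls through to the first VirtualHost defined, and the effect of putting a dummy site first. The site names are constructed; 64.143.96.133 is the address from the thread.

```python
"""Name-based virtual hosting, as Ken describes it: the Host header picks the
site, and a Host that names no configured site (an IP literal, a made-up name,
no Host at all) falls through to the first VirtualHost defined. Added example,
not from the thread; the site names are constructed."""
from typing import NamedTuple


class VHost(NamedTuple):
    server_name: str            # Apache ServerName
    aliases: tuple = ()         # Apache ServerAlias entries
    content: str = ""


def normalise_host(host_header: str) -> str:
    """Lower-case and drop a :port suffix; a bracketed IPv6 literal is kept whole."""
    h = host_header.strip().lower()
    if h.startswith("["):
        return h.split("]", 1)[0] + "]"
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h


def select_vhost(host_header: str, vhosts: list) -> VHost:
    """Exact match on ServerName/ServerAlias wins; otherwise Apache's rule:
    the first vhost in the list serves the request."""
    host = normalise_host(host_header or "")
    for vh in vhosts:
        if host == vh.server_name.lower() or host in (a.lower() for a in vh.aliases):
            return vh
    return vhosts[0]


def served_by(host_header: str, vhosts: list) -> str:
    return select_vhost(host_header, vhosts).server_name


SITE_A = VHost("www.example.com", ("example.com",), "site A")   # constructed
SITE_B = VHost("shop.example.net", (), "site B")                 # constructed
DUMMY = VHost("default.invalid", (), "nothing here")             # Ken's dummy first vhost

# Real sites only: a request for the bare IP lands on whichever site is first.
UNHARDENED = [SITE_A, SITE_B]
# Dummy defined first: IP-literal and bogus-Host requests never reach a real site.
HARDENED = [DUMMY, SITE_A, SITE_B]

if __name__ == "__main__":
    for hdr in ("www.example.com", "SHOP.example.net:80", "64.143.96.133", ""):
        print(f"Host={hdr or '<none>':22} unhardened: {served_by(hdr, UNHARDENED):18}"
              f" hardened: {served_by(hdr, HARDENED)}")
```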
Anonymous
June 14, 2004 6:32:12 AM


Aldo Larrabiata wrote:
> Hello,
>
> Three days ago, my computer got scanned during half an hour. ZA did
> perfectly its job.
> The day after, it got again. I switched the modem off in order to obtain
> another IP address and it stopped being scanned (of course !).
>
> I made a Traceroute and a Whois on the IP address. Both pointed to
> www.handango.com.
> Discussing about the question with another client of my network, I
> discovered that, both at the same time, he connected to handango.
>
> With the new IP address I got, I connected in turn my computer on their
> site, 15 mn later or so, I got scanned again. The answer is obvious and I
> sent an abuse with the results of my scans.
>
> But, I was a bit bothered by something vague I wasn't able to clarify. I
> typed the IP address "http://64.143.96.133" in IE, instead of the usual URL.
> I landed on another site: "EqualizerTM Traffic Management Appliance" without
> any relation with handango.
>
> Now I'm puzzled because of this difference I can't understand.
> Obviously I was scanned by someone at Handango but their IP address is the
> same as another one Whois.com don't point to.
>
> Can somebody explain ?
> Regards
>
>
There is a feature in "nmap" which allows you to specify "decoy" IP
addresses when you scan a computer or a range of computers (networks).

The other possibility is that the scan is conducted from a zombie IP
address. Looking into the whois database and routing information should
determine if that IP belongs to a company or a DSL/ISP, etc. You need to
match that with DNS to get a good handle.

Scanning is not a terribly bad thing. Mostly it happens because script
kiddies learn that they can run a shell script and drool over the info
scrolling up their screens; mostly clueless, though.
If your systems are secured properly, you need not worry ;-).

Regards,
Patrick Soltani.
Anonymous
June 15, 2004 3:29:28 AM


"patricksoltani" <patricksoltani@sbcglobal.net> wrote in message
news: 40CD0E37.7020701@sbcglobal.net...
> Aldo Larrabiata wrote:
> > Hello,
> >
> > Three days ago, my computer got scanned during half an hour. ZA did
> > perfectly its job.
> > The day after, it got again. I switched the modem off in order to obtain
> > another IP address and it stopped being scanned (of course !).
> >
> > I made a Traceroute and a Whois on the IP address. Both pointed to
> > www.handango.com.
> > Discussing about the question with another client of my network, I
> > discovered that, both at the same time, he connected to handango.
> >
> > With the new IP address I got, I connected in turn my computer on their
> > site, 15 mn later or so, I got scanned again. The answer is obvious and I
> > sent an abuse with the results of my scans.
> >
> > But, I was a bit bothered by something vague I wasn't able to clarify. I
> > typed the IP address "http://64.143.96.133" in IE, instead of the usual URL.
> > I landed on another site: "EqualizerTM Traffic Management Appliance" without
> > any relation with handango.
> >
> > Now I'm puzzled because of this difference I can't understand.
> > Obviously I was scanned by someone at Handango but their IP address is the
> > same as another one Whois.com don't point to.
> >
> > Can somebody explain ?
> > Regards
> >
> >
> There is a feature in "nmap" which allows you to specify "decoy" ip
> addresses when you scan a computer or a range of computers (networks).
>
> The other possibility is that the scan is conducted from a zombie ip
> address, looking into whois database and routing information should
> determine if that ip belongs to a company or DSL/ISP, etc. You need to
> match that with DNS to get a good handle.
>
> scanning is not a terribly bad thing, Mostly it happens due to script
> kiddies learn that they can run a shell script and droll over the info
> scrolling up their screens, mostly clueless tho.
> If your systems are secured properly, you need not worry ;-).
>
> Regards,
> Patrick Soltani.
>
>
Sorry, I'm not a network specialist and don't understand.
If I make a query with 64.143.96.133, Whois returns handango.com;
in fact a whole range of IP addresses is reserved to handango.
If I type http://64.143.96.133 in the address bar I get a completely
different page pointing to Coyote Point Systems Inc.
Only two addresses point to this site: http://64.143.96.132 &
http://64.143.96.133

Normally I should go to the same site, no?
Thanks
Anonymous
June 16, 2004 1:51:58 PM


Aldo Larrabiata wrote:

> "patricksoltani" <patricksoltani@sbcglobal.net> wrote in message
> news: 40CD0E37.7020701@sbcglobal.net...
>
>>Aldo Larrabiata wrote:
>>
>>>Hello,
>>>
>>>Three days ago, my computer got scanned during half an hour. ZA did
>>>perfectly its job.
>>>The day after, it got again. I switched the modem off in order to obtain
>>>another IP address and it stopped being scanned (of course !).
>>>
>>>I made a Traceroute and a Whois on the IP address. Both pointed to
>>>www.handango.com.
>>>Discussing about the question with another client of my network, I
>>>discovered that, both at the same time, he connected to handango.
>>>
>>>With the new IP address I got, I connected in turn my computer on their
>>>site, 15 mn later or so, I got scanned again. The answer is obvious and I
>>>sent an abuse with the results of my scans.
>>>
>>>But, I was a bit bothered by something vague I wasn't able to clarify. I
>>>typed the IP address "http://64.143.96.133" in IE, instead of the usual URL.
>>>I landed on another site: "EqualizerTM Traffic Management Appliance" without
>>>any relation with handango.
>>>
>>>Now I'm puzzled because of this difference I can't understand.
>>>Obviously I was scanned by someone at Handango but their IP address is the
>>>same as another one Whois.com don't point to.
>>>
>>>Can somebody explain ?
>>>Regards
>>>
>>>
>>
>>There is a feature in "nmap" which allows you to specify "decoy" ip
>>addresses when you scan a computer or a range of computers (networks).
>>
>>The other possibility is that the scan is conducted from a zombie ip
>>address, looking into whois database and routing information should
>>determine if that ip belongs to a company or DSL/ISP, etc. You need to
>>match that with DNS to get a good handle.
>>
>>scanning is not a terribly bad thing, Mostly it happens due to script
>>kiddies learn that they can run a shell script and droll over the info
>>scrolling up their screens, mostly clueless tho.
>>If your systems are secured properly, you need not worry ;-).
>>
>>Regards,
>>Patrick Soltani.
>>
>>
>
> Sorry I'm not a network specialist and don't understand.
> Shall I make a query with 64.143.96.133, Whois returns handango.com
> in fact a whole range of IP addresses are reserved to handango.
> Shall I type http://64.143.96.133 in the address bar I get a completely
> different page pointing to Coyotte Point Systems Inc.
> Only two addresses point to this site http://64.143.96.132 &
> http://64.143.96.133
>
> Normally I should go to the same site, no ?
> Thanks
>
>
>
>
#whois -a 64.143.96.133
SBC E-Services - Dallas IDC SBCIDC-DAL-2BLK (NET-64-143-0-0-1)
64.143.0.0 - 64.143.223.255
Handango SBC064143096128030228 (NET-64-143-96-128-1)
64.143.96.128 - 64.143.96.255

# ARIN WHOIS database, last updated 2004-06-15 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

SBC owns the IP block; Handango has a /25 of IP addresses within it:


#dig -x 64.143.96.136

; <<>> DiG 8.3 <<>> -x
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45857
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 2, ADDITIONAL: 1
;; QUERY SECTION:
;; 136.96.143.64.in-addr.arpa, type = ANY, class = IN

;; ANSWER SECTION:
136.96.143.64.in-addr.arpa. 15M IN PTR handngo.com.
136.96.143.64.in-addr.arpa. 15M IN PTR handango.com.
136.96.143.64.in-addr.arpa. 15M IN PTR handengo.com.
136.96.143.64.in-addr.arpa. 15M IN PTR palmshop.handango.com.
136.96.143.64.in-addr.arpa. 15M IN PTR handandgo.com.
136.96.143.64.in-addr.arpa. 15M IN PTR au.handango.com.
136.96.143.64.in-addr.arpa. 15M IN PTR es.handango.com.
136.96.143.64.in-addr.arpa. 15M IN PTR fr.handango.com.
136.96.143.64.in-addr.arpa. 15M IN PTR www.handago.com.
136.96.143.64.in-addr.arpa. 15M IN PTR www.handngo.com.
136.96.143.64.in-addr.arpa. 15M IN PTR www.handango.com.
136.96.143.64.in-addr.arpa. 15M IN PTR www.handengo.com.
136.96.143.64.in-addr.arpa. 15M IN PTR www.handandgo.com.
136.96.143.64.in-addr.arpa. 15M IN PTR www.acmecarrier.com.
136.96.143.64.in-addr.arpa. 15M IN PTR www.palmcentral.com.

;; AUTHORITY SECTION:
96.143.64.in-addr.arpa. 23h59m49s IN NS ns2.sbcidc.com.
96.143.64.in-addr.arpa. 23h59m49s IN NS ns1.sbcidc.com.

;; ADDITIONAL SECTION:
ns2.sbcidc.com. 1d23h59m49s IN A 216.65.209.34

So they got a lot of names going into the same servers.

If you do a traceroute you'll see that route ends at handango. So you
are getting to the right place. The web server can serve any virtual
page. What's important is that the service is served out of that ip
address.

#traceroute 64.143.96.133
1 ...SNIPPED
2 ...SNIPPED
3 bb1-g8-3-0.snfc21.pbi.net (209.232.130.82) 8.186 ms 9.723 ms 9.811 ms
4 core1-p14-1.crsfca.sbcglobal.net (151.164.242.65) 9.247 ms 9.590 ms 8.763 ms
5 core1-p3-0.crskut.sbcglobal.net (151.164.243.237) 22.409 ms 23.251 ms 22.604 ms
6 core1-p11-0.crdnco.sbcglobal.net (151.164.243.246) 32.749 ms 33.076 ms 32.543 ms
7 core2-p1-0.crdnco.sbcglobal.net (151.164.243.210) 33.006 ms 32.726 ms 32.456 ms
8 core1-p3-0.crdltx.sbcglobal.net (151.164.240.125) 55.255 ms 56.518 ms 55.892 ms
9 core2-p9-0.crdltx.sbcglobal.net (151.164.242.110) 56.169 ms 55.403 ms 55.461 ms
10 bb1-p11-1.dllstx.sbcglobal.net (151.164.240.89) 56.899 ms 57.223 ms 55.558 ms
11 ded1-g1-2.dllstx.sbcglobal.net (151.164.40.66) 55.859 ms 56.107 ms 55.835 ms
12 core1-z-g1-1.dal.sbcidc.com (216.65.192.6) 55.850 ms 57.088 ms 57.382 ms
13 acs2-a-g1-1.dal.sbcidc.com (216.65.192.102) 56.057 ms 56.531 ms 56.018 ms
14 cpsbc2.handango.com (64.143.96.133) 57.809 ms 57.867 ms 56.437 ms


Regards,
Patrick Soltani
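The three checks Patrick ran on the scanning address, parsed offline as an added example that is not part of the original thread: which ARIN whois block contains the address (the most specific allocation wins), what the reverse DNS answer lists, and where the traceroute ends. The inputs are trimmed copies of the outputs posted above; the function names are this example's own.

```python
"""Correlate a scanning IP with its owner from whois, reverse DNS and the
traceroute's last hop. Added example, not from the thread; the inputs are
trimmed copies of the outputs posted in the thread."""
import ipaddress
import re

WHOIS = """\
SBC E-Services - Dallas IDC SBCIDC-DAL-2BLK (NET-64-143-0-0-1)
64.143.0.0 - 64.143.223.255
Handango SBC064143096128030228 (NET-64-143-96-128-1)
64.143.96.128 - 64.143.96.255
"""
DIG_ANSWER = """\
136.96.143.64.in-addr.arpa. 15M IN PTR handango.com.
136.96.143.64.in-addr.arpa. 15M IN PTR www.handango.com.
136.96.143.64.in-addr.arpa. 15M IN PTR www.palmcentral.com.
"""
LAST_HOP = "14 cpsbc2.handango.com (64.143.96.133) 57.809 ms 57.867 ms 56.437 ms"


def whois_blocks(text):
    """Yield (org, network) for each 'Org handle (NET-...)' line followed by a
    'first - last' range; a range that is not CIDR-aligned expands to several."""
    lines = text.splitlines()
    for org_line, range_line in zip(lines, lines[1:]):
        m = re.match(r"(\d+\.\d+\.\d+\.\d+) - (\d+\.\d+\.\d+\.\d+)$", range_line)
        if not m:
            continue
        org = " ".join(org_line.split(" (NET-")[0].split()[:-1])  # drop the handle
        first, last = (ipaddress.ip_address(a) for a in m.groups())
        for net in ipaddress.summarize_address_range(first, last):
            yield org, net

def most_specific_owner(text, ip):
    """(org, network) of the smallest whois block containing ip, or None."""
    ip = ipaddress.ip_address(ip)
    hits = [(o, n) for o, n in whois_blocks(text) if ip in n]
    return max(hits, key=lambda h: h[1].prefixlen) if hits else None

def ptr_names(dig_text):
    """Distinct names from the PTR answer records, trailing dot removed."""
    return sorted({ln.split()[-1].rstrip(".") for ln in dig_text.splitlines() if " PTR " in ln})

def last_hop(line):
    """(hostname, ip) parsed from a traceroute hop line."""
    m = re.match(r"\s*\d+\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)", line)
    return (m.group(1), m.group(2)) if m else None
```

When the whois org, the PTR names and the last-hop hostname all point at the same organisation, as they do here, the address is attributable to that organisation's allocation regardless of which virtual host its web server happens to show.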