Port Scan and different IP addresses

Archived from groups: comp.security.firewalls

Hello,

Three days ago, my computer got scanned for half an hour. ZA did
its job perfectly.
The day after, it got scanned again. I switched the modem off in order to obtain
another IP address and it stopped being scanned (of course!).

I made a traceroute and a whois on the IP address. Both pointed to
www.handango.com.
Discussing the question with another client of my network, I
discovered that, at the same time, he had connected to Handango.

With the new IP address I got, I connected my computer in turn to their
site; 15 min later or so, I got scanned again. The answer is obvious and I
sent an abuse report with the results of my scans.

But I was a bit bothered by something vague I wasn't able to clarify. I
typed the IP address "http://64.143.96.133" in IE, instead of the usual URL.
I landed on another site, "EqualizerTM Traffic Management Appliance", with no
relation to Handango.

Now I'm puzzled by this difference, which I can't understand.
Obviously I was scanned by someone at Handango, but their IP address is the
same as another one that Whois.com doesn't point to.

Can somebody explain?
Regards
  1.

    Hi Aldo -

    On Sun, 13 Jun 2004 13:02:16 +0200, "Aldo Larrabiata"
    <zzz@zorglub.net> wrote:

    >But, I was a bit bothered by something vague I wasn't able to clarify. I
    >typed the IP address "http://64.143.96.133" in IE, instead of the usual URL.
    >I landed on another site: "EqualizerTM Traffic Management Appliance" without
    >any relation with handango.

    Using named virtual hosts, many websites can be hosted on the same IP
    address. The specific host being accessed is passed as part of the
    HTTP headers so the webserver software knows which site's pages to
    serve up.

    When you requested http://64.143.96.133, 64.143.96.133 was passed as
    the host name. It is unlikely that the IP address is defined as a
    host name. What happens when the host name is missing or undefined is
    dependent on the specific webserver software. In the case of Apache,
    which is what I use, the first virtual host defined will be used.

    Because of this, and because most attacks are directed against an IP
    address without a valid host name, my first virtual host is a dummy
    site. You can see this if you go to the site listed in my signature
    by the site name as given, then access it by the IP address associated
    with that host name.

    --
    Ken
    http://www.ke9nr.net/
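An added example, not Ken's code or anything from Apache: a small Python model of the name-based dispatch Ken describes, with a dummy first-defined site as the fallback. The host names in the vhost table are constructed, and the tally shows how a site operator could count how often requests land on the fallback by IP literal or with no Host header at all, which is the traffic Ken says is worth separating from the real sites.

```python
import ipaddress
from collections import Counter

# Constructed vhost table, in the order the sites are defined in the server
# config.  As with Apache, the FIRST entry is the fallback for any request
# whose Host header matches nothing, so a dummy site is put first on purpose.
VHOSTS = ["dummy.example.invalid", "www.handango.com", "www.palmcentral.com"]


def normalise_host(host_header):
    """Lower-case the Host value; drop an optional :port, IPv6 brackets, trailing dot."""
    if host_header is None:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):            # IPv6 literal such as [::1]:8080
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # name:port or v4-address:port
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_host(host_header, vhosts=VHOSTS):
    """Say why a request does (or does not) reach a named site."""
    host = normalise_host(host_header)
    if host is None:
        return "no-host"          # HTTP/1.0 client or a raw probe with no Host header
    if is_ip_literal(host):
        return "ip-literal"       # browser pointed at http://64.143.96.133
    if host in vhosts:
        return "named"
    return "unknown-name"


def select_vhost(host_header, vhosts=VHOSTS):
    """Return (site, reason): a matching ServerName wins, otherwise the first vhost."""
    reason = classify_host(host_header, vhosts)
    site = normalise_host(host_header) if reason == "named" else vhosts[0]
    return site, reason


def tally_reasons(host_headers, vhosts=VHOSTS):
    """Count request kinds over the Host values from an access log; a run of
    ip-literal / no-host hits on the dummy site is the traffic to look at."""
    return Counter(classify_host(h, vhosts) for h in host_headers)
```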
  2.

    There is a feature in "nmap" which allows you to specify "decoy" IP
    addresses when you scan a computer or a range of computers (networks).

    The other possibility is that the scan is conducted from a zombie IP
    address. Looking into the whois database and routing information should
    determine whether that IP belongs to a company, a DSL/ISP, etc. You need to
    match that with DNS to get a good handle.

    Scanning is not a terribly bad thing. Mostly it happens because script
    kiddies learn that they can run a shell script and drool over the info
    scrolling up their screens; they are mostly clueless, though.
    If your systems are secured properly, you need not worry ;-).

    Regards,
    Patrick Soltani.
  3.

    Sorry, I'm not a network specialist and don't understand.
    If I make a query with 64.143.96.133, Whois returns handango.com;
    in fact a whole range of IP addresses is reserved to Handango.
    If I type http://64.143.96.133 in the address bar, I get a completely
    different page pointing to Coyote Point Systems Inc.
    Only two addresses point to this site: http://64.143.96.132 &
    http://64.143.96.133

    Normally I should go to the same site, no?
    Thanks
  4.

    #whois -a 64.143.96.133
    SBC E-Services - Dallas IDC SBCIDC-DAL-2BLK (NET-64-143-0-0-1)
    64.143.0.0 - 64.143.223.255
    Handango SBC064143096128030228 (NET-64-143-96-128-1)
    64.143.96.128 - 64.143.96.255

    # ARIN WHOIS database, last updated 2004-06-15 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    SBC owns the IP block.
    Handango has a /25 of IP addresses:

    #dig -x 64.143.96.136

    ; <<>> DiG 8.3 <<>> -x
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45857
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 2, ADDITIONAL: 1
    ;; QUERY SECTION:
    ;; 136.96.143.64.in-addr.arpa, type = ANY, class = IN

    ;; ANSWER SECTION:
    136.96.143.64.in-addr.arpa. 15M IN PTR handngo.com.
    136.96.143.64.in-addr.arpa. 15M IN PTR handango.com.
    136.96.143.64.in-addr.arpa. 15M IN PTR handengo.com.
    136.96.143.64.in-addr.arpa. 15M IN PTR palmshop.handango.com.
    136.96.143.64.in-addr.arpa. 15M IN PTR handandgo.com.
    136.96.143.64.in-addr.arpa. 15M IN PTR au.handango.com.
    136.96.143.64.in-addr.arpa. 15M IN PTR es.handango.com.
    136.96.143.64.in-addr.arpa. 15M IN PTR fr.handango.com.
    136.96.143.64.in-addr.arpa. 15M IN PTR www.handago.com.
    136.96.143.64.in-addr.arpa. 15M IN PTR www.handngo.com.
    136.96.143.64.in-addr.arpa. 15M IN PTR www.handango.com.
    136.96.143.64.in-addr.arpa. 15M IN PTR www.handengo.com.
    136.96.143.64.in-addr.arpa. 15M IN PTR www.handandgo.com.
    136.96.143.64.in-addr.arpa. 15M IN PTR www.acmecarrier.com.
    136.96.143.64.in-addr.arpa. 15M IN PTR www.palmcentral.com.

    ;; AUTHORITY SECTION:
    96.143.64.in-addr.arpa. 23h59m49s IN NS ns2.sbcidc.com.
    96.143.64.in-addr.arpa. 23h59m49s IN NS ns1.sbcidc.com.

    ;; ADDITIONAL SECTION:
    ns2.sbcidc.com. 1d23h59m49s IN A 216.65.209.34

    So they have a lot of names going to the same servers.

    If you do a traceroute you'll see that the route ends at Handango. So you
    are getting to the right place. The web server can serve any virtual
    page. What's important is that the service is served out of that IP
    address.

    #traceroute 64.143.96.133
    1 ...SNIPPED
    2 ...SNIPPED
    3 bb1-g8-3-0.snfc21.pbi.net (209.232.130.82) 8.186 ms 9.723 ms 9.811 ms
    4 core1-p14-1.crsfca.sbcglobal.net (151.164.242.65) 9.247 ms 9.590 ms 8.763 ms
    5 core1-p3-0.crskut.sbcglobal.net (151.164.243.237) 22.409 ms 23.251 ms 22.604 ms
    6 core1-p11-0.crdnco.sbcglobal.net (151.164.243.246) 32.749 ms 33.076 ms 32.543 ms
    7 core2-p1-0.crdnco.sbcglobal.net (151.164.243.210) 33.006 ms 32.726 ms 32.456 ms
    8 core1-p3-0.crdltx.sbcglobal.net (151.164.240.125) 55.255 ms 56.518 ms 55.892 ms
    9 core2-p9-0.crdltx.sbcglobal.net (151.164.242.110) 56.169 ms 55.403 ms 55.461 ms
    10 bb1-p11-1.dllstx.sbcglobal.net (151.164.240.89) 56.899 ms 57.223 ms 55.558 ms
    11 ded1-g1-2.dllstx.sbcglobal.net (151.164.40.66) 55.859 ms 56.107 ms 55.835 ms
    12 core1-z-g1-1.dal.sbcidc.com (216.65.192.6) 55.850 ms 57.088 ms 57.382 ms
    13 acs2-a-g1-1.dal.sbcidc.com (216.65.192.102) 56.057 ms 56.531 ms 56.018 ms
    14 cpsbc2.handango.com (64.143.96.133) 57.809 ms 57.867 ms 56.437 ms


    Regards,
    Patrick Soltani