Quote

[Moderator's note by Jim (Oldjim)  IP address and Plusnet username removed for fairly obvious reasons but noted in the hidden forums for staff ]

There are hidden forums for staff?!? Who knew?

The main difference is that those forums, as well as being limited access, aren't searchable by Google and others

I've flagged this for myself to do a little digging.
I've never encountered such a large number of reports of such activity, which suggests it may well have some form of pattern to it.
Do you have the last time the offending and removed IP last tried to access, so I can dig into the connection logs at that time?

@Phil,
I'll send you a PM with a link to my syslog file in case you want to have a look.
The offending IP appears much earlier in the log than I had realised - back to March!
The last entry that I can see from it is on Sun Jul 22 12:37:42; the end of a flood of telnet attempts from it.
Cheers!

There is no initial logical reason for this to occurs.
Whilst part of the IP prefix matches, the majority does not.
I can see you have raised a ticket, which should be passed through to our networks team to handle as an abuse report.
I have passed this on to them now.

Thanks.
I'm watching a stream of probes for ports 445 and 138 coming into my IP block now, lol. From different IP's though, the that one on PN's network.

Have you had a look at the Broadband Firewall. The low setting will block those ports and would be ok if you don't need to use the others?
You may also want to look at the Safe Surf option if you aren't aware of it.
Login required for both of those.

http://community.plus.net/forum/index.php?topic=6234.0 from 2004 same IP range then that was scanning, maybe both LordFox/abellingham had/have the same IP and the bot is looking for a known weak router

Or previous P2P usage?

Thanks for the information.
I use an openBSD box with PF configured as a firewall/router for my IP block. That's after the modem/router which is configured as a bridge and also has a firewall configured to reject Windows' silly ports.
I do open up some service ports at times, so using an external firewall isn't an option. I have gone so far as to set up port-knocking before now to secure my own access when out working.
The issue I had with a certain IP address was the repeated attempts (100's)  to log in to my modem/router; it is a plusnet-owned address hence my report. It's a small fraction of the 36,000+ login attempts since the start of this year though. The modem drops the majority of probes (like for file sharing ports) and the openBSD box handles the rest, so I'm as safe as it gets really, short of an airwall setup. It just surprised me how may login attempts there were.
The very heavy 'quiescent' use of my allowance is still a puzzle, but I've changed my default outgoing address and that has made a big difference yesterday and today. If it continues I'll set the modem to echo all traffic to a logging port and have a look with wireshark.
I also got a bit paranoid over the weekend and rebuilt my openBSD box on the latest release from scratch and with an even longer password, just to be sure, lol.

I suppose it may depend on how often you want/need to open those specific ports and how much of your bandwidth these attempts consume. How inconvenient it may or may not be to turn on and off the external firewall/safe surf and drop and restart the PPP session on the particular IP address for the changes to become effective.
Whilst doing that, even for a limited period, won't discourage any bots for obvious reasons, would it perhaps discourage others? As I don't know what the probing end may "see" in either case, and it's not something I've even tried or considered, I wouldn't know.