
80.229.x.x Multiple Port scans

N/A

80.229.x.x Multiple Port scans

I believe there could be a few threads already out there concerning this matter. In fact the problem could be more widespread, as not everyone is inspecting logs or has a firewall reporting port scans. WHAT IS GOING ON?
Why, why, why.

03/27/2004 17:48:33 80.229.29.130
03/28/2004 12:06:11 80.229.150.230
03/28/2004 12:24:18 80.229.11.70
03/28/2004 12:36:10 80.229.18.100
03/28/2004 15:12:00 80.229.11.70
03/28/2004 15:42:32 80.229.150.230
03/29/2004 23:01:42 80.229.19.11
03/29/2004 23:01:52 80.229.147.176
03/30/2004 01:27:25 80.229.147.176
03/30/2004 01:28:47 80.229.11.70
04/01/2004 00:30:38 80.229.28.27
04/01/2004 04:29:53 80.229.10.81
04/01/2004 09:55:12 80.229.137.46
04/01/2004 13:10:37 80.229.28.27
04/01/2004 15:26:56 80.229.8.81
04/01/2004 19:16:20 80.229.152.216
04/01/2004 20:35:39 80.229.9.128
04/02/2004 03:22:18 80.229.61.242
04/02/2004 11:28:31 80.229.27.129
04/02/2004 16:06:23 80.229.25.181
04/03/2004 12:18:51 80.229.149.140
04/03/2004 17:06:10 80.229.24.159
04/03/2004 19:25:39 80.229.149.189
04/03/2004 19:39:57 80.229.28.127
04/03/2004 21:24:13 80.229.136.114
04/03/2004 21:26:27 80.229.149.140
04/03/2004 21:28:10 80.229.24.159
04/03/2004 22:25:31 80.229.17.109
04/03/2004 22:43:24 80.229.137.46
04/03/2004 23:00:38 80.229.152.166
04/03/2004 23:02:53 80.229.29.243
04/03/2004 23:24:25 80.229.4.154

The ports being scanned are

2745, 1025, 3127, 6129, 139, 80.

I have blocked off the entire range from 80.229.0.0-80.229.255.255.

Also, I only list the 80.229 logs even though 196.x have come up as well.

ADDED NEW

2745, 1025, 445, 3127 and 6129 have been scanned from 80.229.139.171
1025, 445, 3127, 6129 and 139 have been scanned from 80.229.10.81.
6129, 80, 2745, 1025 and 3127 have been scanned from 80.229.27.39.
2745, 1025, 3127, 6129 and 139 have been scanned from 80.229.145.170
445, 3127, 6129, 139 and 80 have been scanned from 80.229.13.66.
2745, 1025, 445, 3127 and 6129 have been scanned from 80.229.17.101.
2745, 1025, 445, 3127 and 6129 have been scanned from 80.229.137.109.
6129, 139, 80, 3127 and 445 have been scanned from 80.229.150.154.
2745, 1025, 445, 3127 and 6129 have been scanned from 80.229.15.33
2745, 1025, 3127, 6129 and 139 have been scanned from 80.229.30.73.
2745, 1025, 3127, 6129 and 139 have been scanned from 80.229.146.162.

I have lost the logs which would show a hundred-plus IPs, but this is from the last hour. No port 135.

If it wasn't for the other threads I would not have bothered posting.
39 REPLIES
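Added example, not part of the original post or any reply: one way to tally firewall log lines in the two formats quoted above, by day, by busiest minute, by source network and by probed port. The sample lines are constructed with documentation addresses, and the name `summarise` and the MM/DD/YYYY date reading are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample lines (documentation addresses) in the post's two formats.
SAMPLE = """\
03/27/2004 17:48:33 192.0.2.130
03/28/2004 12:06:11 192.0.2.230
03/28/2004 12:06:40 192.0.2.70
03/28/2004 15:12:00 192.0.2.70
2745, 1025, 445, 3127 and 6129 have been scanned from 192.0.2.171
445, 3127, 6129, 139 and 80 have been scanned from 198.51.100.66.
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
TS_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+" + IP + r"$")
PORT_LINE = re.compile(r"^([\d, and]+?) have been scanned from " + IP + r"\.?$")

def summarise(text, prefix_len=16):
    """Tally scan events per day, per minute, per source network and per port."""
    per_day, per_minute, per_net = Counter(), Counter(), Counter()
    ports_by_src = defaultdict(set)
    for line in map(str.strip, text.splitlines()):
        if m := TS_LINE.match(line):
            # Assumed MM/DD/YYYY, as the dates in the post imply (e.g. 03/27).
            when = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            per_day[when.strftime("%Y-%m-%d")] += 1
            per_minute[when.strftime("%Y-%m-%d %H:%M")] += 1
        elif m := PORT_LINE.match(line):
            ports = {int(p) for p in re.findall(r"\d+", m.group(1))}
            ports_by_src[m.group(2)].update(ports)
        else:
            continue  # not a log line in either format
        try:
            # Group sources by covering network to see whether one range dominates.
            net = ip_network(f"{m.group(2)}/{prefix_len}", strict=False)
        except ValueError:
            continue  # out-of-range octet: not attributed to any network
        per_net[str(net)] += 1
    port_freq = Counter(p for ports in ports_by_src.values() for p in ports)
    return {"per_day": per_day, "peak_per_minute": max(per_minute.values(), default=0),
            "per_net": per_net, "ports_by_src": dict(ports_by_src), "port_freq": port_freq}

if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(key, value)
```

The per-network count shows whether one range accounts for most of the traffic, and the port tally shows whether every source is probing the same small set of ports.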
Community Veteran
Posts: 3,181
Thanks: 19
Fixes: 2
Registered: 31-07-2007

80.229.x.x Multiple Port scans

Virally infected PCs by those that don't know any better, so PlusNet abuse has to contact them each manually via email or direct calls. So it takes time just to get them on the phone, let alone fix it.

But like the 135 web page rerouting, I think something similar should be used: have their online browsing redirected to an info page telling them they are infected and leave that active for an hour or more. That will soon get them to contact PN for a fix/help.
Unvalued customer since 2001 funding cheap internet for others / DSL/Fibre house move 24 month regrade from 8th May 2017
N/A

80.229.x.x Multiple Port scans

You don't mention what type of scans these are, or if they are DOS attacks.
Anyway, the maximum number in your list is 12 scans in one day. To be honest, this is nothing and could even be considered "background noise" in certain circumstances. It would appear to be someone at PlusNet on a dynamic IP who most probably is "wide broadcasting" packets.
Time to worry is when you get this many in a minute...
N/A

80.229.x.x Multiple Port scans

OK, finally an explanation after reading a few of the new posts. It's a virus/bot; at first I thought, who would be so thick as to repeatedly scan the same ports over and over. And then the sheer number of 80.299x scans, the explanation that some viruses target entire ranges from the ones they originally affect within. But it's not just port 135, it is the exact range I have listed. And the IPs I picked out from the log were just the 80.299.x, which accounted for only 50% of this traffic. I get them every few minutes now as the problem escalated a great deal. Shouldn't they make it a criminal offense not to run a PC without FIREWALL (Software) and ANTIVIRUS protection?
csogilvie
Grafter
Posts: 5,852
Registered: 04-04-2007

80.229.x.x Multiple Port scans

Quote
Shouldn't they make it a criminal offense not to run a PC without FIREWALL (Software) and ANTIVIRUS protection?


Now that's just bordering on the idiotic side... for a start it would be unenforceable.
N/A

80.229.x.x Multiple Port scans

Quote
Now that's just bordering on the idiotic side... for a start it would be unenforceable.

I don't think he was being serious.

Anyway, FWIW I've noticed the same scans as well - I would say more than the usual background noise, and predominantly from the 80.229 range.

I would guess it's possibly a symptom of a worm/virus infection on these people's PCs, and maybe it favours scanning adjacent addresses before looking further afield.

Not much I can do about them though, and they are being blocked so I'm not really bothered. Anything that can get through a router's NAT/SPI firewall, a software firewall, and find a hole in a fully patched OS deserves to live in my opinion.
Novagal
Grafter
Posts: 54
Registered: 30-07-2007

80.229.x.x Multiple Port scans

Peeps,

Just to add to this thread, I have just informed the Abuse Dept via Contact Us as a result of a number of Syn Port scan attacks from Plus.com users I have been getting.

Got a quick positive response and looks like these users may be the victim of a virus themselves. Hopefully the details I supplied them will help PlusNet in contacting the apparent culprits to make them aware and hopefully reduce attacks from these quarters... and just as I was about to post this I get another attack from another plus.com user... the amazing world of the internet.

K.
N/A

80.229.x.x Multiple Port scans

I've had 1200 probes from 58 different Plusnet, Force9 & Free-online users over the past 4 days (during the hours that my PC has been on and logging), nearly all on these 6 ports.

I've also sent in a report so hopefully these people might be informed if they are infected...
N/A

Zone Alarm

Just download this free firewall
michaelscott
Grafter
Posts: 594
Registered: 09-08-2007

80.229.x.x Multiple Port scans

The fact that they are aware of the port scans would suggest that they already have an effective firewall installed.
N/A

80.229.x.x Multiple Port scans

I would just advise everyone to get a free firewall if they do not have one already. Sygate produce an excellent one which is free and offer a pro version as well for a price.
The scans are more intense than ever.
It's the same ports over and over and clearly it's gone beyond the 80.229.x.x range. But I don't really care now; whatever it is, is only a threat to the uneducated computer user with no AV protection and an unpatched Windows machine. Let them burn in hell, I will just get back to normal life.

I run Norton Personal Firewall 2004, Sygate Pro Firewall 5.5 and Windows XP ICF with no slowdowns or conflicts behind a Netgear DG834G. I do it for fun and did it against general advice about running multiple firewalls. It's been 2 years and one day I hope to find out why one should run 1 firewall only. I also know how each one of these firewalls can be circumvented, having experienced it from a hacker friend. The Sygate vulnerability has existed for almost 3 years now.

Sorry if I do not reply, as I check every few days.
N/A

80.229.x.x Multiple Port scans

Yes, the TCP port 135 scans are back! I have been attacked today by
happyone.plus.com
jameswylie.plus.com
msdba.plus.com
medland.plus.com

... and that's just on port 135. Thank heavens for my trusty ZyXEL.
N/A

80.229.x.x Multiple Port scans

I would not call it an attack, as the users may not know their machines are doing it.
If you got those usernames by rDNS, they may not be current as they could be for dialup, where mainly dynamic IPs are used.
csogilvie
Grafter
Posts: 5,852
Registered: 04-04-2007

80.229.x.x Multiple Port scans

Dialup users have "<something>.dial.plus.net" as their rDNS - <username>.plus.com is reserved for Static IP addresses...
N/A

80.229.x.x Multiple Port scans

Indeed. I have obtained the user names using a WHOIS utility. The names are as registered in PlusNet's RIPE database.

More culprits:

80.229.61.158 chrisdshaw.plus.com
80.229.55.124 <no name registered -- new user?>

Again, scans on port 135.

I thought that PN were blocking such outbound traffic from customers, or is it only at the periphery of the site?