cancel
Showing results for 
Search instead for 
Did you mean: 

Multiple Port scans from 212.159.110.99

N/A

Multiple Port scans from 212.159.110.99



Is anybody continually getting scanned by this Plusnet customer. Just had 134 hits on different ports from him this morning. This IP resolves to harmer1.plus.com and has been reported numerous times to the abuse addy but nothing seems to be done about him.

Anybody else having the same trouble? :x
14 REPLIES
Community Veteran
Posts: 3,181
Thanks: 19
Fixes: 2
Registered: 31-07-2007

Multiple Port scans from 212.159.110.99

mail him and CC to abuse@plus.net

posting here isnt much good if you dont let the abuse dept. know
Unvalued customer since 2001 funding cheap internet for others / DSL/Fibre house move 24 month regrade from 8th May 2017
N/A

Multiple Port scans from 212.159.110.99

Errr, ah, hmm.

He did report to the abuse addy. He said that!

When and what information did you send to the abuse department?

You have to remember, you will not be the only person submitting report, and not just about the one person.

It can take weeks to deal with reports, from colating and gathering evidance, to even reaching your reporting ion the thousands they deal with.
N/A

Multiple Port scans from 212.159.110.99

I mailed my Zonealarm logs for the previous hits from that IP to abuse addy and i have also raised a contact us ticket about this mornings incidents. I am not expecting any replies directly from the abuse team as i realise they are busy however i reported this same guy several weeks ago as well and he still seems to be port scanning. I don't usually bother reporting them as my firewall and regular AV scans keep my computer secure but this guy is annoying mainly because of the amount of attempts he is making.
N/A

Multiple Port scans from 212.159.110.99

There is little PlusNet can do from one report, or rather, reports from one user. You need to hope others take action and report him too.

Logs can be easily faked, so they need co-oberation from another person saying that this user is scanning systems.

Have you attackted to contact the OP yourself?

postmaster@username.plus.com
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Multiple Port scans from 212.159.110.99

Maybe thats the reason this thread (and the one on usenet) was created for. To see if others had been scanned by the same IP also. That would then add more weight to the request to abuse.
N/A

Multiple Port scans from 212.159.110.99

Yes Peter that was the main reason that the threads were created for. As Peter says ZA logs can easly be faked so i was just wandering if anybodys else had picked up this guys scans.
N/A

Multiple Port scans from 212.159.110.99

TO me its seems kinda strange that there are so many people who are on PN that are getting scanned by ALOT of other PN ip's. I am also getting probed like crazy from alot of PN ip's.

I cant see any point in sending any reports or log files from firewalls to the abuse dept as there are so many PN ip's constantly scanning, i restrict every single PN probe and every day theres other PN ip's doing the same.

Im not worried at all by these probes as i know my system is totally free from any viri or trojan, the thing that does annoy me most of all is that it does seem to have an effect on my computer, lagging or a drop in speed.

Just hope what ever the problem is it gets sorted out soon as.
N/A

Multiple Port scans from 212.159.110.99

It has been relatively quiet here in the past few days.
The worst day since records began Smiley was 8565 on 23rd April. In the last week, five days were less than 50 and the worst day was 830.
By the way, I am on a different IP range so mine come from 81.174.x.x
N/A

Multiple Port scans from 212.159.110.99

Hi All

I am curious about something.Is there something that makes one person more susceptible to being scanned than another.Because I have been reading the posts here about people being scanned hundreds of times if not thousands;so out of interest I had a look at the firewall logs on my wifes computer (Win XP Home) that have'nt been checked for at least 2-3 months,and there were only a couple of hundred entries and most of those were just "background noise",and I certainly cannot be bothered to sort through the rest to nail down a culprit or culprits.But I would have thought that given the length of time since the logs were last checked,and the fact that her machine;like mine is always switched on and connected to the 'net that the log would have listed more 'attacks" real or otherwise than it actually did.

The only thing I can think of that may have a bearing on it ,and would appreciate some expert thoughts on this.......... is if a modem is used instead of a router: is that likely to allow more "attacks" to register on a firewall log?

IanJ
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Multiple Port scans from 212.159.110.99

It it completely random whether you will get scanned or not and depends on whether infected systems pick up your IP or not, or chose to scan an IP range that you are on. Often infected PCs will scan similar IP address ranges to themselves.

What is reported here is only happening to a smallish proportion of users and most will have what you have, a small amount of background noise. PN block a lot of port scans at the edge of their network so they never get in from the internet into PN's network.

What ADSL hardware do you use? If you have a external router then it usually has a NAT or SPI firewall built in that will block and probably not log the majority of port scans, so your software firewall will never see them. If it's just a USB modem then they do not normally have an in-built firewall, so will not block packets, so what you are seeing in your software firewall logs is what has been happening on your ADSL connection.
N/A

Multiple Port scans from 212.159.110.99

Thanks Peter

My curiousity is satisfied :-)

We are using at the moment an external router,which as you say does a lot to stop the "nasties" getting in.But I do get a little concerned as the weak spot for us these days is the wifes Windows machine which is firewalled and anti-virused to the hilt so we feel relatively secure in that respect,but I do intend in the near future to change hers for a Mac as I think Windows (without becoming too paranoid about it) is becoming the target of more and more sophisticated "attack" techniques,and the uses she puts her computer to is more than suitable for a Mac,and she has felt a little uneasy since she read that there are methods available that may allow child pornography to be passed through her computer without her knowing,and although I have explained that given the set up we have that is unlikly to actually happen the peace of mind to us of a complete non Windows computer enviroment outweighs the cost envolved.

But I must admit watching the methods used to try and get virus and worms onto her machine evolve over the years has been fascinating,and I must confess to using her computer as a "sacrificial lamb" to see what has been sent to my machine <evil grin> just this morning someone tried to send me "W32/netskyAB" disguised as a "pif" which would really work well on a Mac :-),but it did give the wifes "F-prot" anti-virus "Real Time Protector" it's first real test in that when I e-mailed it to her machine it killed it stone dead.So we know that works.

Once again thanks Peter,sorry about the bit of a ramble

IanJ
N/A

Multiple Port scans from 212.159.110.99

chamone:

Can I ask what sort of problem you think this can be?

Your post made me curious as it implied this is a PlusNet side issue.
N/A

Multiple Port scans from 212.159.110.99

RIght well seeing as most of the people on PN have static IP's and that the PN ip's i have already restricted and i noticed again a new PN ip that has scanned me again for X amount of times in X amount of minutes. Everyday i guarantee that i will have at least several new PN ip's scannin me X amount of times, also netbios scans are pretty frequant also.

I wasnt sugesting it was PN side problem i just found it strange that i get hit everyday with a new PN ip scanning me, but like someone said in a post further up, that an infected machine will scan its own IP range, in this case (my range) 80.229........

Now it might be the case that several customers PC's have been infected and they dont know and these customers must not be on a static IP but dynamic IP, coz im not gettin scanned by an IP that ive already restricted or Norton would say so when i actually add the new scan to the restricted list.

Off to bed im knackerd (been watchin bb5 and emma losing it big fashion) Smiley

NN
N/A

Multiple Port scans from 212.159.110.99

Iv'e had harmer1 appear in my firewall logs, on 25th may, but resolved from a different IP. So, he is not on a static IP or, if you were slow in doing a look up, was actually someone else.