Old 03-05-2006, 11:55 AM   #1
TatforTit
Interesting Firewall Logs


Anyone who looks at their firewall logger periodically will notice many IP addresses attempting IP block port scans against entire IP ranges, in which your own IP address just happens to reside. Usually any given IP port scan will pass you by with only one scan on one port (since they are scanning a block of IPs for the same open port, usually a Microsoft service port 1026-1029). However, this morning something interesting happened to me -- I noticed the same IP address attempting to scan the entire range of TCP ports on my PC in what appeared to be a stealth scan. This is a rarity since I am on a dial-up connection and anyone with half a brain knows what sort of networks reside on what IP ranges, so any potential cracker would know that my IP range is that of a dial-up service. No hacker would want to crack into a dial-up box, at least not unless there was a good reason to do so, and there is nothing important on my PC, nor do I ever scan ports on other computers besides my own, so a "revenge attack" was out of the question. Even though this is unusual, it isn't the first time I have seen such logs, so I thought nothing of it and moved along -- that is, until I received a phone call approximately 10 minutes later from an out-of-state number that showed up on my caller ID. I didn't answer it since I thought it was a solicitor.

The call had no name attached to it, but simply displayed the number and the city it originated from. This piqued my interest, so I went to the net, did a reverse look-up on the phone number and found out that it did indeed originate from where my caller ID said it did, and the name that came back on the net was simply a generic network service provider name -- there was no business or personal name attached to it. Well, then I remembered the port scan just a couple of minutes earlier and decided to run a "Whois" on the IP address, and guess what? Yep, the IP address of the port scan originated from the very city of the phone call. Paranoia? Nah, what makes it even more interesting is what else the "Whois" told me about the IP address: it was from a state government computer system. Either someone is bouncing off a state government computer system or someone is bored at their state job and decided to port scan me and then call me. Either those computer systems need some serious security auditing or someone needs to be fired for running port scans on state equipment.

Then I wondered if I had inadvertently done something to cause this or if maybe my PC had been hacked and used as a proxy. This seemed unlikely since I had spent all night experimenting with different Linux firewalls for iptables. I had, however, scanned my own computer numerous times from several different well-known auditing sites such as GRC and others. Perhaps these scans are showing up on my ISP's logs as suspicious? But, I know where my ISP's system is located and it is not in this other state. I have no idea and wonder what input you guys can give.
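The distinction the post draws (one hit on one port from a block sweep versus one source walking the whole TCP port range) is easy to pull out of iptables LOG output mechanically. The following is an added example, not code from the poster; the log lines are constructed in the format a LOG target writes, using documentation addresses, and the sweep threshold of 20 distinct ports is an assumed value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the fields an iptables LOG target writes (kernel: IN=... SRC=... DPT=...).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+)"
    r" .*?DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return (seconds-of-day, src, proto, dport) for a LOG line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    t = datetime.strptime(m.group("ts")[-8:], "%H:%M:%S")
    secs = t.hour * 3600 + t.minute * 60 + t.second
    return secs, m.group("src"), m.group("proto"), int(m.group("dpt"))

def summarize(log_text, sweep_threshold=20):
    """Group hits by source. One hit on one port is the usual block scan passing
    by; a source touching many distinct ports in a short span is a targeted sweep."""
    ports = defaultdict(set)
    first, last = {}, {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        secs, src, _proto, dpt = rec
        ports[src].add(dpt)
        first.setdefault(src, secs)
        last[src] = secs
    report = {}
    for src, dports in ports.items():
        n = len(dports)
        verdict = "targeted port sweep" if n >= sweep_threshold else "single-port probe"
        report[src] = {"distinct_ports": n, "span_s": last[src] - first[src], "verdict": verdict}
    return report

# Constructed sample (assumed, not real traffic): one block-scan hit on 1026,
# then a single source sweeping ports 1..40 over 40 seconds.
def _line(hms, src, dpt):
    return (f"Mar  5 {hms} box kernel: IN=ppp0 OUT= SRC={src} DST=198.51.100.7 "
            f"PROTO=TCP SPT=40211 DPT={dpt} SYN")

SAMPLE_LOG = "\n".join(
    [_line("09:12:01", "192.0.2.10", 1026)]
    + [_line(f"09:40:{i:02d}", "203.0.113.5", p) for i, p in enumerate(range(1, 41))]
)

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

On a real box the same function can be fed the output of `grep kernel /var/log/messages`, which is where a LOG rule's lines end up on a syslog setup like the one described.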
 
Old 03-06-2006, 04:59 PM   #2
Mara
Moderator
Quote:
Originally Posted by TatforTit
This is a rarity since I am on a dial-up connection and anyone with half a brain knows what sort of networks reside on what IP ranges, so any potential cracker would know that my IP range is that of a dial-up service. No hacker would want to crack into a dial-up box, at least not unless there was a good reason to do so, and there is nothing important on my PC.
Why not? A PC, on dialup or broadband (it doesn't matter) makes a "nice" zombie and can be used in a number of ways. Especially when it's not protected (dialup people tend to think they're safe, have no firewalls etc., so they're easier targets).

Dialup doesn't mean you're safe. The same when your ISP says you're behind a firewall.

Quote:
Yep, the IP address of the port scan originated from the very city of the phone call. Paranoia? Nah, what makes it even more interesting is what else the "Whois" told me about the IP address, it was from a state government computer system.
A scan that seems to be from a government system can be spoofed, remember that. The telephone call, however, makes the thing interesting. I don't think it's possible to find out what really happened, but use a paranoid firewall, just in case.

Quote:
Then I wondered if I had inadvertently done something to cause this or if maybe my PC had been hacked and used as a proxy. This seemed unlikely since I had spent all night experimenting with different Linux firewalls for iptables. I had, however, scanned my own computer numerous times from several different well-known auditing sites such as GRC and others. Perhaps these scans are showing up on my ISP's logs as suspicious? But, I know where my ISP's system is located and it is not in this other state. I have no idea and wonder what input you guys can give.
It may be that your ISP's IDS raised an alarm. Or any other IDS raised it, which resulted in that scan attempt (somebody trying to find out what's going on). I don't think that most ISPs would react seeing just scans (well, not 'think', I know it).

It is an interesting story. Explanation? Only if you make it occur again...