LinuxQuestions.org
Old 11-01-2010, 04:51 PM   #1
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Rep: Reputation: 51
Question regarding responsible security


Hi,

It was recommended that I post the results of a service scan performed against a remote machine. However, before I get flamed for lack of proper etiquette, I asked for advice prior to posting. So, here goes.

I have been getting scanned repeatedly by the same group of addresses for well over 2 months. I decided to take a closer look once the scans stepped up a notch. By "stepped up a notch" I mean more specific.
All the originating hosts are using either port 12200 or port 6000. All, with one exception, appear to be located in China. The scans are blatant. Over and over again. I noticed some timing between scans that seemed to match up with a European location as well.

The first question would be if I could get in trouble for the remote host actions. I mean, I have noticed pings directed past the router to the internal network now in my Linux logs. Could the attacker/scanner be using me as a bounce for other stuff? The scans, as stated before, never stop.

I ran a scan against one of the hosts out of curiosity. You can check it out at http://pastebin.com/5qcKSgC0. It appeared to be a school in China. Should I report it? If so, how would I report it to some guy in China, I don't speak or write Chinese.

Anyway, thanks.
 
Old 11-01-2010, 05:31 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
If there is a question of what is and is not acceptable that isn't covered by the LQ policies documents, then I would suggest PM'ing a moderator and straight out asking.

As far as being scanned from China, well, unfortunately, I think the sad truth is that there is little you can do about it. Your description of the scans being a 'never stop' condition is a little suspicious and I would consider blocking the offending IP (or rather range of IPs - go for the base network of the ISP) and see if you get a change in response that indicates an intelligence behind the process.

Otherwise, your best course of action is to do everything you can to ensure that your own system is secure and that it stays that way.
 
1 members found this post helpful.
Old 11-01-2010, 05:59 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by mrmnemo
It was recommended that I post the results of a service scan performed against a remote machine.
Who did and did they give specific reasons for doing that?


Quote:
Originally Posted by mrmnemo
I have been getting scanned repeatedly by the same group of addresses for well over 2 months.
If you publicly provide the services they scan for surely you have blocked unauthorized access?
Elif you don't publicly provide the services they scan for then what do you have to fear?
And how about using an IDS instead of scanning? Because exploiting known vulnerabilities will yield known signatures. Having those captured makes it easier to find out the level of intent (as in automated scanner vs human focus).

Quote:
Originally Posted by mrmnemo
The first question would be if I could get in trouble for the remote host actions.
This depends on your view.
- First of all your ISP may prohibit unauthorized port scanning. Scanning remote targets anyway may affect your level of service.
- Secondly (state) law may prohibit the same (Computer Fraud and Abuse Act, Computer Systems Protection Act, Computer Misuse Act et cetera).
- Then there is the (remote?) risk of retaliation but most of all
- the effectiveness of a scan is disputable:
Quote:
Originally Posted by mrmnemo
I ran a scan against one of the hosts out of curiosity. (..) It appeared to be a school in China.
in the case of your Chinese host (which appears to be the property of the Medical College Hospital of XuZhou in Jiangsu state) the server seems to be involved with spam [0] and it has been scanning for VNC-related vulns [1|2] for years now [3]. In short: fat chance scanning gets you something interesting.


Quote:
Originally Posted by mrmnemo
Should I report it? If so, how would I report it to some guy in China, I don't speak or write Chinese.
If you report it I would suggest their upstream and in English. However given the nature of ISP support your report may be stored safely in the bit bucket for an indefinite period of time (as in pigs taking to the sky or Hell starting to cool down drastically).

Last edited by unSpawn; 11-01-2010 at 06:00 PM.
 
1 members found this post helpful.
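
Added example, not part of any post in this thread: the replies above suggest blocking the base network of the scanning hosts and judging automated scanner vs human focus from captured traffic, and this sketch does that triage from firewall logs alone. The log lines are constructed (RFC 5737 documentation addresses), the netfilter LOG-style `SRC=`/`SPT=`/`DPT=` fields are an assumed log format, and `summarise` and its fixed-source-port heuristic (based on the ports 12200 and 6000 mentioned in post #1) are hypothetical names and assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the netfilter LOG key=value style (RFC 5737 addresses).
SAMPLE_LOG = """\
Nov  1 16:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=6000 DPT=5900 SYN
Nov  1 16:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=6000 DPT=5901 SYN
Nov  1 16:01:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.5 PROTO=TCP SPT=12200 DPT=5900 SYN
Nov  1 16:02:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.5 PROTO=TCP SPT=12200 DPT=22 SYN
Nov  1 16:05:40 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.5 PROTO=TCP SPT=51514 DPT=443 SYN
Nov  1 16:05:41 gw kernel: this line is not a packet log entry
"""

FIELD = re.compile(r"\b(SRC|SPT|DPT)=(\S+)")

def summarise(log_text, prefix_len=24, min_hits=3):
    """Group logged packets by source network; return candidates for blocking."""
    nets = defaultdict(lambda: {"hits": 0, "hosts": set(), "spts": set(), "dpts": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not {"SRC", "SPT", "DPT"} <= f.keys():
            continue  # not a complete TCP/UDP packet record
        try:
            net = ipaddress.ip_network(f"{f['SRC']}/{prefix_len}", strict=False)
            spt, dpt = int(f["SPT"]), int(f["DPT"])
        except ValueError:
            continue  # malformed address or port: skip rather than crash
        entry = nets[str(net)]
        entry["hits"] += 1
        entry["hosts"].add(f["SRC"])
        entry["spts"].add(spt)
        entry["dpts"].add(dpt)
    report = {}
    for net, e in nets.items():
        if e["hits"] < min_hits:
            continue  # too few packets to call it a repeated scan
        report[net] = {
            "hits": e["hits"],
            "hosts": len(e["hosts"]),
            "dest_ports": sorted(e["dpts"]),
            # Assumed heuristic: one reused source port per host suggests a scripted tool.
            "fixed_source_ports": len(e["spts"]) <= len(e["hosts"]),
        }
    return report

if __name__ == "__main__":
    for net, info in summarise(SAMPLE_LOG).items():
        print(net, info)
```

A network that shows up here with many hits and `fixed_source_ports` set is the kind of range post #2 suggests blocking as a whole; ordinary client stacks pick a fresh ephemeral source port per connection.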
Old 11-01-2010, 06:45 PM   #4
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Original Poster
Rep: Reputation: 51
OK, point taken on all counts.

As to who told me I should post, I may have misunderstood. Either way, thanks for the input.

Marking as solved.
 
  

