Getting "probed" by NTL customers.....


Electrolyte01
10-06-2004, 23:36
OK, what is going on? My FTP server, which is running BlackICE Defender, is reporting people on NTL port scanning me, such as HTTP scans and FTP scans. Someone tried it 36 times, and I'm wanting to know if this is on purpose or they have caught a program that does this.

Any ideas?

quadplay
10-06-2004, 23:53
Port scans are against ntl's Residential Internet Terms & Conditions. Please report such activity to the Abuse team by visiting www.ntlworld.com/netreport

Thanks! :D

Chris W
10-06-2004, 23:54
It could be either... either way report it to the abuse team (www.ntlworld.com/netreport)

The policy on port scanning is three strikes and you're out.

EDIT: Jimbo beat me to it...

Electrolyte01
11-06-2004, 00:05
It asks for evidence, but I can't find a program to open up Black Ice's evidence file. Any ideas of one on the net to show the proof of them both?

Chris W
11-06-2004, 00:06
What form is the output from BlackICE? There should be a text log file and you can just copy and paste the appropriate part.

Electrolyte01
11-06-2004, 00:08
Black Ice uses .enc because it saves a packet and gives detailed information about it. I think I have found a decoder though ;)

EDIT: This is going to be hard, it's a load of code I don't understand :(

MetaWraith
11-06-2004, 00:22
Extract from http://www.iss.net/security_center/advice/Support/KB/q000214/default.htm

The Packet Log and Evidence Log features of BlackICE generate files with the extension ".enc". These ".enc" files contain actual network traffic and in the case of evidence files, they contain traffic that was part of the detected attacks. These files are not readable by normal text editor programs, such as Notepad, but must instead be decoded by standard protocol analyzer programs (sniffers) that network technicians typically use to analyze network traffic.

You can find sniffers (protocol analyzers) to read the packet log and evidence log files at the following web sites:

www.nai.com (http://www.nai.com/)
www.ethereal.com (http://www.ethereal.com/)
That said, you can read some of the log in text editors like Notepad, but not much of it will make sense unless some plain text was included in the packet that triggered the capture.

Electrolyte01
11-06-2004, 00:44
What part on Ethereal am I supposed to copy and paste? I found the IP of the attacker and the port he scanned me on (80), but in the middle window I don't know what lines I need to tell NTL about.

Paul
11-06-2004, 01:33
All NTL really need are the IP, the port scanned and the time/frequency of the scans. Unless it is persistent, it is probably not worth bothering.
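Paul's point above (the abuse team needs the source IP, the ports probed, and the time and frequency, and only persistent sources are worth a report) can be turned into a small triage script. The following is an added example, not code from the thread, from BlackICE or from myNetWatchman: the one-line-per-connection log format, the constructed sample lines (TEST-NET addresses), and the "persistent" thresholds are all assumptions, so adapt the regular expression to whatever text log your firewall actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the thread). Assumed format:
#   "<date> <time> <proto> <src>:<sport> -> <dst>:<dport> <flags>"
# 192.0.2.10 walks six ports in three seconds; 192.0.2.20 touches port 80
# twice, half an hour apart; the last line is deliberately malformed.
SAMPLE_LOG = """\
2004-06-10 23:10:01 TCP 192.0.2.10:1054 -> 10.0.0.5:21 SYN
2004-06-10 23:10:01 TCP 192.0.2.10:1055 -> 10.0.0.5:22 SYN
2004-06-10 23:10:02 TCP 192.0.2.10:1056 -> 10.0.0.5:23 SYN
2004-06-10 23:10:02 TCP 192.0.2.10:1057 -> 10.0.0.5:80 SYN
2004-06-10 23:10:03 TCP 192.0.2.10:1058 -> 10.0.0.5:135 SYN
2004-06-10 23:10:03 TCP 192.0.2.10:1059 -> 10.0.0.5:445 SYN
2004-06-10 23:40:17 TCP 192.0.2.20:3201 -> 10.0.0.5:80 SYN
2004-06-11 00:05:44 TCP 192.0.2.20:3377 -> 10.0.0.5:80 SYN
this line is not a log entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so junk is skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dport": int(m.group("dport")),
    }


def summarize(lines):
    """Group events by source IP: hit count, distinct ports, first/last seen."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            hits[rec["src"]].append(rec)
    summary = {}
    for src, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        summary[src] = {
            "count": len(recs),
            "ports": sorted({r["dport"] for r in recs}),
            "first": recs[0]["ts"],
            "last": recs[-1]["ts"],
        }
    return summary


def worth_reporting(s, min_hits=10, min_ports=5):
    """Assumed persistence rule: many attempts, or a sweep of many ports.
    A couple of hits on port 80 is ordinary background noise, not a report."""
    return s["count"] >= min_hits or len(s["ports"]) >= min_ports


def abuse_report(src, s, tz="UTC"):
    """Plain-text body with exactly the fields an abuse desk asks for.
    State the timezone of the log explicitly; abuse teams match by time."""
    return (
        f"Source IP: {src}\n"
        f"Ports probed: {', '.join(str(p) for p in s['ports'])}\n"
        f"Connection attempts: {s['count']}\n"
        f"First seen: {s['first']:%Y-%m-%d %H:%M:%S} {tz}\n"
        f"Last seen:  {s['last']:%Y-%m-%d %H:%M:%S} {tz}\n"
    )


def reports_for(lines, tz="UTC"):
    """Return {src: report_text} for every source that passes the threshold."""
    return {
        src: abuse_report(src, s, tz)
        for src, s in summarize(lines).items()
        if worth_reporting(s)
    }


if __name__ == "__main__":
    for text in reports_for(SAMPLE_LOG.splitlines(), tz="BST").values():
        print(text)
```

Run against a real log, only 192.0.2.10 style sources (a port sweep or a large number of attempts) produce a report; the two isolated hits on port 80 are dropped, which is the "unless it is persistent" filter from the post above. Raise `min_hits` and `min_ports` if your connection sees a lot of worm noise.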

Chris W
11-06-2004, 01:51
What part on Ethereal am I supposed to copy and paste? I found the IP of the attacker and the port he scanned me on (80), but in the middle window I don't know what lines I need to tell NTL about.

Might as well copy all information that you think might be relevant... someone working for the abuse team can sort through it ;)

At the time of the Blaster/Welchia worms I was sending 150+ pages of router logs every day to one of the teams at work so they could get all of the IPs. Needless to say they did a pretty good job of sorting through them :tu:

deadite66
11-06-2004, 06:43
Install http://www.mynetwatchman.com/ and let them automatically send reports to the ISP for you.

Like this naughty ntlworld user: http://www.mynetwatchman.com/LID.asp?IID=101544654

Electrolyte01
11-06-2004, 08:10
Thanks for that program, I'm installing it right away because I am being attacked from loads of people :mad:

iadom
11-06-2004, 09:52
I use this: http://www.visualizesoftware.com/ for Zone Alarm. They do a version for BlackICE; not free, but it produces loads of extra info on your firewall activity and can generate email messages from within the program that you can send to abuse@ anywhere.

Electrolyte01
11-06-2004, 10:10
I installed myNetWatchman, and it sent off all the "possible" attacks I had in my BlackICE attack list. At least it's automatic :D

poolking
11-06-2004, 10:57
Are you positive they are "attacks"? It could just be normal internet traffic.

Electrolyte01
11-06-2004, 11:02
myNetWatchman sends it off, and the team checks to see if it's traffic or not. One on NTL did it 24 times, that can't be traffic, can it?

Bluffdemon
11-06-2004, 11:07
Hi, on this subject... my firewall has just informed me that NTL has performed a port scan on my PC. Is this normal from NTL? It tells me it was a network scan, which the firewall classed as an intrusion on this PC.
Can anybody help, as I get quite a large number of these from day to day?

Thanks in advance ;)

bluffdemon

Electrolyte01
11-06-2004, 11:08
Hi, on this subject... my firewall has just informed me that NTL has performed a port scan on my PC. Is this normal from NTL? It tells me it was a network scan, which the firewall classed as an intrusion on this PC.
Can anybody help, as I get quite a large number of these from day to day?

Thanks in advance ;)

bluffdemon
Hmm, so I'm not the only one. Thank god for that.

Bluffdemon
11-06-2004, 11:25
Hi, I have just run a few checks on the IP address which the scan came from and all of them tell me it's NTL. Are they allowed to do this?
Surely this can't be right, can it?

bluffdemon

poolking
11-06-2004, 11:37
I have these all of the time; just let your firewall deal with it.

MetaWraith
11-06-2004, 11:55
Just to add some more fuel to the fire/debate

http://www.samspade.org/d/firewalls.html

Discuss.

Electrolyte01
11-06-2004, 12:00
I think I might just get a hardware firewall, or a router.

Electrolyte01
11-06-2004, 13:05
Well, I just checked the status of the "possible" attacks I've had, and myNetWatchman has reported them to those people's ISPs, but NTL hasn't responded to the NTL attacks yet. About 5 ISPs have responded.

That myNetWatchman is such a good system.

EDIT: Here is the link to the person on NTL HTTP port probing me, AND other people: http://www.mynetwatchman.com/LID.asp?IID=96504731

baldy
12-06-2004, 01:00
Just to add some more fuel to the fire/debate

http://www.samspade.org/d/firewalls.html

Discuss.

:D

He's right too :p:

I'm a hypocrite though. I have a Windows firewall :o

Mind you, I'm a nosey bugger and will have my BSD box back logging router SNMP data some time soon. The Windows firewall can go then :cool:

EDIT:

Just thought, what about all those programs phoning home :confused: How do you stop them without a Windows firewall, or with a router that does not block outgoing data? :shocked: :( ;)