NTL Security probe

[Matth]

www.security.scanner.ntli.net - 62.253.160.70

Got scanned twice today:
Ports 2745, 3127, 420, 5000, SMTP (25)
I don't recognize 420, though the others are frequently part of a virus/worm probe

http://www.ntl-isp.ntl.com/ServiceSt...spx?FaultID=90

Nice to know they're being pro-active, and don't waste time reporting the address to NTL, Dshield or Mynetwatchman

[iadom]

Quote:

Originally Posted by Matth

www.security.scanner.ntli.net - 62.253.160.70

Got scanned twice today:
Ports 2745, 3127, 420, 5000, SMTP (25)
I don't recognize 420, though the others are frequently part of a virus/worm probe

http://www.ntl-isp.ntl.com/ServiceSt...spx?FaultID=90

Nice to know they're being pro-active, and don't waste time reporting the address to NTL, Dshield or Mynetwatchman

420 is SMTPE. nice that they are now including security.scanner for the DNS lookup, they must have got fed up with all the abuse reports.

[altis]

Oh, well there's a surprise!

Quote:

Originally Posted by firewall log

01 July 2004 21:02:35 Unrecognized access from 62.253.160.70:65535 to TCP port 2745
01 July 2004 21:02:35 Unrecognized access from 62.253.160.70:65535 to TCP port 3127
01 July 2004 21:02:35 Unrecognized access from 62.253.160.70:65535 to TCP port 420
01 July 2004 21:02:35 Unrecognized access from 62.253.160.70:65535 to TCP port 5000
01 July 2004 21:02:35 Unrecognized access from 62.253.160.70:65535 to TCP port 25

Quote:

Originally Posted by Reverse DNS search

Answer:
62.253.160.70 PTR record: please.see.www.security.scanner.ntli.net

But not much info yet...
www.security.scanner.ntli.net

Yep - I got scanned tonight - they all bounced off my firewall.

[Shaun]

Whats it for? Are they checking how many people have firewalls? Or how many are running servers?

Just checking through my firewall logs, got scanned lastnight, tried to scan port 25 so I can only assume they are checking customers machines to determine if they are operating as a web or mail server.

Quote:

Originally Posted by dellwear

Whats it for? Are they checking how many people have firewalls? Or how many are running servers?

Both probably.

[SOSAGES]

u wasnt allowed to run webservers originally was u ? i think u can - i checked my logs i cant find any scans on that IP

[KraGorn]

How typical of NTL to lie about what they're doing .. "network maintenance" doesn't need to port scan specific ports like these.

Quote:

Originally Posted by KraGorn

How typical of NTL to lie about what they're doing .. "network maintenance" doesn't need to port scan specific ports like these.

How exactly are they lying ? - do you have some inside knowledge on what they are scanning for ? - they have told you that you will be scanned, and they were right.

[nopcode]

I have heard from 2 friends on NTL who have had letters about spam emails (supposedly) originating from their NTL email accounts, (even tho they havent been involved in that activity). In both cases ive talked them through removing any malware/trojans, to stop NTL from d/c'ing them as stated in the letter.

Im half sure some new virus/trojan/malware is specifically targeting ntl connections through fake emails and/or ntl network port scans (to find unporotected pc's) .
I myself have had alot of unusual firewall activity, and alot of disconects from the BB service when using online games/messenger apps/web browsing.
Although im at a loss to say who/what is causing the abnormal traffic, i know it is there.

edit! hmm the relation to this this thread was supposed to be, that NTL must be probing/scanning ntl addresses (hopefully not the reason for my D/c's ) , to find out which ones are being exploited by mass mailer daemons, or other malware or maybe even p2p usage. as in the letters to my friends about it.

btw just as i was writing this i got 4 zone alarm blocked msgs. all from same ip but diff ports.
IP:219.150.118.21 on ports 12490,29503,13694.10596 all to my ip on port 1026.

funnily enough this is linked to a dos attack

hmm maybe ET is trying to get noticed

[BBKing]

Quote:

How typical of NTL to lie about what they're doing .. "network maintenance" doesn't need to port scan specific ports like these.

Pass the crack pipe, Alice. What does this have to do with network maintenance? I happen to know ntl do rather a lot of network maintenance, I'm involved with it.

[KraGorn]

Quote:

Originally Posted by BBKing

Pass the crack pipe, Alice. What does this have to do with network maintenance? I happen to know ntl do rather a lot of network maintenance, I'm involved with it.

SO, what DO port scans have to do with network maintenance? More specifically, why THESE ports in particular. Random probes I may accept have use, these are too specific .. they're looking for something and not saying what it is, instead they're inferring it's routine 'maintenance'.

THAT's why they're lying!

[dev]

Quote:

Originally Posted by KraGorn

SO, what DO port scans have to do with network maintenance? More specifically, why THESE ports in particular. Random probes I may accept have use, these are too specific .. they're looking for something and not saying what it is, instead they're inferring it's routine 'maintenance'.

THAT's why they're lying!

they are most likely looking for viruses/worms spreading by windows exploits or whatever, that is maintenance as it will cut down traffic on the network making more available to you and making the network quicker

Quote:

Originally Posted by dev

they are most likely looking for viruses/worms spreading by windows exploits or whatever, that is maintenance as it will cut down traffic on the network making more available to you and making the network quicker

Precisely.