NTL Security probe


Matth
01-07-2004, 21:45
www.security.scanner.ntli.net (http://www.security.scanner.ntli.net) - 62.253.160.70

Got scanned twice today:
Ports 2745, 3127, 420, 5000, SMTP (25)
I don't recognize 420, though the others are frequently part of a virus/worm probe

http://www.ntl-isp.ntl.com/ServiceStatus/ServiceDetails.aspx?FaultID=90

Nice to know they're being pro-active, and don't waste time reporting the address to NTL, Dshield or Mynetwatchman

iadom
01-07-2004, 21:54
www.security.scanner.ntli.net (http://www.security.scanner.ntli.net/) - 62.253.160.70

Got scanned twice today:
Ports 2745, 3127, 420, 5000, SMTP (25)
I don't recognize 420, though the others are frequently part of a virus/worm probe

http://www.ntl-isp.ntl.com/ServiceStatus/ServiceDetails.aspx?FaultID=90

Nice to know they're being pro-active, and don't waste time reporting the address to NTL, Dshield or Mynetwatchman
420 is SMTPE. Nice that they are now including security.scanner for the DNS lookup; they must have got fed up with all the abuse reports.

altis
01-07-2004, 23:55
Oh, well there's a surprise!
01 July 2004 21:02:35 Unrecognized access from 62.253.160.70:65535 to TCP port 2745
01 July 2004 21:02:35 Unrecognized access from 62.253.160.70:65535 to TCP port 3127
01 July 2004 21:02:35 Unrecognized access from 62.253.160.70:65535 to TCP port 420
01 July 2004 21:02:35 Unrecognized access from 62.253.160.70:65535 to TCP port 5000
01 July 2004 21:02:35 Unrecognized access from 62.253.160.70:65535 to TCP port 25

Answer:
62.253.160.70 PTR record: please.see.www.security.scanner.ntli.net

But not much info yet...
www.security.scanner.ntli.net
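Detection logic over the blocked-connection lines quoted above, as an added example that is not code from the thread or from NTL: it parses the firewall format shown, flags a source that hits several distinct ports within a short window as a port sweep, and labels the source using its PTR record. The PTR answer quoted above is embedded as a lookup table so the script runs offline; the thresholds, the extra 198.51.100.7 line, the table and the function names are assumptions.

```python
"""Port-sweep detection over firewall log lines (added example, not from the thread)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The first five lines are the ones posted in the thread; the last line is a
# constructed single hit from a documentation address (198.51.100.7), included to
# show that one stray packet does not trigger the sweep rule.
FIREWALL_LOG = """\
01 July 2004 21:02:35 Unrecognized access from 62.253.160.70:65535 to TCP port 2745
01 July 2004 21:02:35 Unrecognized access from 62.253.160.70:65535 to TCP port 3127
01 July 2004 21:02:35 Unrecognized access from 62.253.160.70:65535 to TCP port 420
01 July 2004 21:02:35 Unrecognized access from 62.253.160.70:65535 to TCP port 5000
01 July 2004 21:02:35 Unrecognized access from 62.253.160.70:65535 to TCP port 25
01 July 2004 21:40:12 Unrecognized access from 198.51.100.7:4021 to TCP port 135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2} \w+ \d{4} \d{2}:\d{2}:\d{2}) Unrecognized access from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) to (?P<proto>TCP|UDP) port (?P<dport>\d+)$"
)

# Assumed PTR answers, kept as a table so the example runs offline. The entry for the
# scanner is the reverse-DNS answer quoted in the thread.
PTR_TABLE = {"62.253.160.70": "please.see.www.security.scanner.ntli.net"}
ANNOUNCED_SCANNER_SUFFIX = "security.scanner.ntli.net"


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d %B %Y %H:%M:%S"),
        "src": m["src"],
        "sport": int(m["sport"]),
        "proto": m["proto"],
        "dport": int(m["dport"]),
    }


def find_sweeps(log_text, min_ports=3, window=timedelta(minutes=5)):
    """Group blocked connections by source address and report every source that touched
    at least `min_ports` distinct destination ports inside any `window`-long interval.
    Returns {source_ip: sorted list of ports seen in the densest window}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    sweeps = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in events[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            sweeps[src] = sorted(best)
    return sweeps


def classify_source(src, ptr_lookup=PTR_TABLE.get):
    """Label a source by its PTR record: the ISP's announced scanner, or an unknown host."""
    ptr = ptr_lookup(src)
    if ptr and ptr.endswith(ANNOUNCED_SCANNER_SUFFIX):
        return "announced ISP scanner"
    return "unknown source"


def report(log_text):
    """Combine sweep detection and PTR classification into one result per source."""
    return {src: {"ports": ports, "verdict": classify_source(src)}
            for src, ports in find_sweeps(log_text).items()}


if __name__ == "__main__":
    for src, info in report(FIREWALL_LOG).items():
        print(f"{src}: sweep of ports {info['ports']} ({info['verdict']})")
```

Against live logs you would replace the `PTR_TABLE.get` default with a function wrapping `socket.gethostbyaddr`, and cache its answers, since a sweep from a spoofed or unannounced address will return nothing and should still be reported as unknown rather than dropped.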

Paul
02-07-2004, 00:17
Yep - I got scanned tonight - they all bounced off my firewall. :)

Shaun
02-07-2004, 15:16
What's it for? Are they checking how many people have firewalls? Or how many are running servers? :confused:

Mick
02-07-2004, 15:24
Just checking through my firewall logs, got scanned last night, tried to scan port 25, so I can only assume they are checking customers' machines to determine if they are operating as a web or mail server.

Paul
02-07-2004, 16:56
What's it for? Are they checking how many people have firewalls? Or how many are running servers? :confused:

Both probably.

SOSAGES
02-07-2004, 20:39
You weren't allowed to run webservers originally, were you? I think you can - I checked my logs, I can't find any scans on that IP

KraGorn
02-07-2004, 23:06
How typical of NTL to lie about what they're doing .. "network maintenance" doesn't need to port scan specific ports like these.

Paul
03-07-2004, 00:10
How typical of NTL to lie about what they're doing .. "network maintenance" doesn't need to port scan specific ports like these.

How exactly are they lying? Do you have some inside knowledge on what they are scanning for? They have told you that you will be scanned, and they were right.

nopcode
03-07-2004, 03:41
I have heard from 2 friends on NTL who have had letters about spam emails (supposedly) originating from their NTL email accounts (even though they haven't been involved in that activity). In both cases I've talked them through removing any malware/trojans, to stop NTL from d/c'ing them as stated in the letter.

I'm half sure some new virus/trojan/malware is specifically targeting NTL connections through fake emails and/or NTL network port scans (to find unprotected PCs).
I myself have had a lot of unusual firewall activity, and a lot of disconnects from the BB service when using online games/messenger apps/web browsing.
Although I'm at a loss to say who/what is causing the abnormal traffic, I know it is there.

edit! hmm, the relation to this thread was supposed to be that NTL must be probing/scanning NTL addresses (hopefully not the reason for my D/c's :)) to find out which ones are being exploited by mass mailer daemons, or other malware, or maybe even p2p usage, as in the letters to my friends about it.

btw just as I was writing this I got 4 Zone Alarm blocked msgs, all from the same IP but different ports.
IP: 219.150.118.21 on ports 12490, 29503, 13694, 10596, all to my IP on port 1026.

funnily enough this is linked to a DoS attack

hmm maybe ET is trying to get noticed

BBKing
03-07-2004, 04:31
How typical of NTL to lie about what they're doing .. "network maintenance" doesn't need to port scan specific ports like these.

Pass the crack pipe, Alice. What does this have to do with network maintenance? I happen to know ntl do rather a lot of network maintenance, I'm involved with it.

KraGorn
03-07-2004, 09:25
Pass the crack pipe, Alice. What does this have to do with network maintenance? I happen to know ntl do rather a lot of network maintenance, I'm involved with it.
SO, what DO port scans have to do with network maintenance? More specifically, why THESE ports in particular. Random probes I may accept have use, these are too specific .. they're looking for something and not saying what it is, instead they're inferring it's routine 'maintenance'.

THAT's why they're lying!

dev
03-07-2004, 12:28
SO, what DO port scans have to do with network maintenance? More specifically, why THESE ports in particular. Random probes I may accept have use, these are too specific .. they're looking for something and not saying what it is, instead they're inferring it's routine 'maintenance'.

THAT's why they're lying!

they are most likely looking for viruses/worms spreading by Windows exploits or whatever; that is maintenance, as it will cut down traffic on the network, making more available to you and making the network quicker :)

Paul
03-07-2004, 13:48
they are most likely looking for viruses/worms spreading by Windows exploits or whatever; that is maintenance, as it will cut down traffic on the network, making more available to you and making the network quicker :)

Precisely.

Bambi
03-07-2004, 18:40
You weren't allowed to run webservers originally, were you? I think you can - I checked my logs, I can't find any scans on that IP

Unless they have changed their TAC, you can run a web server and any file server as long as any downloads are on a passworded account basis that is not publicly available, i.e. only private user accounts.

I have been running a small Apache server for about a year now with no hassles.