by   June 28 2011   
Alert! Intrusion, Intrusion, hn.kd.ny.adsl China 125.45.109.166 is invading or is it?

We see a lot of postings related to firewall logs filled with alerts, intrusion attempts, port scans, etc. It's good that you have software or hardware looking after your equipment. It's those who have never seen a firewall alert that need to worry.

IP addresses from China seem to come up a lot in firewall or network discussions. This post is not an endorsement of the ha dat com network located in China; it is meant to educate others about the systems that are out there online.

A couple of points worth noting.

  • Most computer systems that are running scans are typically being controlled by another computer system (compare a Google bot with a zombie).
  • Bots or robot systems are often used to look for things.
  • Zombie systems are typically used on demand to do specific things, such as running DDoS attacks.

The system in China at IP 125.45.109.166, port 12200, appears to be the middle system. It could have been a mistake by a tech leaving all those ports open. It could also be a virus, or maybe the network operations center wants a good old-fashioned zombie / proxy on their network.

In any case it's more annoying than damaging if you have things set up on your local network.

Here's a quick tip: never think you can't be hacked. Always think about what you will do when you are hacked. "It's not IF you are hacked, it's WHEN."

A scan doesn't mean a hack or a direct attempt to access your computer or network. It only means a program or application has checked whether ports on your network-connected device are responding.

Order of things: the port scans are coming from the last known location, 125.45.109.166, port 12200. This doesn't mean that a person is sitting behind a computer using that IP address. It only means your logs picked this up as the identified point of entry.

Most likely the actual script is running four levels or more deeper than your logs show. But that's not important; what is important for you is to see what they see. (IT often doesn't research scans out of fear of what they might discover. It's like putting your head in the sand: an "if I can't see them, they can't see me" mentality.)

The classic "Are you there?" scan helps determine whether equipment is online and responding on a listening port. It's like someone calling your telephone and hanging up to see if you will answer. Instead of waiting for you to say hello, your network device responds with "Clear to Send", which is the same as a status code 200.

Once your system responds with a status 200 (or any status, for that matter), the script typically logs the IP and port (your stuff) and might pass that information to another application to be used against your computer. Most times you just don't know until it's too late.

Port Scan Example:

I'm guessing you have your own proxy port scanning tools. If not, you can log in and use the one I have. GFI has a good tool that you can download as well.

My port scanning API checks classic port numbers. I look for the "No Proxy on xxx." line to appear on each attempt. Below is an example.

Testing for Proxy on 192.192.192.001
Using www.google.com
No Proxy on 192.192.192.001:21 Server Status:
No Proxy on 192.192.192.001:25 Server Status:
No Proxy on 192.192.192.001:80 Server Status:
No Proxy on 192.192.192.001:88 Server Status:
No Proxy on 192.192.192.001:110 Server Status:
No Proxy on 192.192.192.001:443 Server Status:
No Proxy on 192.192.192.001:444 Server Status:
No Proxy on 192.192.192.001:808 Server Status:
No Proxy on 192.192.192.001:1080 Server Status:
No Proxy on 192.192.192.001:2003 Server Status:
No Proxy on 192.192.192.001:2680 Server Status:
No Proxy on 192.192.192.001:3124 Server Status:
No Proxy on 192.192.192.001:3127 Server Status:
No Proxy on 192.192.192.001:3128 Server Status:
No Proxy on 192.192.192.001:2232 Server Status:
No Proxy on 192.192.192.001:3862 Server Status:
No Proxy on 192.192.192.001:5555 Server Status:
No Proxy on 192.192.192.001:5566 Server Status:
No Proxy on 192.192.192.001:6588 Server Status:
No Proxy on 192.192.192.001:8000 Server Status:
No Proxy on 192.192.192.001:8001 Server Status:
No Proxy on 192.192.192.001:8008 Server Status:
No Proxy on 192.192.192.001:8080 Server Status:
No Proxy on 192.192.192.001:8081 Server Status:
No Proxy on 192.192.192.001:8085 Server Status:
No Proxy on 192.192.192.001:8086 Server Status:
No Proxy on 192.192.192.001:8087 Server Status:
No Proxy on 192.192.192.001:8088 Server Status:
No Proxy on 192.192.192.001:8090 Server Status:
No Proxy on 192.192.192.001:8118 Server Status:
No Proxy on 192.192.192.001:8135 Server Status:
No Proxy on 192.192.192.001:8888 Server Status:
No Proxy on 192.192.192.001:9000 Server Status:
No Proxy on 192.192.192.001:9090 Server Status:
No Proxy on 192.192.192.001:9483 Server Status:
No Proxy on 192.192.192.001:17941 Server Status:
No Proxy on 192.192.192.001:46769 Server Status:
No Proxy on 192.192.192.001:47859 Server Status:
No Proxy on 192.192.192.001:48703 Server Status:
XCtM Project Proxy Test Finished.

With that test I can see that almost all well-known ports are not responding to the internet. This is a good thing.

Now let's take a look at the system in China that seems to like scanning for open ports on our networks and others.

Testing for Proxy on 125.45.109.166
Using www.google.com
No Proxy on 125.45.109.166:21 Server Status:
No Proxy on 125.45.109.166:25 Server Status:
No Proxy on 125.45.109.166:80 Server Status:
No Proxy on 125.45.109.166:88 Server Status:
No Proxy on 125.45.109.166:110 Server Status:
No Proxy on 125.45.109.166:443 Server Status:
No Proxy on 125.45.109.166:444 Server Status:
No Proxy on 125.45.109.166:808 Server Status:
No Proxy on 125.45.109.166:1080 Server Status:
No Proxy on 125.45.109.166:2003 Server Status:
No Proxy on 125.45.109.166:2680 Server Status:
No Proxy on 125.45.109.166:3124 Server Status:
No Proxy on 125.45.109.166:3127 Server Status:
No Proxy on 125.45.109.166:3128 Server Status:
No Proxy on 125.45.109.166:2232 Server Status:
No Proxy on 125.45.109.166:3862 Server Status:
No Proxy on 125.45.109.166:5555 Server Status:
No Proxy on 125.45.109.166:5566 Server Status:
No Proxy on 125.45.109.166:6588 Server Status:
No Proxy on 125.45.109.166:8000 Server Status:
No Proxy on 125.45.109.166:8001 Server Status:
No Proxy on 125.45.109.166:8008 Server Status:
No Proxy on 125.45.109.166:8080 Server Status:

Here's where we find responsive ports:
Yes Proxy on 125.45.109.166:8081 Server Status: 200
Yes Proxy on 125.45.109.166:8085 Server Status: 200
Yes Proxy on 125.45.109.166:8086 Server Status: 200
Yes Proxy on 125.45.109.166:8087 Server Status: 200
Yes Proxy on 125.45.109.166:8088 Server Status: 200
Yes Proxy on 125.45.109.166:8090 Server Status: 200
Yes Proxy on 125.45.109.166:8118 Server Status: 200
Yes Proxy on 125.45.109.166:8135 Server Status: 200
Yes Proxy on 125.45.109.166:8888 Server Status: 200
Yes Proxy on 125.45.109.166:9000 Server Status: 200
Yes Proxy on 125.45.109.166:9090 Server Status: 200
Yes Proxy on 125.45.109.166:9483 Server Status: 200
Yes Proxy on 125.45.109.166:17941 Server Status: 200
Yes Proxy on 125.45.109.166:46769 Server Status: 200
Yes Proxy on 125.45.109.166:47859 Server Status: 200
Yes Proxy on 125.45.109.166:48703 Server Status: 200

XCtM Project Proxy Test Finished.
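As an added example (not from the original post and not the XCtM tool's own code), here is a small Python parser for the "No Proxy" / "Yes Proxy" lines shown in the two runs above. It works on a constructed excerpt in the same format and reports which ports relayed a status, so the same check can be run over a saved scan of your own address:

```python
import re
from typing import List, NamedTuple, Optional

# Constructed excerpt in the same line format as the XCtM proxy test
# output above (a few lines, not the full run).
SAMPLE = """Testing for Proxy on 125.45.109.166
Using www.google.com
No Proxy on 125.45.109.166:80 Server Status:
No Proxy on 125.45.109.166:8080 Server Status:
Yes Proxy on 125.45.109.166:8081 Server Status: 200
Yes Proxy on 125.45.109.166:8888 Server Status: 200
XCtM Project Proxy Test Finished.
"""

# One per-port result line; the status code is absent when nothing answered.
LINE_RE = re.compile(
    r"^(?P<verdict>Yes|No) Proxy on (?P<host>[\d.]+):(?P<port>\d+) "
    r"Server Status:\s*(?P<status>\d{3})?\s*$"
)


class ProbeResult(NamedTuple):
    host: str
    port: int
    status: Optional[int]  # HTTP status relayed through the host, None if no answer


def parse_proxy_test(text: str) -> List[ProbeResult]:
    """Parse the per-port lines; header and footer lines are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        status = int(m["status"]) if m["status"] else None
        results.append(ProbeResult(m["host"], int(m["port"]), status))
    return results


def responsive_ports(results: List[ProbeResult]) -> List[int]:
    """Ports that relayed any HTTP status (the 'Clear to Send' the post describes)."""
    return sorted(r.port for r in results if r.status is not None)


def verdict(results: List[ProbeResult]) -> str:
    """One-line summary: the outcome you want for your own address is 'no ports'."""
    ports = responsive_ports(results)
    if not ports:
        return "no ports responded: nothing on this address is relaying requests"
    return f"{len(ports)} port(s) relayed a response: {ports}"


if __name__ == "__main__":
    print(verdict(parse_proxy_test(SAMPLE)))
```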

Now that you see what the port scans are all about, you should sleep better at night knowing your systems and equipment are not responding to external scans.

The above list gives me the impression this computer is a simple proxy or application gateway. I don't have time now to check into things further, but as you can see from your logs and this example, this computer should be shut down or secured better than it is.

Hope this helped you understand what Port Scanning is all about.
