Port scans. What are these?

Hi people. I get constant & regular port scans from these IP addresses:

61.137.117.208 61.233.40.205 61.237.29.102 61.237.3.70 61.235.144.86

Severity: Minor Direction: Incoming Protocol: UDP

ARIN and RIPE whois servers don't give any information about any of these addresses. It kinda bugs me because they're constant scans. Probably caused by some application I've installed (like automatic update check or...)

Could anyone enlighten me? Thanks in advance.

Reply to
kmtanner

Do you have any assets in China? If not, then I would recommend blocking those IPs/requests

formatting link

Reply to
jeanmarc.soumet

Thanks a lot guys. I have absolutely no idea why I'm getting these scans from China. I have no business associates there - nor any other transactions. Perhaps Chinese want to get my business and make me unemployed too. ;-)

Thanks for the Apnic site link. RIPE and ARIN don't seem to work very well for me.

Reply to
kmtanner

inetnum:      61.137.0.0 - 61.137.127.255
netname:      CHINANET-HN
country:      CN
descr:        CHINANET Hunan province network
descr:        China Telecom
descr:        A12,Xin-Jie-Kou-Wai Street
descr:        Beijing 100088
admin-c:      CH93-AP
tech-c:       YX69-AP
status:       ALLOCATED NON-PORTABLE
changed:      snipped-for-privacy@chinatelecom.com.cn 20050825
mnt-by:       MAINT-CHINANET
source:       APNIC

person:       Chinanet Hostmaster
address:      No.31 ,jingrong street,beijing
address:      100032
country:      CN
phone:        +86-10-66027112
fax-no:       +86-10-58501144
e-mail:       snipped-for-privacy@ns.chinanet.cn.net
e-mail:       snipped-for-privacy@ns.chinanet.cn.net
nic-hdl:      CH93-AP
mnt-by:       MAINT-CHINANET
changed:      snipped-for-privacy@ns.chinanet.cn.net 20021016
remarks:      hostmaster is not for spam complaint,please send spam complaint to snipped-for-privacy@ns.chinanet.cn.net
source:       APNIC

person:       Yali Xiao
address:      Hunan Data Communication Bureau No.9 middle wuyi road ChangSha city,Hunan ,P.R.China 410011
country:      CN
phone:        +86-731-2260079
fax-no:       +86-731-2265549
e-mail:       snipped-for-privacy@hnpta.net.cn
nic-hdl:      YX69-AP
mnt-by:       MAINT-CHINANET-HUNAN
changed:      snipped-for-privacy@hndcb.hnpta.net.cn 20010523
source:       APNIC

inetnum:      61.233.40.0 - 61.233.40.255
netname:      CRHbYqS
country:      CN
descr:        China Railcom Hebei Yangquan Subbranch
descr:        Telecommunication Company
descr:        Yangquan City,Shanxi Province
admin-c:      LQ112-AP
tech-c:       LM273-AP
status:       ASSIGNED NON-PORTABLE
changed:      snipped-for-privacy@crc.net.cn 20030731
mnt-by:       MAINT-CN-CRTC
source:       APNIC

person:       LV QIANG
nic-hdl:      LQ112-AP
e-mail:       crnet snipped-for-privacy@chinatietong.com
address:      22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone:        +86-10-51892106
fax-no:       +86-10-51890674
country:      CN
changed:      snipped-for-privacy@cnnic.net.cn 20050823
mnt-by:       MAINT-CNNIC-AP
source:       APNIC

person:       liu min
nic-hdl:      LM273-AP
e-mail:       crnet snipped-for-privacy@chinatietong.com
address:      22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone:        +86-10-51848796
fax-no:       +86-10-51842426
country:      CN
changed:      snipped-for-privacy@cnnic.net.cn 20041208
mnt-by:       MAINT-CNNIC-AP
source:       APNIC

inetnum:      61.232.0.0 - 61.237.255.255
netname:      CRTC
country:      CN
descr:        CHINA RAILWAY TELECOMMUNICATIONS CENTER
admin-c:      LQ112-AP
tech-c:       LM273-AP
status:       ALLOCATED PORTABLE
changed:      snipped-for-privacy@cnnic.net.cn 20030121
mnt-by:       MAINT-CNNIC-AP
source:       APNIC

person:       LV QIANG
nic-hdl:      LQ112-AP
e-mail:       crnet snipped-for-privacy@chinatietong.com
address:      22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone:        +86-10-51892106
fax-no:       +86-10-51890674
country:      CN
changed:      snipped-for-privacy@cnnic.net.cn 20050823
mnt-by:       MAINT-CNNIC-AP
source:       APNIC

person:       liu min
nic-hdl:      LM273-AP
e-mail:       crnet snipped-for-privacy@chinatietong.com
address:      22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone:        +86-10-51848796
fax-no:       +86-10-51842426
country:      CN
changed:      snipped-for-privacy@cnnic.net.cn 20041208
mnt-by:       MAINT-CNNIC-AP
source:       APNIC

Reply to
Chris

I don't know if this really helps you or not, but

formatting link
reports those IPs as being Chinese owned.

% [whois.apnic.net node-1]
% Whois data copyright terms

formatting link

inetnum:      61.232.0.0 - 61.237.255.255
netname:      CRTC
country:      CN
descr:        CHINA RAILWAY TELECOMMUNICATIONS CENTER
admin-c:      LQ112-AP
tech-c:       LM273-AP
status:       ALLOCATED PORTABLE
changed:      snipped-for-privacy@cnnic.net.cn 20030121
mnt-by:       MAINT-CNNIC-AP
source:       APNIC

person:       LV QIANG
nic-hdl:      LQ112-AP
e-mail:       crnet snipped-for-privacy@chinatietong.com
address:      22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone:        +86-10-51892106
fax-no:       +86-10-51890674
country:      CN
changed:      snipped-for-privacy@cnnic.net.cn 20050823
mnt-by:       MAINT-CNNIC-AP
source:       APNIC

person:       liu min
nic-hdl:      LM273-AP
e-mail:       crnet snipped-for-privacy@chinatietong.com
address:      22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone:        +86-10-51848796
fax-no:       +86-10-51842426
country:      CN
changed:      snipped-for-privacy@cnnic.net.cn 20041208
mnt-by:       MAINT-CNNIC-AP
source:       APNIC

Reply to
Renegade

Look here:

formatting link
may provide you with some enlightenment.

M.

Reply to
Michal Jaegermann

I block BUNCHES of subnets outside the USA and China is one of the largest that I block - we've cut spam and probes by 80% just blocking foreign countries where we have no contacts.

Reply to
Leythos

China provides low cost hosting service to anyone with clean cash.

[compton ~]$ grep -c CN IP.ADDR/stats/[ALR]* | column
IP.ADDR/stats/AFRINIC:0    IP.ADDR/stats/LACNIC:0
IP.ADDR/stats/APNIC:899    IP.ADDR/stats/RIPE:0
IP.ADDR/stats/ARIN:0
[compton ~]$ grep CN IP.ADDR/stats/APNIC | cut -d' ' -f2 | cut -d'.' -f1 | sort -n | uniq -c | column
     39 58        1 134       1 167      72 203      13 220
     28 59        1 159       1 168      70 210      58 221
     30 60        1 161       4 192      35 211      63 222
     71 61        1 162       1 198      46 218
     20 125       1 166     315 202      27 219
[compton ~]$ grep CN IP.ADDR/stats/APNIC | grep ' 134\.'
CN 134.196.0.0 255.255.0.0 allocated
[compton ~]$

Briefly, China has 899 network assignments, all from APNIC. IP addresses are not assigned in a "convenient" manner, but are scattered in 23 ranges from 58.14.0.0/15 to 222.249.192.0/19. For example, in the 202.0.0.0/8 range, there are 3506 assignments located in

[compton ~]$ grep -h ' 202\.' IP.ADDR/stats/[ALR]* | cut -d' ' -f1 | sort -u | column
AF  BN  GU  JP  LK  MV  NZ  PW  TV  WS
AP  BT  HK  KH  MN  MY  PF  SB  TW
AS  CK  ID  KI  MO  NC  PG  SG  US
AU  CN  IN  KR  MP  NP  PH  TH  VN
BD  FJ  IO  LA  MU  NU  PK  TO  VU
[compton ~]$

Note also that these country codes (from ISO3166) are where the assignment is _registered_ and may not reflect where the actual computer is located.

As noted above, there are five "Regional Internet Registries". "AFRINIC" covers Africa and some islands in the Indian Ocean. "APNIC" covers Southern Asia, from Afghanistan to Japan, and areas in the Pacific as far east as Pitcairn Island. ARIN covers North America, some islands in the Atlantic and Caribbean, and legacy assignments around the world. LACNIC covers Central and South America and some islands in the Atlantic and Caribbean. RIPE covers Europe, Northern Asia, some areas in Africa that haven't been transferred to AFRINIC yet, and some islands in the Atlantic. See

formatting link
Old guy

Reply to
Moe Trin
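Moe Trin's pipeline above runs over per-RIR stats files whose lines look like "CN 134.196.0.0 255.255.0.0 allocated". The following Python is an added example, not code from the thread: it parses files in that four-column layout, answers the original poster's question (which registry and country code a given address is registered under) by longest-prefix match, and reproduces the per-first-octet count from the grep | cut | sort | uniq -c pipeline. The file contents are constructed: the CN rows use the ranges quoted in the whois output earlier in the thread, while the JP/US/DE rows are documentation prefixes standing in for real registrations. Function names are my own.

```python
"""Map an IPv4 address to the RIR and country code it is registered under,
using stats files in the layout shown in the thread:  CC network netmask status
(added example; the stats data below is constructed, not real RIR output)."""
import ipaddress
from collections import Counter

# Constructed sample stats files. The CN rows reproduce ranges quoted in the
# thread's whois output (61.137.0.0/17 CHINANET-HN; 61.232.0.0-61.237.255.255
# CRTC, which is 61.232.0.0/14 plus 61.236.0.0/15; 61.233.40.0/24; 134.196/16).
# The JP/US/DE rows use documentation prefixes and are placeholders only.
SAMPLE_STATS = {
    "APNIC": """\
CN 61.137.0.0 255.255.128.0 allocated
CN 61.232.0.0 255.252.0.0 allocated
CN 61.233.40.0 255.255.255.0 assigned
CN 61.236.0.0 255.254.0.0 allocated
CN 134.196.0.0 255.255.0.0 allocated
JP 203.0.113.0 255.255.255.0 assigned
""",
    "ARIN": """\
US 198.51.100.0 255.255.255.0 assigned
DE 192.0.2.0 255.255.255.0 assigned
""",
}


def parse_stats(text, rir):
    """Return [(rir, cc, network, status)] for one stats file; malformed lines raise."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"{rir} line {lineno}: expected 4 fields, got {len(parts)}")
        cc, net, mask, status = parts
        # ipaddress accepts a dotted netmask after the slash; strict=False
        # tolerates host bits set in the network field.
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        records.append((rir, cc.upper(), network, status))
    return records


def build_table(stats_by_rir):
    """Merge every RIR file and order the most specific prefixes first."""
    table = []
    for rir, text in stats_by_rir.items():
        table.extend(parse_stats(text, rir))
    table.sort(key=lambda rec: rec[2].prefixlen, reverse=True)
    return table


def lookup(ip, table):
    """Most specific registration covering ip, as (rir, cc, 'net/len'), or None.

    The country code is where the block is *registered* (ISO 3166); as the
    thread notes, that need not be where the host physically sits."""
    addr = ipaddress.ip_address(ip)
    for rir, cc, network, _status in table:
        if addr in network:
            return rir, cc, str(network)
    return None


def assignments_by_first_octet(table, cc):
    """Same summary as `grep CC | cut -d' ' -f2 | cut -d'.' -f1 | sort -n | uniq -c`."""
    counts = Counter()
    for _rir, rec_cc, network, _status in table:
        if rec_cc == cc:
            counts[int(str(network.network_address).split(".")[0])] += 1
    return dict(sorted(counts.items()))


TABLE = build_table(SAMPLE_STATS)

if __name__ == "__main__":
    # The five scanners from the original post, plus the stray 10.0.1.144
    # mentioned later in the thread (private space, so no registration).
    for ip in ("61.137.117.208", "61.233.40.205", "61.237.29.102",
               "61.237.3.70", "61.235.144.86", "10.0.1.144"):
        print(ip, "->", lookup(ip, TABLE))
    print("CN blocks per first octet:", assignments_by_first_octet(TABLE, "CN"))
```

Sorting by prefix length before the linear scan is what makes 61.233.40.205 resolve to the /24 sub-assignment rather than the enclosing CRTC /14; the two CN blocks overlap exactly the way the two inetnum objects in Chris's whois output do.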

Because there are tons of cracked hosts in China being abused for scans, spam and so on. You just happen to be in the range of a scanning script kiddie. It's nothing personal.

Of course not. RIPE is responsible for the European Network, ARIN for the (North) American part. Both have nothing to do with Asia.

Cheers,

Chris.

Reply to
Chris Kronberg

There are also quite a number of "ISPs" run by entrepreneurs out to make a fast buck by selling IP space to all takers without question. As long as they don't piss off the Army (CHINANET - the major provider in China) or the government, you'll get all kinds of crap out of Chinese IP space.

Very true.

While most registrations have been transferred to the appropriate region, there are still a number of non-local ones in ARIN:

[compton ~]$ cut -d' ' -f1 < IP.ADDR/stats/ARIN | sort -u | column
AG  BB  CH  FI  HU  JP  LC  PL  US
AI  BE  CZ  FR  IE  KN  LU  PR  VI
AR  BM  DE  GB  IL  KR  MX  SE
AT  BS  DO  GD  IT  KY  NL  SG
AU  CA  ES  HK  JM  LB  NO  TR
[compton ~]$ grep -c DE ARIN.gz
24
[compton ~]$

and RIPE has quite a few outside of Europe.

[compton ~]$ cut -d' ' -f1 < IP.ADDR/stats/RIPE | sort -u | column
AD  BH  EE  GL  IT  LU  NO  SE  UA
AE  BY  EG  GR  JO  LV  OM  SI  UG
AL  CH  ES  HR  KE  MA  PL  SK  UK
AM  CS  EU  HU  KG  MC  PS  SL  UZ
AT  CY  FI  IE  KW  MD  PT  SM  VA
AZ  CZ  FO  IL  KZ  MK  QA  SY  YE
BA  DE  FR  IQ  LB  MT  RO  TJ  YU
BE  DK  GE  IR  LI  NG  RU  TM
BG  DZ  GI  IS  LT  NL  SA  TR
[compton ~]$

But then, APNIC has a few "out of area" registrations too.

[compton ~]$ cut -d' ' -f1 < IP.ADDR/stats/APNIC | sort -u | column
AF  BT  GU  KH  MN  NC  PF  SG  VN
AP  CH  HK  KI  MO  NF  PG  TH  VU
AS  CK  ID  KR  MP  NP  PH  TO  WS
AU  CN  IN  LA  MU  NR  PK  TV
BD  FJ  IO  LK  MV  NU  PW  TW
BN  GB  JP  MM  MY  NZ  SB  US
[compton ~]$

(Source is RIR zone files dated 15 Oct, 2005)

Old guy

Reply to
Moe Trin

That's odd, because when questioning RIPE I do get DE, FR, GB, BE, IT, NL and PL. When asking ARIN I'm referred to RIPE. In the meantime ARIN has configured its whois service in a way that they forward the question to the appropriate whois server. At least this works for RIPE and APNIC.

The few that don't belong to Europe belong to Africa. These domains, i.e. IP ranges, are currently being transferred to AFRINIC. I don't have the feeling that this makes anything easier. From time to time I came across IPs not belonging to anyone: ARIN says go-to-AFRINIC, AFRINIC says not-ours. *argl*

Cheers,

Chris.

Reply to
Chris Kronberg

[compton ~]$ grep -c DE RIPE
1616
[compton ~]$ grep DE ARIN | cut -d' ' -f3 | sort | uniq -c | column
      1 1280              1 255.255.248.0      2 768
      1 255.0.0.0         4 255.255.254.0
      1 255.254.0.0      14 255.255.255.0
[compton ~]$

(1280 is 5 x 256, while 768 is 3 x 256 - the wonders of CIDR.)

Those 24 blocks in Germany at ARIN are probably early registrations that haven't been transferred to RIPE yet. The same is mostly true with the others - but note that ARIN (24) and APNIC (1) use GB and have no UK, while RIPE uses UK (1720) and has no GB.

Haven't noticed that.

Originally, there was only ARIN - RIPE and APNIC were formed later, LACNIC later still, and AFRINIC only in April of this year. I do see a lot of the "out of region" registrations being transferred from one RIR to another, but there still are some that may be appropriate in a non-local one. For example, there are five US registrations in APNIC - one is a satellite service for ships (presumably in the Pacific), two are overseas services of US companies (Akamai and eBay), one is a US division of an Asian company, and one is a US Military facility in the Pacific (no idea why it's not ARIN).

Oh yeah, I see that one with some frequency. Often, this is a mixup between the whois database and the allocation blocks. Drives me nuts too. If it's important, each of the RIRs has contact data that can let you reach a person - may not be very smart, but might have an explanation, or be able to initiate a fix. It worked when AFRINIC was announcing that 10.0.1.144 belonged to .na for a couple of weeks.

Old guy

Reply to
Moe Trin

Based on the information you have provided and my experience, I'm guessing that you are seeing traffic from these IPs on UDP ports 1026/1027/etc, in which case it would very likely be messenger spam. See

formatting link
for more information.

Blake

Reply to
Blake McNeill

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.