Keep getting Port Scanned by RPF

Discussion in 'Site Support & News' started by amish, Jun 20, 2005.

  1. amish

    amish Sr Member

    Trophy Points:
    1,046
    I keep getting port scans from the RPF:

    IP Address 67.15.145.9
    Attacker DNS www.rpf.invisionzone.com
    Attack Type Port scanned
    Attack Time 11:16:40 PM
    Scan Port Details TCP (2918, 2920)

    Any idea of the reason for this?

    Thanks.

    BTW, this happens at least once a day.
     
  2. amish

    amish Sr Member

    Trophy Points:
    1,046
    It will happen either while browsing the forum or after I leave the forum. It is kind of weird and thought it was worth mentioning.
     
  3. Kerr Avon

    Kerr Avon Master Member

    Trophy Points:
    2,841
    Some sites will do that to see if you are still 'alive' and kicking while accessing a site, does Invision do that normally?
     
  4. amish

    amish Sr Member

    Trophy Points:
    1,046
It probably is a "feature" of invisionzone. I will have to try accessing another invision site and leave it up for a while and see if it happens.

    Nice idea.
     
  5. Cenobyte

    Cenobyte Sr Member

    Trophy Points:
    1,681
    I get the same thing.

Port scanned from the RPF
     
  6. Cenobyte

    Cenobyte Sr Member

    Trophy Points:
    1,681

It is the RPF. 2 different computers. What possible reason should an INTRUSION PREVENTION occur? Here is the log (partial) from my firewall:

    7/3/2005 11:43:26 PM Active Response Major Incoming None 67.15.145.9 7/3/2005 11:42:34 PM 7/3/2005 11:42:34 PM
    7/3/2005 11:43:26 PM Intrusion Prevention System Major Incoming TCP 67.15.145.9 iexplore.exe Br 7/3/2005 11:42:33 PM 7/3/2005 11:42:33 PM
     
  7. amish

    amish Sr Member

    Trophy Points:
    1,046
    Thanks for staying up on this Dualedge.
     
  8. amish

    amish Sr Member

    Trophy Points:
    1,046
    You got it. I should say that I have not experienced this in the past few days. So I will post here if it happens again.

    Thanks.
     
  9. Kerr Avon

    Kerr Avon Master Member

    Trophy Points:
    2,841
    I had a thought on this, and there is not any evidence of this, but I'm curious if some linked images could be prompting that scan. Avatars or other images in threads that are linked from sites with advertising perhaps?
     
  10. amish

    amish Sr Member

    Trophy Points:
    1,046
    Just wanted to mention I got another one at 9:22am this morning.

    The IP for the attack is:
    67.15.145.9

    This is Invisionzone from Houston, Texas. So they are the ones doing something.

    The following is the information from the IP that port scanned me:

    The system is running a mail server (ESMTP Exim 4.44 #1) on port 25. This means that this system can be used to send email.

    The system is running a web server (Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.10 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7a) on port 80 (click here to view it). This means that this system serves web pages.

    The system is running a secure web server (Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.10 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7a) on port 443 (click here to view it). This means that this system serves encryped web pages. It therefore probably handles sensitive data, such as credit card information.

    The system is running a file transfer server (1.2.10 Server (ProFTPD) [67.15.145.9]) on port 21 (click here to view it). This means users are able to upload and download files to this system.


    Here is some info for the ISP:
    Everyones Internet, Inc.
    abuse@ev1.net
    +1-713-579-2850
    390 Benmar Suite 200 Houston TX 77060 US

    This could be Invisionzone......


    The following is information about Invisionzone.com:
    The following information refers to the network on which this system lies. This is useful information because it describes who you need to report to if someone on their network has been abusive. (How to effectively report network abuse)

    OrgName: Invision Power Services, Inc.
    OrgID: IPS-72
    Address: PO Box 24
    City: Evergreen
    StateProv: VA
    PostalCode: 23939
    Country: US

    NetRange: 67.15.107.0 - 67.15.107.63
    CIDR: 67.15.107.0/26
    NetName: EVRY-230
    NetHandle: NET-67-15-107-0-1
    Parent: NET-67-15-0-0-1
    NetType: Reassigned
    Comment:
    RegDate: 2005-02-02
    Updated: 2005-02-02

    OrgTechHandle: LTH22-ARIN
    OrgTechName: Throgmartin, Lindy
    OrgTechPhone: +1-434-352-4334
    OrgTechEmail: lindy@invisionpower.com

    Registration Service Provided By: Invision Power Services, Inc.
    Contact: lindy@invisionpower.com
    Visit: http://www.invisiondomains.com

    Domain name: invisionzone.com

    Registrant Contact:
    Invision Power Services, Inc.
    Lindy Throgmartin (lindy@invisionpower.com)
    +1.4343524334
    Fax:
    1115 Vista Park Dr.
    Suite C
    Forest, VA 24551
    US

    Administrative Contact:
    Invision Power Services, Inc.
    Charles Warner (charleswarner@mac.com)
    4343524334
    Fax: +1.4343528662
    P.O. Box 24
    Evergreen, VA 23939
    US

    Billing Contact:
    Invision Power Services, Inc.
    Lindy Throgmartin (lindy@invisionpower.com)
    +1.4343524334
    Fax:
    1115 Vista Park Dr.
    Suite C
    Forest, VA 24551
    US

    Technical Contact:
    Invision Power Services, Inc.
    Lindy Throgmartin (lindy@invisionpower.com)
    +1.4343524334
    Fax:
    1115 Vista Park Dr.
    Suite C
    Forest, VA 24551
    US

    Status: Locked

    Name Servers:
    ns1.ipslink.com
    ns2.ipslink.com

    Creation date: 15 Nov 2004 14:47:54
    Expiration date: 15 Nov 2005 14:47:54

    The system is running a mail server (ESMTP Exim 4.44 #1) on port 25. This means that this system can be used to send email.

    The system is running a web server (Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.10 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7a) on port 80 (click here to view it). This means that this system serves web pages.

    The system is running a secure web server (Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.10 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7a) on port 443 (click here to view it). This means that this system serves encryped web pages. It therefore probably handles sensitive data, such as credit card information.
    There is no FTP server running on this system (the port is closed).

    Both have the same system specs.
     
  11. Cenobyte

    Cenobyte Sr Member

    Trophy Points:
    1,681
    I got it also this morning, but cleared the history before remembering to screenshot :(

Just thinking about it, it is random. It does NOT happen each time.
     
  12. moffeaton

    moffeaton Master Member RPF PREMIUM MEMBER

    Trophy Points:
    3,860
    Leave Invisionzone... this is creepy stuff.
     
  13. Kerr Avon

    Kerr Avon Master Member

    Trophy Points:
    2,841
    I don't know about leaving yet, but they should be able to tell us why port scans are originating from the Invision servers. Have them take it up the chain of their support personnel.
     
  14. TK626

    TK626 New Member

    Trophy Points:
    2
    Amish (and anyone else experiencing this):

Is it always the same two ports being scanned (2918, 2920)? If so, this info could help invisionzone pinpoint the cause. A port scan in and of itself is nothing to worry about; "attack" is a poor choice of words in your firewall log. As an example of how benign a scan can be: in order to learn what you did about their server (that it is running a webserver and smtp server, but not an FTP server), you had to run a port scan against it, whether you realized it or not. Their firewall logs will now show that you have been port scanning them too, but I doubt you'd agree that you have been attacking invisionzone's servers. :) As you monitor over the next couple of days, if it is at all possible to say what you were doing when the alert triggered (which thread you were in, or if you weren't even active on the RPF), this could also help. Be as specific as possible.

    If it is always those two ports, they would be odd choices for malware or a hacker to target. One (2820) is used by a network monitoring tool (roboEDA). The second (2818) is used by a product... "Developed by Kasten Chase and certified by the U.S. National Security Agency, RASP Data Security is a comprehensive suite of data security solutions that provide robust, end-to-end data security for government."

    I.e., the software that would be listening on that port (if any) would be about the least likely route/method a hacker would want to attempt. :) Definitely stay on Invisionzone about this, my gut feeling is that it is incorrectly configured software at their end (esp. if it continues to show up at those two ports and not the more common ones).
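Two things in this thread are worth checking mechanically rather than by eye: whether the "scanned" ports are client-side ephemeral ports (2918/2920 and 3883/3884 all fall in the 1025-5000 range that Windows XP-era stacks hand out to a browser's own outbound connections, which is why the earlier firewall line ties the event to iexplore.exe), and whether the alerting IP actually lies inside the netblock the whois output attributes to Invision (67.15.107.0/26). The script below is an added triage example written for this thread, not code from the forum, from Invision or from any firewall vendor. The alert text and the netblock are copied from the posts above; the "recent hosts" table is constructed, and the verdict that ephemeral-port alerts from a site you were just browsing are most likely late reply packets to your own closed connections is the editor's working hypothesis, not something the thread confirms.

```python
"""Triage a personal-firewall 'port scanned' alert (added example, not the forum's code)."""
import ipaddress
import re
from dataclasses import dataclass

# Client-side (ephemeral) TCP port range of Windows XP-era stacks: 1025-5000.
# A browser picks its *source* port from this range for every outbound
# connection, so reply or late packets from a web server land on such ports.
EPHEMERAL_RANGE = (1025, 5000)

# Field layout exactly as the firewall printed it in the thread.
ALERT_FIELDS = {
    "ip": re.compile(r"^IP Address\s+(\S+)", re.M),
    "dns": re.compile(r"^Attacker DNS\s+(\S+)", re.M),
    "time": re.compile(r"^Attack Time\s+(.+)$", re.M),
    "ports": re.compile(r"^Scan Port Details\s+TCP\s*\(([\d,\s]+)\)", re.M),
}

# Alert blocks copied from the thread (June and October reports).
ALERT_JUN = """IP Address 67.15.145.9
Attacker DNS www.rpf.invisionzone.com
Attack Type Port scanned
Attack Time 11:16:40 PM
Scan Port Details TCP (2918, 2920)
"""
ALERT_OCT = """IP Address 67.15.145.9
Attacker DNS www.rpf.invisionzone.com
Attack Type Port scanned
Attack Time 3:01:24 PM EST
Scan Port Details TCP (3884, 3883)
"""

# Constructed: hosts the user's browser talked to shortly before the alert.
RECENT_HOSTS = {"67.15.145.9": "www.rpf.invisionzone.com"}
# Netblock the whois output in the thread attributes to Invision Power Services.
CLAIMED_NETBLOCKS = ["67.15.107.0/26"]


@dataclass(frozen=True)
class ScanAlert:
    ip: str
    dns: str
    time: str
    ports: tuple


def parse_alert(text: str) -> ScanAlert:
    """Extract one alert block; raise ValueError if any field is missing."""
    found = {}
    for name, rx in ALERT_FIELDS.items():
        m = rx.search(text)
        if not m:
            raise ValueError(f"alert is missing field {name!r}")
        found[name] = m.group(1).strip()
    ports = tuple(sorted(int(p) for p in found["ports"].split(",")))
    return ScanAlert(found["ip"], found["dns"], found["time"], ports)


def all_ephemeral(ports) -> bool:
    """True when every reported port is a client-side ephemeral port."""
    lo, hi = EPHEMERAL_RANGE
    return all(lo <= p <= hi for p in ports)


def in_netblock(ip: str, cidr: str) -> bool:
    """True when ip lies inside the CIDR block (whois NetRange check)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def triage(alert: ScanAlert, recent_hosts: dict, claimed_netblocks: list) -> dict:
    """Classify the alert from the evidence a home user actually has."""
    ephemeral = all_ephemeral(alert.ports)
    visited = alert.ip in recent_hosts
    matched = [c for c in claimed_netblocks if in_netblock(alert.ip, c)]
    if ephemeral and visited:
        verdict = "likely late reply packets to your own browser connections, not a scan"
    elif ephemeral:
        verdict = "ephemeral ports only; note what you were browsing at that time"
    else:
        verdict = "service ports probed; investigate"
    return {
        "ip": alert.ip,
        "ports": alert.ports,
        "ports_ephemeral": ephemeral,
        "recently_visited": visited,
        "in_claimed_netblocks": matched,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for raw in (ALERT_JUN, ALERT_OCT):
        print(triage(parse_alert(raw), RECENT_HOSTS, CLAIMED_NETBLOCKS))
```

Run as-is, both alerts come back with `ports_ephemeral` true, `recently_visited` true and an empty `in_claimed_netblocks` list: the IP is in Everyones Internet's parent allocation, not in the /26 reassigned to Invision, so the whois block pasted above does not by itself tie the packets to Invision's own hosts.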
     
  15. darthgoat

    darthgoat Well-Known Member

    Trophy Points:
    931
    I agree. Either they are breaching trust and port scanning or their security is compromised and someone is port scanning from their servers.
     
  16. Darbycrash

    Darbycrash Well-Known Member

    Trophy Points:
    705
I think invision needs to check their code. Could be some kind of php hack as well. I don't know how much control you guys have over the code here. However, I would be really jumping on invision for this. I am thinking if it's doing a port scan right now it could be sending intelligence to someone. And I could only imagine what they are doing with that data.
     
  17. amish

    amish Sr Member

    Trophy Points:
    1,046
    I will have to check my logs to see if it is the same ports over and over. However, this has happened to me when I have been connected to the rpf and when I am not connected to the rpf. When I am not connected, it may come within 5 or 10 minutes after closing the site.

    It is not post related from what I can tell. It has happened more than what I have posted about here though. If it will help, I will gladly post a reply here and the ports each time it happens.

I too don't believe it is an attack from invisionzone against me; however, it is a real annoyance and should be dealt with by them.

     
  18. amish

    amish Sr Member

    Trophy Points:
    1,046
    Thanks Dualedge, as always I sincerely appreciate the help.
     
  19. darthgoat

    darthgoat Well-Known Member

    Trophy Points:
    931
    Any news on this?

    This is a serious issue and Invision should be doing something.
     
  20. Prop Runner

    Prop Runner Sr Member

    Trophy Points:
    1,230
    How come some people are being scanned and others are not? I log on to the RPF from 3 terminals (home, client, girlfriend), all with different firewalls and security/privacy settings, and never get a port scan warning. Is it considered spyware? I have AOL and Norton System Works Professional 2004 - both run spyware checks and neither have ever reported this.

    - Gabe
     
  21. rocketeer25

    rocketeer25 Sr Member

    Trophy Points:
    2,146
    The staff has been and will continue to work with Invision on these kind of issues...

    The latest from Invision:

     
  22. Kerr Avon

    Kerr Avon Master Member

    Trophy Points:
    2,841
Spoofing is entirely possible; wonder why it's just hitting amish though?
     
  23. amish

    amish Sr Member

    Trophy Points:
    1,046
    Kerr, others have reported it as well on the first page of this thread.

    Spoofing is a possibility, next time it happens, I will be sure to be on the ready to track the IP through hell and high water.
     
  24. Kerr Avon

    Kerr Avon Master Member

    Trophy Points:
    2,841
    Fair enough, but not many people are being hit by it. I haven't gotten any alerts, though there are several levels on my security that would block it even before getting to my computer. Do you have a hardware firewall, router, or any form of network?
     
  25. amish

    amish Sr Member

    Trophy Points:
    1,046
    Running Agnitum Outpost as my Firewall with a Linksys router w/ hw firewall
     
  26. Kerr Avon

    Kerr Avon Master Member

    Trophy Points:
    2,841
    Not really familiar with that firewall, still getting hit with it?
     
  27. amish

    amish Sr Member

    Trophy Points:
    1,046
I haven't experienced a hit in over a week, then again, I usually do all my browsing at work and only about an hour or two at home.

    Yes, I do work. I multi-task :)
     
  28. amish

    amish Sr Member

    Trophy Points:
    1,046
    Wanted to say I got hit last night with another scan, I will try and get the information later today. Sorry I did not post the info last night.

    Take care.
     
  29. amish

    amish Sr Member

    Trophy Points:
    1,046
    Update 10/11/05 (Today)

    IP Address 67.15.145.9
    Attacker DNS www.rpf.invisionzone.com
    Attack Type Port scanned
    Attack Time 3:01:24 PM EST
    Scan Port Details TCP (3884, 3883)
     
  30. amish

    amish Sr Member

    Trophy Points:
    1,046
Possibly, but why would someone choose to spoof an IP from Invisionzone, and why would the attack only come when I am connected to the RPF?
     
  31. amish

    amish Sr Member

    Trophy Points:
    1,046
It's really no problem to me. I just want you to be aware of it in case it became a problem.

    Just trying to share :)
     
  32. amish

    amish Sr Member

    Trophy Points:
    1,046
    I have been wondering if it is some type of Ad thing. I cannot really explain it, and I am 99% sure my machine is spyware free, but being Ad related would make some sense.

    Besides, other members had the same problem so it could be just as simple as that.

    Hmmmm
     