
Preserved Topic: Why would my ISP be scanning my ports? (Page 1 of 1)

 
Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 10-23-2002 02:56

I just picked up a possible TCP port scan (ports 49808-1080) and checked the source and it was from a subdomain (scanner.abuse) of my ISP.

Do you think they are just checking to make sure their users don't have trojans on their PCs (I have noticed quite a few scans from other addresses with the same ISP as me and they may be checking to make sure they aren't liable) or are they checking me out for some possible infraction of my ToS (I can't think what that might be)?

[edit: I suppose I could also have triggered some kind of automated scanning thingy.

DS - you are on the same ISP (Blueyonder) aren't you? Ever experienced anything like that?]

Now I'm going to have to nose through my firewall logs and see if anything interesting crops up.

___________________
Emps

FAQs: Emperor

InI
Paranoid (IV) Mad Scientist

From: Somewhere over the rainbow
Insane since: Mar 2001

posted 10-23-2002 03:10

The poster has demanded we remove all his contributions, lest he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.

Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 10-23-2002 03:11

Hmmmm it seems to just be some kind of routine check:

Message from tech support:

quote:
There is no way to stop the scans as they are part of procedures which are now in place to protect the newsgroups and ensure that customers with open ports who could be causing a problem are detected and dealt with ASAP.



here:
http://gaming.blueyonder.co.uk/forums/index.jsp?action=showpost&forum_id=139&topic_id=33785

and:

quote:
BY have started, and are continuing, to scan customers' machines looking for machines with an open port 119. If found they're tested and if need be contacted by abuse (if anyone on BY gets hit from scanner.abuse.blueyonder.co.uk, that's the scanner - it checks a few ports besides 119 - 1080 and 6588 according to my firewall logs).



from:
http://www.ctanet.fr/~sheflug/mailarchive/2002/05/msg00119.html

Is this common?

Should I be pleased I have a proactive ISP or worried about their spying?

I'm going with the former - if more ISPs did this then there would be less hassle from various nasties out there.

___________________
Emps

FAQs: Emperor
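
Added example (not part of the original thread): one way to go through firewall logs for the pattern described above. It groups blocked TCP probes by source and separates a narrow check of the ports quoted in the post (119, 1080, 6588) from a broad scan. The log lines are constructed; the iptables LOG-style layout, the thresholds and the label names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the thread reports the ISP scanner probing (NNTP plus two others).
ISP_CHECK_PORTS = {119, 1080, 6588}
# Constructed sample lines, iptables LOG style, documentation IP ranges only.
SAMPLE_LOG = """\
Oct 23 02:55:58 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=49808 DPT=1080 SYN
Oct 23 02:55:59 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=49809 DPT=119 SYN
Oct 23 02:56:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=49810 DPT=6588 SYN
Oct 23 03:10:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=21 SYN
Oct 23 03:10:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=23 SYN
Oct 23 03:10:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=25 SYN
Oct 23 03:10:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=80 SYN
Oct 23 03:30:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.7 PROTO=TCP SPT=41000 DPT=445 SYN
Oct 23 01:00:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=42000 DPT=119 SYN
Oct 23 04:00:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=42001 DPT=1080 SYN
Oct 23 08:00:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=42002 DPT=6588 SYN
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?PROTO=TCP .*?DPT=(\d+)")

def classify_sources(log_text, window=timedelta(seconds=60), min_ports=3, year=2002):
    """Return {src: (label, ports)} for sources probing >= min_ports distinct ports within window."""
    hits = defaultdict(list)  # source IP -> [(timestamp, destination port)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied (assumption)
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits[m.group(2)].append((ts, int(m.group(3))))
    verdicts = {}
    for src, events in hits.items():
        events.sort()
        best = set()  # largest set of distinct ports seen in any single window
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            best = max(best, ports, key=len)
        if len(best) >= min_ports:
            # A probe set confined to the ports named in the thread is labelled separately.
            label = "nntp-proxy-check" if best <= ISP_CHECK_PORTS else "broad-scan"
            verdicts[src] = (label, sorted(best))
    return verdicts

if __name__ == "__main__":
    for src, (label, ports) in classify_sources(SAMPLE_LOG).items():
        print(src, label, ports)
```

A label only says the probed ports match the set reported in the thread; confirming who ran the scan still needs a reverse lookup of the source address.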

InI
Paranoid (IV) Mad Scientist

From: Somewhere over the rainbow
Insane since: Mar 2001

posted 10-23-2002 03:15

The poster has demanded we remove all his contributions, lest he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.

Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 10-23-2002 04:26

InI: Thanks for that - interesting stuff. I suppose that I spotted it is a good sign and I ran a quick test of 'Shields Up' and 'Probe my Ports':
http://grc.com

and came up with the usual sparkling bill of health, although it doesn't actually say it has tested port 119 it does say it can't connect to my NetBIOS.

On port 119:

quote:
119

NNTP news

Network News Transfer Protocol, carries USENET traffic. This is the port used when you have a URL like news://comp.security.firewalls. Attempts on this port are usually by people hunting for open USENET servers. Most ISPs restrict access to their news servers to only their customers. Open news servers allow posting and reading from anybody, and are used to access newsgroups blocked by someone's ISP, to post anonymously, or to post spam.

Update: @Home has started scanning their subscribers to see if they are running USENET servers. They are doing this in order to find these servers and close them before spammers can take advantage of them.




from:
http://www.robertgraham.com/pubs/firewall-seen.html#port119

___________________
Emps

FAQs: Emperor

kretsminky
Maniac (V) Inmate

From: A little lower... lower... ahhhhhh, thats the spot
Insane since: Jun 2000

posted 10-23-2002 05:52

I wouldn't be hard on them Emps. I've been known to scan a port or two in my day.

Copey
Paranoid (IV) Inmate

From: UK
Insane since: Aug 2002

posted 10-23-2002 14:22

Emp: Arrghhh sorry for the late helping.

Basically you and InI have covered it. It's to protect you and blueyonder from getting in shit cus of your computer sending data that is classed as abuse.

It's nothing really, blueyonder does scans for open server ports and computer ports, which can lead to abuse of your computer. From what I can get from my dad (I go through my dad's computer for net, so he's getting all the logs and crap.) it's just a scanner for open ports, if any are found then I think blueyonder contact you or just watch for active data from them ports.

If any problems look in their newsgroups (which you have done), that's where my dad goes when things go tits up with the connection.

COPEY

Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 10-23-2002 15:17

Copey la': Cheers - it was really just an accident that I spotted it at all as I don't nose through my logs as much as I used to.

I started a FAQ on this as I noticed quite a few people were asking similar questions out there:

Why is my ISP scanning my ports?

___________________
Emps

FAQs: Emperor

trib
Paranoid (IV) Inmate

From: Den Haag, Netherlands
Insane since: Sep 2002

posted 10-24-2002 11:26

I may be trying to teach my granny to suck eggs here ... but unwanted port scans annoy the hell out of me ... So ...

If you don't enjoy these port scans, you may not be able to actively stop them, but you can do something to annoy their scanning software in a lot of cases. Try setting your firewall default queue action to DROP instead of DENY. That way, any offending packets are just ignored (i.e. dropped) and since there is no denial packet sent out to the probing software, it has to wait for its timeout period before it tries the next port (nobody decent does a flood probe). If more people did it, they'd get the message.

I don't know about Windoze, but it sure works sweetly on ipchains and iptables under Linux.

Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 10-24-2002 12:56

trib: Will that affect my stealthy online status? - current scans slip off as if this computer were covered in Teflon.

___________________
Emps

FAQs: Emperor

Perfect Thunder
Paranoid (IV) Inmate

From: Milwaukee
Insane since: Oct 2001

posted 10-24-2002 14:40

As long as we're discussing Shields Up and "stealthed" ports, does anyone have enough solid knowledge to tell me which of these sites has more reliable information?
www.grc.com www.grcsucks.com

Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 10-24-2002 14:48

PT: Interesting question. I suppose you shouldn't ever rely on any one person's advice online (unless it's mr.maX).

This looks to be a good list:
http://cable-dsl.home.att.net/index.htm#CheckSecurity

___________________
Emps

FAQs: Emperor
