World Community Grid Forums
Thread: Since I joined I get Portscans from IBM Almaden
Thread Status: Active Total posts in this thread: 32
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
Anyone else?
Since I installed the client I get random scans on my (always connected) PC. These scans never happened before. Scans come from IBM Almaden research center computers and are from UDP Port 33434 upwards. The interesting thing is that there is more than 1 IBM IP scanning, and every IBM IP scans 4 to 8 ports before the next begins. I am on a German ISP (Telekom DSL) with daily changing IPs. Any suggestions?

Here are screenshots:
http://www.8ung.at/computerprofi/scan.jpg
http://www.8ung.at/computerprofi/scan2.jpg

I wrote IBM, but I didn't get an answer. Thanks.

whois: 129.33.82.49 whois.arin.net
OrgName: IBM Almaden Research Center
OrgID: IARC
Address: 3039 Cornwallis Rd.
City: Research Triangle Park
StateProv: NC
PostalCode:
Country: US
NetRange: 129.33.0.0 - 129.33.255.255
CIDR: 129.33.0.0/16
NetName: IBM-ALMADEN
NetHandle: NET-129-33-0-0-1
Parent: NET-129-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.RALEIGH.USF.IBM.COM
NameServer: NS2.RALEIGH.USF.IBM.COM
Comment:
RegDate: 1989-06-22
Updated: 2001-01-30
TechHandle: ZI22-ARIN
TechName: IBM Corporation
TechPhone: +1-607-755-3809
TechEmail: noc@ibm.com
||
|
USA
Advanced Cruncher Joined: Nov 22, 2004 Post Count: 107 Status: Offline |
Hello laberhannes

Welcome to the Forum. I must have read your post ten times, looking for a Question. All I came up with is that you may not want to be port scanned by IBM. We all hook up to them now don't we? Through WCG? I've had the same "IP addy" for years and get scanned, crawled, probed all the time. From AltaVista to hackers to Fed-govt and Yahoo. (Hosting a website) The scans seem normal to me..... Nothing bad has happened to you that I know of..... Please explain the trouble or problem you have in more detail.
----------------------------------------
Join "USA"
Robert
[Edit 1 times, last edit by USA at Nov 28, 2004 2:14:50 AM]
||
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
I first heard of this earlier today in the following post from TaoWarrior:
" Re: Help with Connection Problems
ok well did some searching, it looks like 129.33.82.49 which is an IBM registered IP is trying to come in on a blocked UDP port, I have ports 114, and 80 open for world community grid but I am not going to nor should I need to open any UDP ports for this. If this is the problem then you need to either change the server settings or count me out.
Saturday, November 27, 2004 12:07:55 PM Unrecognized access from 129.33.82.49:41801 to UDP port 33457
Saturday, November 27, 2004 12:07:56 PM Unrecognized access from 129.33.82.49:41801 to UDP port 33458
this is about the time that WCG started its most recent attempt to update. Guessing 129.33.82.49 is WCG but why is it trying to come in on a UDP port?
TaoWarrior [Nov 27, 2004 5:19:43 PM] "

This is something new, and I feel certain it is not authorized. Any experienced Netizen would feel uneasy. Looks like somebody has a zombie scanning the World Community Grid.
||
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
hi USA and all,
there are some special things about this "portscan". first, it is UDP. then, this one comes from different PCs out of one net (IBM). normally you have those script kiddies scanning all over the day with many different IPs. then, there are only special ports scanned, beginning with 33434 up. and at least, they scan only 4 to 8 ports per IP. normally, when you do a portscan, it goes up on the lowest port scanning it up to 65000. so, when you call this a portscan like all the others happen, you would not see me doing this post.

there is no question about making a port free for the rosetta program to get connected. but these scans are additional to that. i am not paranoid about that scan, but this systematic sort of UDP scan is completely new for me, and i'm with logged firewalls since 2001. i never saw something like this in my logs before.

greetings from germany, tom
||
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
@lawrence:
my pFW blocked those scans, but the grid program _did_ get a new job. so in my suggestion this can not be something for the grid program itself or its data handling. do you have a link to this posting?

tom
||
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
laberhannes, here is the thread that first mentioned the port scans: http://www.worldcommunitygrid.org/forums/wcg/viewthread?thread=692
I do not know what sort of hole they are looking for at that address. Anybody reading this who follows Computer Security issues have an idea? |
||
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
thank you.
not much information. :( since UDP is a non-reliable protocol (see google for special info) i can't imagine that they do any data-connection over UDP for the grid. (and why this would be with different machines.) i must wait till tomorrow to see my statistics if the first job has been received. thank you anyway.

tom
||
|
Alther
Former World Community Grid Tech United States of America Joined: Sep 30, 2004 Post Count: 414 Status: Offline Project Badges: |
"hi USA and all, there are some special things about this "portscan". first, it is UDP. then, this one comes from different PCs out of one net (IBM). normally you have those script kiddies scanning all over the day with many different IPs. then, there are only special ports scanned, beginning with 33434 up. and at least, they scan only 4 to 8 ports per IP. normally, when you do a portscan, it goes up on the lowest port scanning it up to 65000. so, when you call this a portscan like all the others happen, you would not see me doing this post. there is no question about making a port free for the rosetta program to get connected. but these scans are additional to that. i am not paranoid about that scan, but this systematic sort of UDP scan is completely new for me, and i'm with logged firewalls since 2001. i never saw something like this in my logs before. greetings from germany, tom"

World Community Grid only uses TCP ports 80 and 443 and communications are always client initiated. Our servers never initiate connections to the clients. Think about it. A lot of computers are behind firewalls (corporate and personal) and WCG would fail miserably if it relied upon server initiated connections.

However, this information is very interesting. The IP addresses are definitely IBM owned (assuming they're not spoofed). Also, due to the nature of the "scan" I wouldn't call this a scan at all. Infrequent knocks on a few high UDP ports is not a typical scan looking for security vulnerabilities. This looks suspiciously like a traceroute to me. Why this is occurring, I don't know. An inquiry has been sent to the network security folks asking what this might be.
Rick Alther
Former World Community Grid Developer |
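Added example, not part of the thread and not World Community Grid code: a Python sketch of the distinction drawn in the post above, labelling each source in a firewall log as traceroute-like (UDP only, consecutive destination ports from 33434 upward) or scan-like. The traceroute defaults, the "TCP" log variant, the 192.0.2.77 host and the threshold are assumptions; the sample log is constructed.

```python
import re
from collections import defaultdict

# Assumed classic Unix traceroute defaults: UDP probes start at destination
# port 33434 and add 1 per probe, with 3 probes per hop and at most 30 hops.
BASE_PORT, PROBES_PER_HOP, MAX_HOPS = 33434, 3, 30
TRACEROUTE_PORTS = range(BASE_PORT, BASE_PORT + PROBES_PER_HOP * MAX_HOPS)

# Line format as posted by TaoWarrior in this thread; "TCP" is an assumption.
LINE_RE = re.compile(
    r"Unrecognized access from (\d+(?:\.\d+){3}):\d+ to (UDP|TCP) port (\d+)")

# Constructed sample: two lines mirror the thread, the rest are made up.
SAMPLE_LOG = (
    "12:07:55 PM Unrecognized access from 129.33.82.49:41801 to UDP port 33457\n"
    "12:07:56 PM Unrecognized access from 129.33.82.49:41801 to UDP port 33458\n"
    "12:07:57 PM Unrecognized access from 129.33.82.49:41801 to UDP port 33459\n"
    + "".join(
        f"12:30:{p:02d} PM Unrecognized access from 192.0.2.77:50112 to TCP port {p}\n"
        for p in range(20, 32))
)

def parse_probes(log_text):
    """Group (protocol, destination port) pairs by source IP."""
    probes = defaultdict(list)
    for ip, proto, port in LINE_RE.findall(log_text):
        probes[ip].append((proto, int(port)))
    return dict(probes)

def implied_hop(port):
    """Hop (TTL) a default traceroute has reached when it uses this port."""
    return (port - BASE_PORT) // PROBES_PER_HOP + 1

def classify(hits, scan_threshold=10):
    """Label one source's hits; scan_threshold is an arbitrary example value."""
    ports = sorted({port for _, port in hits})
    udp_only = all(proto == "UDP" for proto, _ in hits)
    in_range = all(port in TRACEROUTE_PORTS for port in ports)
    stepwise = all(b - a == 1 for a, b in zip(ports, ports[1:]))
    if udp_only and in_range and stepwise:
        return "traceroute-like"
    return "scan-like" if len(ports) >= scan_threshold else "unclassified"

def report(log_text):
    """Return {source_ip: (label, implied hops for in-range UDP ports)}."""
    return {ip: (classify(hits),
                 sorted({implied_hop(p) for _, p in hits if p in TRACEROUTE_PORTS}))
            for ip, hits in parse_probes(log_text).items()}
```

Calling report(SAMPLE_LOG) labels 129.33.82.49 as traceroute-like at implied hops 8 and 9, and the constructed 192.0.2.77 source as scan-like.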
||
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
HI!!

A few minutes after I installed WCGA I got these messages from my firewall. This cannot be right!? IBM, what are YOU doing?

My log from my firewall:

Category: Intrusion Detection
Date,User,Message,Details
2004-11-28 12:40:10,Supervisor,Intrusion detected and blocked.All communication with 129.33.82.53 will be blocked for 2680 minutes., Intrusion detected and blocked.All communication with 129.33.82.53 will be blocked for 2680 minutes.
2004-11-28 12:40:10,Supervisor,Intrusion: Portscan.,"Intrusion: Portscan. Intruder: 129.33.82.53(46510). Risk Level: Medium. Protocol: UDP. Attacked IP: NONAME(xxx.xxx.xxx.xxx). Attacked Port: 33462."
2004-11-28 12:36:44,Supervisor,Intrusion detected and blocked. All communication with 129.33.82.51 will be blocked for 2680 minutes., Intrusion detected and blocked. All communication with 129.33.82.51 will be blocked for 2680 minutes.
2004-11-28 12:36:44,Supervisor,Intrusion: Portscan.,"Intrusion: Portscan. Intruder: 129.33.82.51(42959). Risk Level: Medium. Protocol: UDP. Attacked IP: NONAME(xxx.xxx.xxx.xxx). Attacked Port: 33463."
2004-11-28 12:33:02,Supervisor,Intrusion: Portscan.,"Intrusion: Portscan. Intruder: 129.33.82.52(46508). Risk Level: Medium. Protocol: UDP. Attacked IP: NONAME(xxx.xxx.xxx.xxx). Attacked Port: 33462."
2004-11-28 12:33:02,Supervisor,Intrusion detected and blocked. All communication with 129.33.82.52 will be blocked for 2680 minutes., Intrusion detected and blocked. All communication with 129.33.82.52 will be blocked for 2680 minutes.
2004-11-28 12:26:30,Supervisor,Intrusion: Portscan.,"Intrusion: Portscan. Intruder: 129.33.82.50(43290). Risk Level: Medium. Protocol: UDP. Attacked IP: NONAME(xxx.xxx.xxx.xxx). Attacked Port: 33462."
2004-11-28 12:26:30,Supervisor,Intrusion detected and blocked. All communication with 129.33.82.50 will be blocked for 2680 minutes., Intrusion detected and blocked. All communication with 129.33.82.50 will be blocked for 2680 minutes.
2004-11-28 12:19:38,Supervisor,Intrusion detected and blocked. All communication with 129.33.82.49 will be blocked for 2680 minutes., Intrusion detected and blocked. All communication with 129.33.82.49 will be blocked for 2680 minutes.
2004-11-28 12:19:38,Supervisor,Intrusion: Portscan.,"Intrusion: Portscan. Intruder: 129.33.82.49(41876). Risk Level: Medium. Protocol: UDP. Attacked IP: NONAME(xxx.xxx.xxx.xxx). Attacked Port: 33456."
||
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
Whoever it is has no official connection with the World Community Grid. I am almost feeling left out. I have had only 3 touches over UDP in the last 3 weeks; none like other people are reporting.