Ports scanner activity reported by router

DAMIEN1307

Ports scanner activity reported by router

Post by DAMIEN1307 »

This last week, I've been having what I believe is external entities from possibly both Japan and Australia doing repeated scans of my ports which of course are not being responded to and are dropped by my router...can anyone tell me anything about this at all...this has happened in the past and then not a peep for as long as a year and then just happens all over again...who ? what ? where ? when ? why ? how ?...it's always dropped by the router, just disturbing to me and would like to know more about this type of thing happening...the following below is just from yesterday late morning till late night, had already erased the other attempts throughout the days before, and they are always started with the same address of 196.52.43.xx, only the last numbers are different...appreciate any and all info you can share...DAMIEN

Jul/31/2018 11:20:29 SYN with Data from IP 196.52.43.97 port 10233 to IP 24.xx.xxx.xx port 3389 dropped
Jul/31/2018 14:10:48 SYN with Data from IP 196.52.43.65 port 10397 to IP 24.xx.xxx.xx port 3389 dropped
Jul/31/2018 21:14:50 SYN with Data from IP 196.52.43.128 port 10978 to IP 24.xx.xxx.xx port 22 dropped
Jul/31/2018 22:57:28 SYN with Data from IP 196.52.43.118 port 19698 to IP 24.xx.xxx.xx port 502 dropped

of course i have substituted the actual numbers with Xs on my own IP address
trytip
Level 14
Posts: 5367
Joined: Tue Jul 05, 2016 1:20 pm

Re: Ports scanner activity reported by router

Post by trytip »

it's your internet provider? https://tools.tracemyip.org/lookup/196.52.43.97 LogicWeb Inc. ?
gm10

Re: Ports scanner activity reported by router

Post by gm10 »

DAMIEN1307 wrote: Wed Aug 01, 2018 12:51 pm .who ? what ? where ? when ? why ? how ?...
Port scans are constantly happening all over the Internet to find attack surfaces (e.g. the first port is for remote desktop connections). Usually it's automated, botnets are big business. It's unlikely to be a targeted attack at you. Only once open ports are found, expect a bunch of targeted probes some time later, hammering you with all the known exploits for the server behind that port.

It's why you got those experiments on how few minutes it takes an unprotected Windows XP to get owned as soon as you connect it to the Internet. It's not many. ;)
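
Added example (not part of any post in this thread): a small parser for the router log format shown in the first post, grouping the dropped probes by source /24 and by the service normally found on each destination port. The field layout is inferred from the four posted lines, and the names `parse`, `summarise` and `SERVICES` are chosen here for illustration.

```python
import ipaddress
import re
from collections import Counter

# Router log lines copied from the first post; the destination address is
# masked there, so it is kept as an opaque string and never parsed as an IP.
SAMPLE_LOG = """\
Jul/31/2018 11:20:29 SYN with Data from IP 196.52.43.97 port 10233 to IP 24.xx.xxx.xx port 3389 dropped
Jul/31/2018 14:10:48 SYN with Data from IP 196.52.43.65 port 10397 to IP 24.xx.xxx.xx port 3389 dropped
Jul/31/2018 21:14:50 SYN with Data from IP 196.52.43.128 port 10978 to IP 24.xx.xxx.xx port 22 dropped
Jul/31/2018 22:57:28 SYN with Data from IP 196.52.43.118 port 19698 to IP 24.xx.xxx.xx port 502 dropped
"""

# Field layout inferred from the four lines above (assumption: other
# firmware versions may log a different format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kind>.+?) from IP (?P<src>\S+) port (?P<sport>\d+)"
    r" to IP (?P<dst>\S+) port (?P<dport>\d+) (?P<action>\w+)$"
)

# Well-known services for the destination ports seen in the post.
SERVICES = {22: "SSH", 502: "Modbus/TCP", 3389: "RDP"}


def parse(log_text):
    """Return one dict per recognised log line; unrecognised lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def summarise(events, prefix=24):
    """Group events by source network: distinct hosts, probed services, actions."""
    summary = {}
    for e in events:
        net = str(ipaddress.ip_network(f"{e['src']}/{prefix}", strict=False))
        s = summary.setdefault(net, {"hosts": set(), "ports": Counter(), "actions": Counter()})
        s["hosts"].add(e["src"])
        s["ports"][SERVICES.get(e["dport"], str(e["dport"]))] += 1
        s["actions"][e["action"]] += 1
    return summary


if __name__ == "__main__":
    for net, s in summarise(parse(SAMPLE_LOG)).items():
        print(net, len(s["hosts"]), "hosts", dict(s["ports"]), dict(s["actions"]))
```

On the posted lines this yields a single source network with four distinct hosts, each probing a different well-known service port, and every packet dropped.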
DAMIEN1307

Re: Ports scanner activity reported by router

Post by DAMIEN1307 »

hi trytip hi gm10...to the first answer from trytip...definitely not my IP provider, i've tracked those addresses to both australia and japan (also take note that maybe you should try using ublock origin on your system)...the tracemyip.org you suggested is in itself a known tracker according to ublock...thanks for answer though...DAMIEN


"uBlock Origin has prevented the following page from loading:

https://tools.tracemyip.org/lookup/196.52.43.97

Because of the following filter

||tracemyip.org^

Found in: hpHosts’ Ad and tracking servers"


question for gm10 ?...if not targeted directly for me, why is it using my unique IP address ? and not the more generalised address of my IP provider ? and why can i go months to a year (keep in mind that my router always reports when this happens) before the exact same sites as evidenced by these 196.52.43.xx, etc addresses try again and again...just asking...DAMIEN
gm10

Re: Ports scanner activity reported by router

Post by gm10 »

DAMIEN1307 wrote: Wed Aug 01, 2018 1:51 pm , why is it using my unique IP address ? and not the more generalised address of my IP provider ?
I really don't understand what you mean by that. 24.x.x.x is not a reserved IP block, so that's your public IP they were connecting to.
DAMIEN1307 wrote: Wed Aug 01, 2018 1:51 pm and why can i go months to a year (keep in mind that my router always reports when this happens) before the exact same sites as evidenced by these 196.52.43.xx, etc addresses try again and again...just asking...DAMIEN
Because they are busy going after other nodes? It's a weird question to ask, be happy they don't have a higher frequency I guess.
DAMIEN1307

Re: Ports scanner activity reported by router

Post by DAMIEN1307 »

would that also be true when my Internet connection has no Reverse DNS ?
IP addresses are associated with a DNS machine name. (mine is not.) My machine name cannot be retrieved from my IP address...
Reverse DNS is supported by Internet service providers, no such lookups are possible with my current Internet connection address...My Internet connection has no Reverse DNS...DAMIEN

ps...10 more attempts made just in the time that i started this post till now...all "attacks" are now being directed to port 3389 which is an old win xp exploit for trying to gain remote access to a given machine (my port 3389 as well as all others declare themselves to be in "stealth" mode.)
gm10

Re: Ports scanner activity reported by router

Post by gm10 »

DNS has absolutely nothing to do with this, not even a little bit.
trytip

Re: Ports scanner activity reported by router

Post by trytip »

yes they have logs but no trackers, everything logs you including google and mint but i don't see anything malicious. i'm sure i could have used a different site if i searched more sorry to scare you :) the only thing i see is that googlesyndication is here but nothing unusual and it's blocked by most blockers.
Last edited by trytip on Wed Aug 01, 2018 11:08 pm, edited 1 time in total.
DAMIEN1307

Re: Ports scanner activity reported by router

Post by DAMIEN1307 »


all google is blocked here...no google accts as well as blocking all google trackers manually when im on line to websites etc...if any message tells me google is required, i do not bother...im really anti tracking...same with fakebook, instagram, twitter etc...im even blocking all referers to your imgur pic as well as post of ublock log and that gold line you have all created with imgur.com...my system reports them as trackers, i can see the pics etc while blocking their tracking capabilities...lol...DAMIEN

Wed, Aug 1 13:03:05:
requested: https://i.imgur.com/F8VqT0E.jpg
matched filter: < default action > - blocked referer.

Wed, Aug 1 13:02:40:
requested: https://i.imgur.com/F8VqT0E.jpg
matched filter: < default action > - blocked referer.

Wed, Aug 1 13:02:40:
requested: https://i.imgur.com/RcCyvVu.png
matched filter: < default action > - blocked referer.

Wed, Aug 1 13:02:40:
requested: https://i.imgur.com/1G7crCd.gif
matched filter: < default action > - blocked referer.
DAMIEN1307

Re: Ports scanner activity reported by router

Post by DAMIEN1307 »

hi gm10...i guess i have to be missing something here when you said, "DNS has absolutely nothing to do with this, not even a little bit."...i do not claim to fathom all here but if DNS, IP address etc. have nothing to do with each other, then why the below posted from GRC.com when i just tested this system, where he refers to both DNS and IP addresses in the same breath ? i'm not trolling here, i'm trying to understand this and have not had anyone to explain this to me as of yet where i can get a clear and concise comprehension thereof...DAMIEN


report below from GRC.com, steve gibson...

Your Internet connection has no Reverse DNS
Many Internet connection IP addresses are associated with a DNS machine name. (But yours is not.) The presence of "Reverse DNS", which allows the machine name to be retrieved from the IP address, can represent a privacy and possible security concern for Internet consumers since it may uniquely and persistently identify your Internet account — and therefore you — and may disclose other information, such as your geographic location.

When present, reverse DNS is supported by Internet service providers. But no such lookups are possible with your current Internet connection address (24.xx.xxx.xx). That's generally a good thing.
gm10

Re: Ports scanner activity reported by router

Post by gm10 »

I was saying someone port scanning you has exactly zero to do with possible privacy concerns about your hostname.
jimallyn
Level 19
Posts: 9075
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: Ports scanner activity reported by router

Post by jimallyn »

DAMIEN1307 wrote: Wed Aug 01, 2018 1:51 pm..if not targeted directly for me, why is it using my unique IP address ?
Because they start at 0.0.0.0 and work their way through 255.255.255.255.
“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan
trytip

Re: Ports scanner activity reported by router

Post by trytip »

@DAMIEN1307 i guess you think your tinfoil hat is bigger than mine. i don't mind it. tell me this though, you are now so paranoid about blocking things you can't research an ip address because every tool you need is being blocked. there's traceroute in synaptic
Last edited by trytip on Thu Aug 02, 2018 5:39 pm, edited 1 time in total.
DAMIEN1307

Re: Ports scanner activity reported by router

Post by DAMIEN1307 »

no...i really dont block anything out of paranoia...i block, 1st of all because everything takes extra time to load up on webpages...2nd reason is now at my age i am just sick and tired of advertisers trying to shove their crap down my throat because they try to convince people they cant live without their crap...im retired, on a fixed income, im not going to buy crap i just dont need,...plus i build my own computers etc...they do not own it, I DO...microsoft tried that with windows 10 taking over the systems, sent me running to linux...the day that i cant block anymore crap is the day you will see me take all my computers outside and just shotgun them to death...so as you see, its not tin hat paranoia that drives me...its pure anger, rage and disgust at being infringed upon not only by this crap but even by telephones with cold callers trying to scam me claiming they are "windows support" or others calling with their "surveys" and "questionnaires" or soliciting money for this or that "cause" etc...im on the DNC list and they ignore it...im going to join catweazel as his apprentice...he is the "Official Curmudgeon in Chief"...im striving now to be the "Official Curmudgeon in Training"...lol...ahhh...now i feel better...nothing like a morning coffee and rant to start off the day...lol...DAMIEN

ps trytip...i can and do reach what i want on the internet...if they're in league with the corporate crap thats doing the above, i do not need to access their sites...its just that simple with me...i do not need their aggravation...its that crap that has contributed to my heart attacks and strokes

pss jimallyn and gm10...for someone not being purposely targeted from last night to this morning...over 200 attempts recorded on router, all successfully dropped, so i guess this must be normal for everyone then...???
trytip

Re: Ports scanner activity reported by router

Post by trytip »

i know what you mean. i have my sense of security and you have yours. i'm sure we meet somewhere in the middle. i am curious if you have solved the issue of sites not detecting you are using a blocker ? https://browserleaks.com/proxy


there are tweaks you can add to ublockO without needing the extra two extensions required to actually do this
DAMIEN1307

Re: Ports scanner activity reported by router

Post by DAMIEN1307 »

not quite sure of what you are asking...you wrote, " i am curious if you have solved the issue of sites not detecting you are using a blocker ?"...DAMIEN
trytip

Re: Ports scanner activity reported by router

Post by trytip »

does https://browserleaks.com/proxy detect your ublock?
DAMIEN1307

Re: Ports scanner activity reported by router

Post by DAMIEN1307 »

yes...it does detect it...DAMIEN

uBlock filters
uBlock filters – Badware risks
EasyPrivacy
Peter Lowe's list
Fanboy's Anti-Facebook List
MalwareDomainList.com Hosts List
MVPS HOSTS
hpHosts
Dan Pollock's hosts file
trytip

Re: Ports scanner activity reported by router

Post by trytip »

here are instructions to make ublock undetected and add function of bitcoin mining

go to https://jspenguin2017.github.io/uBlockProtector/

scroll to the bottom of the page where: Extra installation steps for uBlock Origin
follow instructions and click step 1: 2: 4: 5: (the lists will automatically be added to ublock) special info how to add step 3:

now for bitcoin miner block go to: https://github.com/hoshsadiq/adblock-nocoin-list
scroll to where says: Then click or import below link into your adblocker it will add a new nocoinlist blocker

test your ublock again at: https://browserleaks.com/proxy and if done correctly everything will be not detected
DAMIEN1307

Re: Ports scanner activity reported by router

Post by DAMIEN1307 »

hi trytip...that was a neat little nifty, gifty for ublock origin...many, many thanks for that one ...lol...next question though...im already using "minerblock", (minerBlock offered by CryptoMineDev), with the chromium browser w/ startpage search engine...is the additional bitcoin mining blocker even necessary ???...will wait for answer to this one...(have not had any "miners" show up at all as of yet)...and the other question is THE STEP 3...i do not understand what this does or if i even need to do this...ublock no longer shows as being detected without implementing step 3 so need further info of this...and yes, love the idea of ublock being "incognito"...DAMIEN