Someone is Scanning my computer


Rainy

from this IP ADDRESS..192.151.52.187 how do I find out who is doing
this...is there a way, I have a firewall, which told me.. and 2 kinds of
anti spyware programs... and AVG.. I thought I closed all the ports...
should I be concerned about this? Rainy
 
Rainy said:
from this IP ADDRESS..192.151.52.187 how do I find out who
is doing this...is there a way, I have a firewall, which
told me.. and 2 kinds of anti spyware programs... and AVG..
I thought I closed all the ports... should I be concerned
about this? Rainy

Rainy,

Do you have an HP computer? How about an HP scanner or printer?
Searching for that address yields these results:

WHOIS results for 192.151.52.187
http://www.dnsstuff.com/tools/whois.ch?ip=192.151.52.187

It's possible that you have a program running in the background
that checks for updates from HP. Run msconfig and check the
Startup tab for entries related to HP.

Sounds to me like your firewall is doing its job just fine.

Nepatsfan
 
Fri, 17 Feb 2006 00:30:09 GMT from Rainy <rainydays38@sweetwrapz.net>:
from this IP ADDRESS..192.151.52.187 how do I find out who is doing
this...is there a way, I have a firewall, which told me.. and 2 kinds of
anti spyware programs... and AVG.. I thought I closed all the ports...
should I be concerned about this? Rainy


Visit http://grc.com -- scroll down and click on "Shields Up", follow
the instructions to close your ports.
 
My ports were all closed, :) at least now I feel better.. not sure how HP
scanned my computer, if I have this STEALTH classification.. :) Rainy

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

0 Ports Open
0 Ports Closed
26 Ports Stealth
---------------------
26 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,

 
Did your firewall tell you if it was incoming or outgoing???
I bet HD printer/scanner/??? is trying to update itself.
Or one of the automated programs that HP placed on your system is trying to
check to see if you need an update.
peter
 
It was incoming.. here is what the log said... it said those ports were
scanned, how could they if I have my ports closed off? maybe Sygate was
telling me they were trying to... ? There were two other attempts Rainy

Somebody is scanning your computer.
Your computer's TCP ports:
5001, 5002, 5004, and 5006 have been scanned from 192.151.52.187.

peter said:
Did your firewall tell you if it was incoming or outgoing???
I bet HD printer/scanner/??? is trying to update itself.
Or one of the automated programs that HP placed on your system is trying
to check to see if you need an update.
peter
 
The "scan" may have been initiated by you. Well, not you personally but
some HP software that is installed and configured to automatically check
for updates.

Some programs check on a schedule. The schedule may or may not show up
under Scheduled Tasks since not all programs enter their information there.
Some check whenever you launch the program.

"Nice" programs have settings that let you control when - if ever - the
program will be allowed to do this on your behalf. The menus may be a
little buried (maybe the programs aren't so nice?) but can usually be
uncovered if you dig deep enough.

Most firewalls allow "solicited packets" - locally initiated requests.
Unfortunately, we're not always aware that they're being solicited.
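
The "solicited packets" behaviour described in this post, as an added example that is not part of the original thread: a simplified model of a stateful firewall's connection table. The class name, the 60-second timeout, remote port 80 and the packet timeline are assumptions constructed for illustration; only the IP address and local port numbers come from the thread.

```python
from dataclasses import dataclass, field

STATE_TIMEOUT = 60  # seconds an idle flow stays in the table (assumed value)


@dataclass
class StatefulFilter:
    """Toy connection table: inbound is allowed only as a reply to local traffic."""
    flows: dict = field(default_factory=dict)  # (lport, rip, rport) -> last seen

    def outbound(self, now, lport, rip, rport):
        # A locally initiated packet creates or refreshes the flow entry.
        self.flows[(lport, rip, rport)] = now

    def inbound(self, now, rip, rport, lport):
        # Expire idle entries, then look for the flow this packet would answer.
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t <= STATE_TIMEOUT}
        key = (lport, rip, rport)
        if key in self.flows:
            self.flows[key] = now
            return "solicited: allowed"
        return "unsolicited: dropped and logged"


def demo():
    fw = StatefulFilter()
    hp = "192.151.52.187"  # address from the thread
    results = []
    # Constructed timeline: an updater on the PC opens a connection to port 80.
    fw.outbound(0, 5001, hp, 80)
    results.append(fw.inbound(1, hp, 80, 5001))    # reply on the open flow
    results.append(fw.inbound(2, hp, 80, 5002))    # no local request on this port
    results.append(fw.inbound(120, hp, 80, 5001))  # late packet, entry expired
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The third packet shows why a host the PC itself contacted can still end up in the firewall log: once the table entry has expired, its packets are treated the same as any other unsolicited traffic.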
 
right, it's one of the startup entries, so it is running in the bkg... I'm
assuming I can remove it from startup.. I'm also assuming my printer will
still work if I do.. of course if it doesn't I will just put it back.. lol
rainy
 
Hello Nepatsfan
I just tried your link re dnsstuff - it comes up with a warning-

WARNING: You are using a web proxy that is currently being abused by
malware. Please go here for more details. The web proxy IP is 62.253.128.14.

Is this safe to go further????
Antioch
 
192.151.52.187

From Arin Whois:
OrgName: Hewlett-Packard Company
OrgID: HP
Address: 3000 Hanover Street
City: Palo Alto
StateProv: CA
PostalCode: 94304
Country: US

NetRange: 192.151.1.0 - 192.151.84.255
CIDR: 192.151.1.0/24, 192.151.2.0/23, 192.151.4.0/22, 192.151.8.0/21, 192.151.16.0/20, 192.151.32.0/19, 192.151.64.0/20, 192.151.80.0/22, 192.151.84.0/24
NetName: HP-151-1
NetHandle: NET-192-151-1-0-1
Parent: NET-192-0-0-0-0
NetType: Direct Allocation
NameServer: ATLANTA.AMERICAS.HP.NET
NameServer: PALOALTO.AMERICAS.HP.NET
Comment:
RegDate: 1992-03-26
Updated: 2003-02-24

RAbuseHandle: NAR-ARIN
RAbuseName: Network Abuse Response
RAbusePhone: +1-650-857-5120
RAbuseEmail: (e-mail address removed)

RTechHandle: HH15-ORG-ARIN
RTechName: Hewlett-Packard Company
RTechPhone: +1-800-524-7638
RTechEmail: (e-mail address removed)

RTechHandle: AI2-ORG-ARIN
RTechName: Hewlett Packard Company
RTechPhone: +1-800-524-7638
RTechEmail: (e-mail address removed)

OrgTechHandle: HH15-ORG-ARIN
OrgTechName: Hewlett-Packard Company
OrgTechPhone: +1-800-524-7638
OrgTechEmail: (e-mail address removed)

Do you have an HP machine, or an HP Printer/scanner?
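
The lookup done by hand in this post can be scripted. The following is an added example, not part of the original thread: it matches the source address in the firewall alert against the NetRange and CIDR lines of the WHOIS record and checks that the CIDR list really covers the stated range. The function names are hypothetical; the input text is copied from the thread.

```python
import ipaddress
import re

# OrgName/NetRange/CIDR lines copied from the ARIN record quoted above.
WHOIS_TEXT = """\
OrgName: Hewlett-Packard Company
NetRange: 192.151.1.0 - 192.151.84.255
CIDR: 192.151.1.0/24, 192.151.2.0/23, 192.151.4.0/22, 192.151.8.0/21, 192.151.16.0/20, 192.151.32.0/19, 192.151.64.0/20, 192.151.80.0/22, 192.151.84.0/24
"""

# Firewall alert sentence as posted earlier in the thread.
ALERT = ("Your computer's TCP ports: 5001, 5002, 5004, and 5006 "
         "have been scanned from 192.151.52.187.")


def parse_whois(text):
    """Return (org, first_ip, last_ip, networks) from ARIN-style 'key: value' lines."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    first, last = (ipaddress.ip_address(p.strip()) for p in fields["NetRange"].split(" - "))
    nets = [ipaddress.ip_network(c.strip()) for c in fields["CIDR"].split(",")]
    return fields["OrgName"].strip(), first, last, nets


def parse_alert(text):
    """Extract the source address and the probed ports from the alert sentence."""
    src = ipaddress.ip_address(re.search(r"from (\d+(?:\.\d+){3})", text).group(1))
    port_part = text.split("ports:", 1)[1].split("have been", 1)[0]
    ports = [int(p) for p in re.findall(r"\d+", port_part)]
    return src, ports


def attribute(alert, whois_text):
    """Match the alert's source IP against the WHOIS allocation."""
    org, first, last, nets = parse_whois(whois_text)
    src, ports = parse_alert(alert)
    # The CIDR list should be exactly the minimal cover of NetRange; a mismatch
    # means the record was mis-copied or truncated.
    consistent = list(ipaddress.summarize_address_range(first, last)) == nets
    block = next((n for n in nets if src in n), None)
    return {"org": org, "src": str(src), "ports": ports,
            "block": str(block) if block else None, "record_consistent": consistent}


if __name__ == "__main__":
    print(attribute(ALERT, WHOIS_TEXT))
```

A `block` of `None` means the address is outside the allocation and the record says nothing about who owns it.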
 
It would appear that the site, www.dnsstuff.com, doesn't trust
your internet service provider. The warning directs you to this
site:

http://banned.dnsstuff.com/pages/abuse.htm

Here's the relevant portion of that web site:

******************************************************************
You use a web proxy that is abusing us: If you use a web proxy,
you are now sharing the same IP address with possibly thousands
of other people. If one of them abuses our site, you may get
banned. If this is the case, you should stop using the web
proxy. If you are forced to use a web proxy, you should
complain to whoever is forcing you to use it (they aren't
providing full Internet access!).
You should contact whoever is in charge of your web proxy (if
you aren't sure, contact your Internet provider) for
assistance. You should let them know that the web proxy at [IP
of your web proxy] is being abused and participating in a DDoS
attack (and may be an 'open web proxy'), and that they must fix
the problem. Searching the web proxy logs for 'netgeo.ch' will
definitely find the rogue hits (but could possibly find some
legitimate hits).
For web proxies owners: Yes, we do know what web proxies are,
and no, we are not blocking you because a lot of people access
our site through the web proxy -- we are blocking you because
you are providing web access to someone who is running malware
that is abusing our site.

One other option is to go to www.DNSstuff.com:8080, which may
bypass your web proxy. If it does, you won't be blocked
(unless, of course, you do something you shouldn't!).
**************************************************************

It would appear that you're not the first person to get that
warning. Here are a couple of posts from their user forum with
more info:

WARNING: You are using a web proxy that is currently being
abused by malware
http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=780030&highlight=warning+proxy+abused+malware

Proxy Banned
http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=609032&highlight=warning+proxy+abused+malware

The bottom line is that this site believes that someone is
attacking their web site through one of your ISP's servers. In
response, it's blocking any traffic from that proxy server.

I don't know what else to tell you other than as long as you're
confident that your system is free of any type of infection, I
wouldn't be worried about that message.

Nepatsfan

 
You don't really need to worry about the actual scan. Your firewall is doing
its job and blocking the scan. If you come across another scan in the future
there's no need to worry as you run a firewall. If you look at anyone's
firewall logs there will be scan after scan. Many years ago I used to chase
after the person scanning my computer but it's just not worth it. If you just
want to find out about this scan, as someone pointed out it's HP.
--
Please repost if you find the fault

Glen P
~~~~~~~~~~~~~~~~~~~~
Rainy said:
right, it's one of the startup entries, so it is running in the bkg... I'm
assuming I can remove it from startup.. I'm also assuming my printer will
still work if I do.. of course if it doesn't I will just put it back.. lol
rainy
 
Thank you Nepatsfan
I don't think I will bother - I use ntl cable b'band.
Rgds
Antioch
 
I'm not worried now... and my firewall has informed me before... this time I
just wanted to know if I was secure.. and once I got the first response, I
now know I am... thanks for the response.. Rainy
Glen said:
You don't really need to worry about the actual scan. Your firewall is
doing its job and blocking the scan. If you come across another scan in
the future there's no need to worry as you run a firewall. If you look at
anyone's firewall logs there will be scan after scan. Many years ago I used
to chase after the person scanning my computer but it's just not worth it.
If you just want to find out about this scan, as someone pointed out it's
HP.
 
This is HP's Website.
Most likely your computer is looking for printer or scanner updates.
No harm in this link ( other than Hewlett-Packard )
 