Some specs first:
Win2k OS
Siemens SpeedStream router with ZoneAlarm firewall
Symantec Corp Edition Virus protection
Adaware (ran frequently)
Comcast internet connection
Here's my original problem for reference:
http://www.ozzu.com/mswindows-forum/ozzu-page-load-problems-resolved-ummm-resolved-again-t20431.html
The lag time in displaying pages on my home computer has been driving me nuts. I think it was yesterday I nixed a couple Adware/Spyware stuff via Adaware. Tonight, when I ran it I had only 10 tracking cookies from sites I visited today...nothing malicious.
Earlier, I was having the darndest time getting pages to load, not just at OZZU, but virtually anywhere I was trying to surf. At some point I got fed up and ran Netstat several times and identified APS Telecom had multiple time-wait active connections to multiple ports (almost in sequence -- below is a sample):
Active Connections
Proto Local Address Foreign Address State
TCP master:1424 207.246.136.193:http TIME_WAIT
TCP master:1468 216.239.57.99:http ESTABLISHED
TCP master:1478 216.195.36.3:http TIME_WAIT
TCP master:1481 216.195.36.3:http TIME_WAIT
TCP master:1482 216.195.36.3:http TIME_WAIT
TCP master:1483 216.195.36.3:http TIME_WAIT
TCP master:1484 216.195.36.3:http TIME_WAIT
TCP master:1485 216.195.36.3:http TIME_WAIT
TCP master:1486 216.195.36.3:http TIME_WAIT
TCP master:1487 216.195.36.3:http TIME_WAIT
TCP master:1488 216.195.36.3:http TIME_WAIT
TCP master:1489 216.195.36.3:http TIME_WAIT
TCP master:1490 216.195.36.3:http TIME_WAIT
TCP master:1491 216.195.36.3:http TIME_WAIT
TCP master:1493 216.195.36.3:http TIME_WAIT
TCP master:1494 216.195.36.3:http TIME_WAIT
TCP master:1496 216.195.36.3:http TIME_WAIT
TCP master:1502 216.195.36.3:http TIME_WAIT
TCP master:1504 216.195.36.3:http TIME_WAIT
TCP master:1506 216.195.36.3:http LAST_ACK
TCP master:1509 216.195.36.3:http TIME_WAIT
C:\Documents and Settings\Administrator>tracert 216.195.36.3
Tracing route to 216.195.36.3 over a maximum of 30 hops
1 * * * Request timed out.
2 15 ms 16 ms 16 ms 10.171.168.1
3 15 ms 16 ms <10 ms 12.244.88.145
4 15 ms 16 ms <10 ms 12.244.65.5
5 16 ms 16 ms 15 ms 12.244.65.1
6 16 ms 15 ms 31 ms 12.125.176.121
7 32 ms 15 ms 31 ms gbr2-p70.phlpa.ip.att.net [12.123.137.26]
8 31 ms 16 ms 31 ms tbr2-p012601.phlpa.ip.att.net [12.122.12.109]
9 31 ms 16 ms 31 ms tbr1-cl9.wswdc.ip.att.net [12.122.2.85]
10 47 ms 16 ms 31 ms ggr1-p360.abnva.ip.att.net [12.123.217.1]
11 16 ms 31 ms 16 ms p11-0.pr01.iad01.atlas.psi.net [154.54.11.109]
12 31 ms 16 ms 47 ms p1-0.core02.dca01.atlas.cogentco.com [154.54.2.201]
13 31 ms 47 ms 32 ms p14-0.core01.atl01.atlas.cogentco.com [66.28.4.161]
14 47 ms 47 ms 47 ms p14-0.core01.mco01.atlas.cogentco.com [66.28.4.153]
15 47 ms 47 ms 31 ms p14-0.core01.tpa01.atlas.cogentco.com [66.28.4.142]
16 63 ms 62 ms 63 ms p5-0.core01.iah01.atlas.cogentco.com [66.28.4.45]
17 94 ms 109 ms 94 ms p14-0.core01.san01.atlas.cogentco.com [66.28.4.6]
18 93 ms 94 ms 109 ms p4-0.core01.lax01.atlas.cogentco.com [66.28.4.77]
19 94 ms 94 ms 109 ms p14-0.core01.sjc01.atlas.cogentco.com [66.28.4.74]
20 94 ms 109 ms 94 ms g7.ba21.b005946-0.sjc01.atlas.cogentco.com [38.112.34.118]
21 * * * Request timed out.
22 * * * Request timed out.
23 * * 109 ms 216.195.36.3
Trace complete.
C:\Documents and Settings\Administrator>netstat
Active Connections
Proto Local Address Foreign Address State
TCP master:1752 209.66.122.99:http TIME_WAIT
TCP master:1753 209.66.122.99:http TIME_WAIT
TCP master:1760 209.66.122.99:http TIME_WAIT
TCP master:1761 209.66.122.99:http TIME_WAIT
TCP master:1762 209.66.122.99:http TIME_WAIT
TCP master:1768 209.66.122.99:http TIME_WAIT
TCP master:1769 209.66.122.99:http TIME_WAIT
TCP master:1773 209.66.122.99:http TIME_WAIT
TCP master:1775 209.66.122.99:http TIME_WAIT
TCP master:1780 209.66.122.99:http TIME_WAIT
TCP master:1782 66.102.7.99:http ESTABLISHED
TCP master:1783 209.66.122.99:http TIME_WAIT
TCP master:1786 209.66.122.99:http TIME_WAIT
TCP master:1789 66.102.7.104:http ESTABLISHED
TCP master:1790 209.66.122.99:http TIME_WAIT
TCP master:1791 209.66.122.99:http TIME_WAIT
TCP master:1792 209.66.122.99:http TIME_WAIT
TCP master:1795 www.cogentco.com:http ESTABLISHED
TCP master:1796 64.233.161.99:http ESTABLISHED
TCP master:1797 209.66.122.99:http TIME_WAIT
216.195.36.3 and 209.66.122.99 are both owned by APS Telecom. Google didn't provide much info. I ran tracert and NeoTrace and did a few whois searches and narrowed the abuse email to abuse@3fn.net
http://3fn.net is a private hosting service out of San Jose, CA, although APS Telecom appears to be from 1802 N Carson Street, Carson City, NV according to nic.com's whois search and NeoTrace results.
The second IP address appears to be owned by APS as a sub-IP range within Abovenet Communication's range.
I can't, for the life of me, think of a reason why a couple of hosting services out of California/Nevada would have an IP that would have that many port scans going on on my computer. Any ideas? It was at those times tonight, when the port scans were taking place, that my internet connectivity was for crap.
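One way to triage netstat listings like the ones in the post, added here as an example and not part of the original post: group TCP rows by remote host, count connection states, and label each row's likely direction. The sample rows are constructed in the same layout (203.0.113.7 is a documentation address), and the direction rule (a named or below-1024 port marks the service side) is an assumption of this sketch.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same layout as the netstat output quoted above.
SAMPLE = """\
Active Connections
Proto Local Address Foreign Address State
TCP master:1468 216.239.57.99:http ESTABLISHED
TCP master:1478 216.195.36.3:http TIME_WAIT
TCP master:1481 216.195.36.3:http TIME_WAIT
TCP master:1482 216.195.36.3:http TIME_WAIT
TCP master:1506 216.195.36.3:http LAST_ACK
TCP master:80 203.0.113.7:4312 ESTABLISHED
"""

# host:port pairs; the greedy host group stops at the last colon.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")

def is_service_port(port):
    # Assumption: netstat (without -n) prints a name only for ports listed
    # in the services file, so a named or <1024 port is the service side.
    return not port.isdigit() or int(port) < 1024

def direction(local_port, remote_port):
    if is_service_port(remote_port) and not is_service_port(local_port):
        return "outbound"   # this host is the client (ephemeral local port)
    if is_service_port(local_port) and not is_service_port(remote_port):
        return "inbound"    # remote host connected to a local service
    return "unknown"

def summarize(text):
    """Map remote host -> state counts and direction counts."""
    out = defaultdict(lambda: {"states": Counter(), "directions": Counter()})
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, prompts, blank lines
        _lhost, lport, rhost, rport, state = m.groups()
        out[rhost]["states"][state] += 1
        out[rhost]["directions"][direction(lport, rport)] += 1
    return dict(out)

def top_talkers(text, min_conns=3):
    """Remote hosts with at least min_conns rows, busiest first."""
    rows = [(h, sum(v["states"].values()), dict(v["states"]), dict(v["directions"]))
            for h, v in summarize(text).items()]
    return sorted((r for r in rows if r[1] >= min_conns), key=lambda r: -r[1])

if __name__ == "__main__":
    for host, total, states, dirs in top_talkers(SAMPLE):
        print(host, total, states, dirs)
```

Running `netstat -n` avoids name lookups, in which case only the below-1024 half of the rule applies.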