Subject: port scanned, need to trace
Category: Computers
Asked by: icmp-ga
List Price: $10.00
Posted: 04 Aug 2002 11:48 PDT
Expires: 03 Sep 2002 11:48 PDT
Question ID: 50517

I just bought a new (used) laptop from a friend - now I am getting port scans from the user that XP Pro is registered to. I want to contact them to find out what the deal is. I have my ZoneAlarm Pro log files to help you out.

Subject: Re: port scanned, need to trace
Answered By: ufphoenix-ga on 04 Aug 2002 15:05 PDT

That IP currently resolves to CPE000393860552.cpe.net.cable.rogers.com.

If you want to keep from seeing these alerts, you need to install a firewall and block the specific portscans from this address. You may be able to convince the Rogers company to assign this particular problem user a static IP so that you do not have to block the entire ISP, but in situations like these, especially if it is a mere port scan and not a DoS attack, they may or may not be cooperative.

I personally recommend SyGate firewall, although there are many, many options on firewalls, including ones that are not quite as complex; these may be more suited in your situation since you are solely concerned with a portscan and blocking a specific person. These firewalls can be configured to 1) block the specific port and/or 2) block the ISP (or, if you can get the ISP to be cooperative, the static IP).

As for finding out who the person actually is, Rogers is correct in saying that since no DoS attack is being performed, they have no legal (or moral) obligation to tell you who owns the specific account; in fact, they would be violating that person's privacy.

Hope this helps.

http://www.sygate.com
http://www.tinysoftware (tiny firewall)

Here's an interesting article on how firewalls work:
http://www.pcworld.com/hereshow/article/0,aid,17012,00.asp

Subject: Re: port scanned, need to trace
From: secret901-ga on 04 Aug 2002 14:07 PDT

How did you know that the person performing the port scans was the person who registered your computer?

Subject: Re: port scanned, need to trace
From: lunatic_high_ff-ga on 18 Sep 2002 14:11 PDT

The best way that I have found to trace IPs on the internet and get more information about the offending computer is to go to www.arin.net and from there, click on the Tools link, then click on the text-only whois link and type in the IP address and click on the submit query button. This will tell you who the IP is registered to.

To (possibly) find more information about the IP at the time the scanning occurred, you can (if on a Windows computer) open a command prompt and try a ping using the -a switch on the IP address. The command string would look like ping -a 10.128.1.1 or whatever the IP address would be at the time. You can also use the tracert command on a Windows computer to follow the path that would be needed to connect your computer to the offending computer. On a *NIX computer (UNIX, Linux, etc), the ping command works the same, but you use traceroute instead of tracert to trace it.

There are applications that can be found on the internet that will actually map out the approximate location of the source IP as well, but it has been a long time since I've looked for them. Also, depending on your internet connection, the port scanning would most likely be from some script kiddie using some application to try and find insecure computers that they can drop "zombie" applications on the computer.
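
The ARIN whois lookup and the ping -a reverse lookup described in the comment above, scripted in Python as an added example that is not part of the original thread. The sample reply, the 192.0.2.x addresses, the organisation and the function names are constructed for illustration; the field names (NetRange, CIDR, OrgName, OrgAbuseEmail) follow ARIN's WHOIS output.

```python
import ipaddress
import socket

# Constructed sample of an ARIN-style WHOIS reply. 192.0.2.0/24 is a
# documentation range and the organisation is made up.
SAMPLE_REPLY = """\
# ARIN WHOIS data (constructed sample)
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
OrgName:        Example Cable ISP
OrgAbuseEmail:  abuse@isp.example
"""

def whois_query(ip, server="whois.arin.net", timeout=10):
    """Plain WHOIS (RFC 3912): TCP port 43, send the query plus CRLF, read to EOF."""
    query = str(ipaddress.ip_address(ip))  # ValueError for anything but an IP
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        reply = b"".join(iter(lambda: s.recv(4096), b""))
    return reply.decode("utf-8", "replace")

def parse_whois(text):
    """Collect 'Key: value' lines into {key: [values]}, skipping comment lines."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(("#", "%")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if value.strip():
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def reverse_name(ip):
    """PTR lookup, the name `ping -a` prints; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def summarize(ip, whois_text):
    """Registrant, abuse contact, and whether the reply really covers this IP."""
    f = parse_whois(whois_text)
    nets = [ipaddress.ip_network(c.strip())
            for v in f.get("CIDR", []) for c in v.split(",")]
    return {
        "in_range": any(ipaddress.ip_address(ip) in n for n in nets),
        "org": f.get("OrgName", [None])[0],
        "abuse": f.get("OrgAbuseEmail", []),
    }
```

For a live lookup, call summarize(ip, whois_query(ip)) with the source address from the firewall log; in_range being False means the reply does not cover that address and should not be attributed to it.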