View Full Version : Black Orifice scan from ops.athome [????]

03-05-00, 01:53 AM
Man, I thought this was odd. Is this common as well?

03-05-00, 09:20 AM
?.....I doubt its from @home themselves..I get that scan sometimes too. From all over the place. Maybe someone hopping onto AT&T's pipline somewhere. That way you don't know were its really comming from....Arn't you glad your using something like BI?

03-09-00, 10:37 PM
Actually, @Home does scan your ports like crazy. I run Port Sentry on my machine and it logged them 15 times in one day scanning various ports. I called their tech support people and asked why they were scanning my ports, and they said that they want to make sure that @Home users aren't running server type services. My reply, "But 15 times in 24 hours!!!!"

So, I added their scanning server's IP to my reject/deny list--now I can run a server and they won't know.

If they call me to bitch about it, I'll tell them for $40 a month I don't want my ports scanned--but, if you knock $20 off I'll let you scan to your hearts content!

[This message has been edited by Stu (edited 03-09-2000).]

03-11-00, 01:54 AM
If any of you read the AUP, you'll see that they CANNOT run these scans, which is according to their own policy. The upstream cap was implemented, and that virtually eliminates the option of runing a server. Besides, @Home has admitted that they are able to monitor for servers without the upstream cap.

I called @Home tonight and shredded 2 of the tech support people. Still waiting for the supervisor to call me back, although I doubt it will happen. He tried to tell me that what I quoted verbatim from the @Home AUP and applied to what they were doing was my interpretation of the AUP. Well, the AUP does not include any statement which would grant them permission to perform illegal system scans, as well as invade my privacy. So, that basically states that @Home is in constant violation of their own AUP, and something needs to be done. For users to just ignore these things is wrong. By installing something simple like BlackICE or ZoneAlarm, you can log these attacks and add to the pressue against the IPSs who are performing these scans.

As for the Back Orifice ping, I received a couple as well a few days ago.

When I sprung that surprise on the tech, he had no response. As for the other ones, a previous tech (L1) tried to feed me this bull that they perform the scans to verify connectivity. Bull$hit. They can ping the modem to verify connectivity, or perform a host of other functions besides NNTP port probes and Back Orifice pings to verify connectivity. They're lying through their teeth.


03-11-00, 06:54 AM
Addikt, maybe I'm missing something, but what would be the point of @home running a Back Orifice probe?
Its well known that they have started running an NNTP probe. @home is on newgroup probation. http://www.speedguide.net/ubb/biggrin.gif While I too believe that @home is in violation of their own AUP, I also would be pissed if I lost my newsgroup cuz a small group of jerks were abusing the system.

03-11-00, 12:07 PM
With everything @Home blocks access to in the newsgroups (anything controversial), I'm not the least bit concerned about losing them through @Home. I use an earthlink account to do my newsgroup surfing. While it is a bit slower than going directly through an @Home server, nothing is blocked.

I think I'm missing something here. @Home is in hock for the newsgroup stuff, but what exactly are they going to accomplish by running NNTP port probes? Ooh, I use part of their service! Let's call the FBI! They are run every 4 hours (2 within .4 seconds), and only between say 7am and 6pm. Personally, I do my newsgroup surfing in the middle of the night anyway.

Does this mean they are going to start running http (80) probes, or pop3 probes? They damn well better not.

The bottom line here, is that they are in violation of their own policy, and the reasons they tried to give me were absolutely ludicrous. It sounds as though some here are trying to excuse their actions. I guess to some privacy isn't as important.


03-19-00, 04:12 AM
Umm, Hi...
I would suspect, and don't quote me on this, that they have serious concerns about people on their system being attacked by BO. In order to prevent THEIR systems from being used in unauthorized ways, they need to find out who has a BO master/slave client running, and either warn the user, or shut them down. The same applies for the NNTP scans. It's not so much that they care what you're doing, but that they don't want to be the middle guy if someone else tries to use your system as a NNTP spam or BO controlled machine for something that might have repercussions for them.

I'm not saying I support it, but as someone who works for an ISP, I can appreciate their concerns. Like it or not, most folks are NOT as cognizant as most of the folks here, so @Home has to act as their mommy and check these things for them. (shrug)

The other option, of course is to simply close these ports inbound/outbound on their routers. That will stop BO, but it'll also kill news access unless they set up a inside news server and deliver it from there. In fact, I'm surprised they haven't simply set up port redirecting tunnels for their own servers, and be done with it.


"Yeah Baby, YEAH!!!"

03-19-00, 09:02 PM
Ok Bouncer. That might explain it. I never thought about that. I have only recieved one BO probe from @home since I've loaded BI. I've seen a few from other address's.
Thanks for the post. http://www.speedguide.net/ubb/biggrin.gif