


Constant Portscan, HELP!




Posted by: James

I'm having a constant portscan from a network address in my company that is unknown to me. I need to know the computer name of the source. Is there any way to find out about it? Please help... thanks.



Posted by: Escher

First of all, I suggest you close all open ports, which are often dormant.

Second, there is a program I will recommend.

Lockdown2000

[url]http://www.lockdown2000.com[/url]

Why?

Because this will give you the IP of the computer which is running the portscan program, and so with that you should be able to critically understand how IPs are assigned and figure out the computer. Could be a virus too.



Posted by: gruntwerk

Windows-based machines:
at a command prompt:
tracert ipaddress

Linux: /usr/sbin/traceroute ipaddress



Posted by: tech4hire

Have you run the patch for the Blaster worm? Also, it could just be your ISP. A lot of those are just broadcast scans and not directed at your computer.



Posted by: James

I managed to find out that it's my company's domain controller that is doing the portscan; however, a check of the documentation reveals that it shouldn't take place at all. Obviously, it's a manual attempt by some unknown personality in the company.

Also, the following things took place whilst this portscan was initiated.

A jolt attack was detected by my firewall in the LAN.
A fragment attack was also detected.
My laptop bugchecked.
After 1 hr of failed attempts to portscan me, my LAN was disabled.

I just joined the company as a system administrator a few weeks ago and the domain controller is under my control.... yet such things happened. Thus, I suspect it to be an insider job. Is it possible for me to detect the person who is using the server to do the portscan? Also, I'm aware of some programs where you can reboot a computer from the network plus ban the MAC. Are there any methods or policies which I could configure to prevent all these from happening?

My main suspicion is a hacker from an external network who may have gained control of my DC...



Posted by: chesman

What is the OS you are running?



Posted by: James

My computer is running XP Pro. The DC is W2K Advanced Server.



Posted by: Campee

I suggest you install some firewall software on that server that will monitor inbound and outbound traffic. I suggest you try Kerio Personal Firewall. That way you can monitor the portscans and disable the computer's ability to send them.



Posted by: chesman

Well, Win2k should have a network monitor built in which is basically a packet sniffer. So you should be able to watch the network and see where everything is coming from.

For a better network monitor and whatnot you can always install SMS 2.0.
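Added example, not posted by anyone in this thread: once you have packet-sniffer output in hand, the tedious part is working out which source is actually scanning (many distinct destination ports against one target in a short window) rather than a workstation that keeps hitting one service. The script below does that over a constructed capture summary; the line format, the 10.0.0.x addresses and the name table are all made up for illustration, and in real use the name table would be replaced by a DNS or WINS lookup.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sniffer output, one TCP SYN per line, in the form
# "<time> <src_ip> -> <dst_ip>:<dst_port>". Illustrative data, not a real capture.
SAMPLE_CAPTURE = """\
12:00:01 10.0.0.5 -> 10.0.0.20:21
12:00:01 10.0.0.5 -> 10.0.0.20:22
12:00:02 10.0.0.5 -> 10.0.0.20:23
12:00:02 10.0.0.5 -> 10.0.0.20:25
12:00:03 10.0.0.5 -> 10.0.0.20:80
12:00:03 10.0.0.5 -> 10.0.0.20:135
12:00:04 10.0.0.5 -> 10.0.0.20:139
12:00:04 10.0.0.5 -> 10.0.0.20:445
12:00:05 10.0.0.7 -> 10.0.0.20:445
12:00:06 10.0.0.7 -> 10.0.0.20:445
12:00:07 10.0.0.9 -> 10.0.0.20:80
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) -> (\S+):(\d+)$")

# Constructed address-to-name table standing in for a DNS/WINS lookup on the real LAN.
HOSTNAMES = {"10.0.0.5": "DC01", "10.0.0.7": "WKS-ACCOUNTING", "10.0.0.9": "WKS-LOBBY"}


def parse_capture(text):
    """Turn capture lines into (timestamp, src_ip, dst_ip, dst_port) tuples, skipping junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def find_port_scanners(events, min_ports=5, window=timedelta(seconds=10)):
    """Return {src_ip: sorted distinct ports} for every source that touches at least
    min_ports distinct destination ports on one target inside a sliding time window."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    scanners = {}
    for (src, dst), hits in by_pair.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners


def name_for(ip, table=HOSTNAMES):
    """Map a source address to a machine name; 'unknown' if the table has no entry."""
    return table.get(ip, "unknown")


if __name__ == "__main__":
    for ip, ports in find_port_scanners(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{ip} ({name_for(ip)}) probed {len(ports)} ports: {ports}")
```

The threshold and window are the knobs to tune: a workstation hammering one port (10.0.0.7 above) never trips it, while a host that walks through a list of ports in a few seconds does, and that is the address you then resolve to a machine name.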



Posted by: James

I'm sorry, I'm not quite clear about what you said. Disable whose computer to send what? At the moment I'm using McAfee Firewall V3.0, and it is picking up those intruders' traffic. NetMon by MS isn't that good. Where can I find that SMS 2.0?



Posted by: Bleep

SMS 2.0

[url]http://www.microsoft.com/smserver/evaluation/previous/default.asp[/url]



Posted by: Campee

I bet it's some kind of DCOM scanner. Is that system patched against all of the RPC vulnerabilities?