How to detect if port scanning software is running on our machine?

From: Dave Baker (dpbaker@streamyx.com)
Date: 04/23/03


From: Dave Baker <dpbaker@streamyx.com>
Date: Wed, 23 Apr 2003 14:11:18 +0800

We run an FTP server. One of our clients says that our server is port
scanning their machine - the log files they sent us appear to back this up:

>'TCP_Port_Scan' event detected by 'network_sensor_1'
>Details:
> Source IP Address: 1xx.1xx.1xx.1xx
> Source Port: N/A
> Source MAC Address: N/A
> Destination IP Address: 1xx.1xx.xx.2xx
> Destination Port: N/A
> Destination MAC Address: N/A
> Time: 2003-04-22 18:22:28 UTC
> Protocol: TCP(6)
> ICMP Type: N/A
> ICMP Code: N/A
> Priority: medium
> Actions: DISPLAY=Default:0,EMAIL=Operator:0,LOGDB=LogWithoutRaw:0,RSKILL=Default:0
> Event Specific Information:
> :port: 2775|2840|2878|3032|3160|3235|3357|3644
> :victim-ip-addr: 1xx.1xx.xx.2xx
> :intruder-ip-addr: 1xx.1xx.1xx.1xx

I have looked at all the software we are running, and the processes running,
and can't see anything abnormal. I've done a virus check with no problems
found.

How would I find out what software on our machine is doing this port
scanning?

Dave
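
One way to approach the question above, added here as an example and not part of the original post: parse the sensor alert in the format quoted and match its destination ports against a socket listing taken on the server, to see which process owns connections to those ports. A Linux host is assumed; the addresses, process names and the `ss -tnp`-style listing are constructed.

```python
import re

# Alert fields in the format quoted in the post. The post masks the real
# addresses, so constructed documentation-range addresses stand in for them.
ALERT = """\
> Source IP Address: 192.0.2.10
> Destination IP Address: 198.51.100.7
> Time: 2003-04-22 18:22:28 UTC
> Protocol: TCP(6)
> :port: 2775|2840|2878|3032|3160|3235|3357|3644
"""

# Constructed `ss -tnp`-style lines, as captured on the suspected source host.
SOCKETS = """\
ESTAB 0 0 192.0.2.10:40001 198.51.100.7:2840 users:(("ftpd",pid=812,fd=7))
ESTAB 0 0 192.0.2.10:40002 198.51.100.7:3160 users:(("ftpd",pid=812,fd=9))
ESTAB 0 0 192.0.2.10:51514 203.0.113.5:443 users:(("updater",pid=440,fd=3))
SYN-SENT 0 1 192.0.2.10:40112 198.51.100.7:3644 users:(("helper",pid=977,fd=4))
"""

SOCK_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+'
    r'(?P<rip>[\d.]+):(?P<rport>\d+)\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')

def parse_alert(text):
    """Return (source_ip, dest_ip, set_of_ports) from the sensor alert."""
    def field(name):
        m = re.search(rf"{re.escape(name)}:\s*(\S+)", text)
        if m is None:
            raise ValueError(f"alert has no {name!r} field")
        return m.group(1)
    ports = {int(p) for p in field(":port").split("|")}
    return field("Source IP Address"), field("Destination IP Address"), ports

def owners_of_flagged_connections(alert_text, socket_text):
    """Map (process, pid) -> [(remote_port, state)] for sockets the alert covers."""
    src, dst, ports = parse_alert(alert_text)
    hits = {}
    for line in socket_text.splitlines():
        m = SOCK_RE.match(line.strip())
        if not m:
            continue  # header line, or a socket listed without process info
        if m["lip"] == src and m["rip"] == dst and int(m["rport"]) in ports:
            key = (m["proc"], int(m["pid"]))
            hits.setdefault(key, []).append((int(m["rport"]), m["state"]))
    return hits

if __name__ == "__main__":
    print(owners_of_flagged_connections(ALERT, SOCKETS))
```

A socket listing only shows connections that exist when it is taken, so it has to be captured repeatedly or while the alerts are still arriving; `ss -tnp` shows other users' processes only when run as root.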


