How to detect if port scanning software is running on our machine?

From: Dave Baker (dpbaker@streamyx.com)
Date: 04/23/03

• Next message: mooocow: "Any know how to remove "Golden Eye" monitoring software ??"
• Previous message: Colonel Flagg: "Re: what's the best to fight trojans?"
• Next in thread: bloob: "Re: How to detect if port scanning software is running on our machine?"
• Reply: bloob: "Re: How to detect if port scanning software is running on our machine?"
• Reply: Whoever: "Re: How to detect if port scanning software is running on our machine?"
• Reply: DaveK: "Re: How to detect if port scanning software is running on our machine?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: Dave Baker <dpbaker@streamyx.com>
Date: Wed, 23 Apr 2003 14:11:18 +0800

We run an FTP server. One of our clients says that our server is port
scanning their machine - the log files they sent us appear to back this up:

>'TCP_Port_Scan' event detected by 'network_sensor_1'
>Details:
> Source IP Address: 1xx.1xx.1xx.1xx
> Source Port: N/A
> Source MAC Address: N/A
> Destination IP Address: 1xx.1xx.xx.2xx
> Destination Port: N/A
> Destination MAC Address: N/A
> Time: 2003-04-22 18:22:28 UTC
> Protocol: TCP(6)
> ICMP Type: N/A
> ICMP Code: N/A
> Priority: medium
> Actions: DISPLAY=Default:0,EMAIL=Operator:0,LOGDB=LogWithoutRaw:0,RSKILL=Default:0
> Event Specific Information:
> :port: 2775|2840|2878|3032|3160|3235|3357|3644
> :victim-ip-addr: 1xx.1xx.xx.2xx
> :intruder-ip-addr: 1xx.1xx.1xx.1xx

I have looked at all the software we are running, and the processes running,
and can't see anything abnormal. I've done a virus check with no problems
found.

How would I find out what software on our machine is doing this port
scanning?

Dave

---

• Next message: mooocow: "Any know how to remove "Golden Eye" monitoring software ??"
• Previous message: Colonel Flagg: "Re: what's the best to fight trojans?"
• Next in thread: bloob: "Re: How to detect if port scanning software is running on our machine?"
• Reply: bloob: "Re: How to detect if port scanning software is running on our machine?"
• Reply: Whoever: "Re: How to detect if port scanning software is running on our machine?"
• Reply: DaveK: "Re: How to detect if port scanning software is running on our machine?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: How to detect if port scanning software is running on our machine? ... Umm, one question, what FTP software are you using:) ... > We run an FTP server. ... One of our clients says that our server is port ... > scanning their machine - the log files they sent us appear to back this ... (alt.computer.security) [TOOL] WeBrute - Directory Brute Forcer ... Get your security news from a reliable source. ... # Scan 127.0.0.1 port 80, Use wordlist and admin as start path ... # Scan 127.0.0.1 port 80, Use wordlist, and traverse scanning and verbose ... sub catchInterrupt { ... (Securiteam) RE: blocking IPs for FTP server ... With Port Sentry you can use the Advanced Stealth Scan Detection. ... blocking IPs for FTP server ... holding too many open connections. ... (Security-Basics) RE: Hidden windows ports, files and services. ... also apply for IE's cache. ... be the work of a root kit of some sort. ... and I'd like to analyze the ftp server. ... |was by doing an nmap port scan of the system. ... (Security-Basics) Re: Legal? Road Runner proactive scanning. ... Also makes me think that their port scanning is no different than anyone ... > Attend a course taught by an expert instructor with years of ... Attend a course taught by an expert instructor with years of ... (Security-Basics)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > alt.computer.security  > 2003-04