
How to Know if Someone Is Scanning My PC for Open Ports

Dear All,

Hi, this is my first time asking something regarding security.

We are a small network with 20 clients, Windows XP Pro SP2.
We do not have any dedicated firewall, like ISA or anything else.
We have one Domain Controller only.

Now, we discovered that one of my users installed the software called GFI LANguard to scan the whole network.

Here is my question: how can I know if someone is scanning my PC, searching for any open ports?

Is there any software I can install that will help me determine exactly what I have, or give me an alert that someone is trying to scan my PC for any open ports?

Please update me.
Rich Rumble (Security Samurai) Commented:
Firewall software can tell you, like ZoneAlarm, or you can look through the XP firewall logs for such behaviour. An IDS like Snort can alert you to this activity also. Snort is based on behaviour and packet signatures; it can tell you if someone is using P2P software like Kazaa, Napster, etc. It can identify certain scanners as well; most have unique ping signatures that make them identifiable. And much, much more!

GFI LNSS is more than a scanner, it's also an audit tool, searching for things like SNMP community strings, Windows patch levels, various registry settings, open ports and open shares, and possible exploits are tested.

rolamohammed (Author) Commented:
Thanks for your reply.

I have one user who is trying to scan my PC. Which is the best to download in order to stop him, or to notify me that someone is trying to scan my PC to see if I have open ports or not?

Please advise me.

Also, I have another question I want to ask.

How do I know if someone has installed any software to learn all the passwords inside my network?

How can I know? I am really going mad because of this user. I am afraid he is installing some software to see all the passwords for all the PCs which we use when we log in, in order to trace us.

So how can I know if I have software like this or not?

I do not deploy any certificates or any message encryption for that.

Please guide me.
Rich Rumble (Security Samurai) Commented:
You can do several things to know if he/she has installed such software. Look through the installed software in the Control Panel of each PC (Add/Remove Software).
Look at all the folders on each PC, and use McAfee to scan for possible password crackers like Cain & Abel, John the Ripper, LC5, Pwdump, RainbowCrack, Ophcrack, etc.
Users should not be admins; they should be placed in the Users group so they can't install such software. However, that doesn't necessarily prevent them from running it: most of the software I listed above can be run from a CD-ROM or other storage, it doesn't necessarily have to be installed.
If you can get upper management permission, install an activity monitor like BO2k or Spector Pro; each can keep a log of keystrokes and the user's activity. Spector Pro is able to be stealthy, but BO2k is not hidden.

Turn on the XP firewall, then scan your PC from another on the LAN to make sure the ports that you want closed are closed. Use nmap, or GFI's LANguard Network Security Scanner.
A typical nmap.exe command-line scan is:
nmap.exe -sT -P0 -T5 ip.ip.ip.ip -v

I prefer ZoneAlarm Pro as a firewall; in fact, it may be perfect for your situation. It can control what accesses the NIC, and you can password-protect that access. Install ZAP on his/her machine; the next time they try to use GFI LNSS against your PC, ZA will ask him/her for a password before it can access the NIC. That doesn't mean he/she doesn't have your passwords already...
bbao (IT Consultant) Commented:
Apart from the technical approaches to prevent this happening again, you need to report this issue to the management and suggest defining your internal IT policy, which sets out the proper ways in which an employee may use the company's computing resources, including the network. It is essential work, however big a company is.
rolamohammed (Author) Commented:
Guys, thanks for your reply.

I got this in my Event Viewer:

The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1208
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 123
Allowed: No
User notified: No


So what I did was restart my PC and log in locally without my network card connected to the company switch, because I want to see what this message means.

If it appears again, what does it mean? Does it mean that everything is open?

How can I close it using my firewall on XP Pro?

Can you update me?
bbao (IT Consultant) Commented:
No worries about this. Port 123 is reserved for time sync on XP or W2K3, used by the Windows Time service, hosted by svchost.exe. You should allow this kind of outgoing traffic, otherwise your clock cannot be synchronized.
Rich Rumble (Security Samurai) Commented:
Open Control Panel and turn on the XP firewall: http://support.microsoft.com/?id=283673 or give ZoneAlarm a try: http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

XP's firewall logs can be viewed: http://support.microsoft.com/kb/875357/ (separate from the event logs)
rolamohammed (Author) Commented:
Thanks, guys, for your reply.

I want someone to answer me.

If I want to trace or stop anyone from scanning my network, is what I understood correct or not?

What I understood is that, to trace or stop anyone from scanning my network, I have to have intrusion detection software/hardware (IDS). Is that correct?

And it is available as Cisco IDS, or any other product. Is that correct?


Also, I have 3 questions.

1- If I have ISA Server 2004 (either Std or Ent), can I configure it to work as an IDS internally in my LAN, so that if any of my internal users tries to scan my network, the ISA will catch him? Is that correct?

2- Generally, can ISA work as an IDS for both (internal & external), or (internal only), or (external only), or can the ISA work as an IDS?

3- What is the difference between the ISA Firewall Client, which is installed on Windows XP Pro SP2, and its built-in firewall, which we are talking about? Can I understand the difference, please?

Or is the ISA Firewall Client dedicated to the Internet connection, while the XP one is for internal use?
I get confused, please update me.

Please update me.

bbao (IT Consultant) Commented:
1&2: ISA does not do that. ISA is a gateway working between the internal LAN and the external network.

It is true that ISA intends to protect your LAN, but not by restricting or scanning internal communication; it does so by filtering incoming and outgoing traffic instead.

3: The ISA client is a program that transparently redirects all your Internet access to the ISA server, for better security control and performance. Without using the ISA client, you can still access the Internet by NAT or proxy gateway.
Rich Rumble (Security Samurai) Commented:
An IDS will alert you to such activity, and an IDP, such as Cisco's, or using SnortSam with Snort will function as an IDP. Snort also has an "in-line" mode that makes it natively support IDP functions, basically sending RST packets to the offending source. SnortSam will actually update your firewall or router ACLs to block the traffic for an amount of time you specify.

The main prevention methods are:
Get policies in place that clearly outline that this type of program and behaviour is not tolerated within the company: http://www.sans.org/resources/policies/
Keep users from being administrators so they can't install such programs: http://xinn.org/win_bestpractices.html
Keep logs of installed programs, looking for unapproved software with a script or by hand: http://www.intersectalliance.com/projects/SnareWindows/
Parse the XP firewall logs of your machines: http://www.intersectalliance.com/projects/SnareWindows/
Get an IDS or IDP solution to alert you to such activities: http://snort.org/
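
One way to parse the XP firewall log for scan behaviour, as an added example that is not part of the original thread: it flags any source whose dropped packets hit many distinct destination ports within a short window. The log lines are constructed, and the column names are read from the log's own #Fields header; the 5-port / 60-second threshold is an assumption to tune per network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the pfirewall.log layout (not real traffic).
_HEADER = (
    "#Version: 1.5\n#Software: Microsoft Windows Firewall\n#Time Format: Local\n"
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size "
    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path\n\n"
)
_SCAN = "2006-03-01 10:15:{:02d} DROP TCP 192.168.1.23 192.168.1.10 {} {} 48 S 1 0 16384 - - - RECEIVE"
_NBNS = "2006-03-01 10:{}:00 DROP UDP 192.168.1.40 192.168.1.255 137 137 78 - - - - - - - RECEIVE"
SAMPLE_LOG = _HEADER + "\n".join(
    [_SCAN.format(i, 4000 + i, p) for i, p in enumerate([21, 23, 25, 80, 135, 139, 445])]
    + [_NBNS.format(20), _NBNS.format(45)]
)

def parse_log(text):
    """Yield one dict per log entry, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif fields and line.strip() and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_scanners(text, min_ports=5, window=timedelta(seconds=60)):
    """Return {src_ip: n} for sources with n >= min_ports distinct dropped ports in one window."""
    drops = defaultdict(list)
    for e in parse_log(text):
        if e.get("action") == "DROP" and e.get("dst-port", "-").isdigit():
            ts = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
            drops[e["src-ip"]].append((ts, int(e["dst-port"])))
    flagged = {}
    for src, events in drops.items():
        events.sort()
        best = start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            best = max(best, len({port for _, port in events[start:end + 1]}))
        if best >= min_ports:  # threshold is an assumption; tune per network
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {ports} distinct ports dropped within 60 s")
```

Repeated drops on a single port, such as the NetBIOS broadcasts from 192.168.1.40 in the sample, stay below the threshold and are not flagged.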
rolamohammed (Author) Commented:
Thanks for your reply.

Is there any way to have a script that I will run on the user's side, so that whenever he installs an application, it will alert me by sending an e-mail?

Please update me.
bbao (IT Consultant) Commented:
It sounds possible, but do you really think that the user would be willing to do so as you expect? :-)
Rich Rumble (Security Samurai) Commented:
Logon scripts are a good way to go, or a scheduled task that runs a script.
This will gather all the info from "Add/Remove Programs" in the Control Panel.


' List every product registered with Windows Installer, via WMI (Win32_Product)
On Error Resume Next
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20
' "." is the local computer; add host names to the array to query other machines
arrComputers = Array(".")
For Each strComputer In arrComputers
   WScript.Echo "=========================================="
   WScript.Echo "Computer: " & strComputer
   WScript.Echo "=========================================="
   Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
   Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_Product", "WQL", _
                                          wbemFlagReturnImmediately + wbemFlagForwardOnly)
   For Each objItem In colItems
      WScript.Echo "Caption: " & objItem.Caption
      WScript.Echo "Description: " & objItem.Description
      WScript.Echo "IdentifyingNumber: " & objItem.IdentifyingNumber
      WScript.Echo "InstallDate: " & objItem.InstallDate
      WScript.Echo "InstallDate2: " & WMIDateStringToDate(objItem.InstallDate2)
      WScript.Echo "InstallLocation: " & objItem.InstallLocation
      WScript.Echo "InstallState: " & objItem.InstallState
      WScript.Echo "Name: " & objItem.Name
      WScript.Echo "PackageCache: " & objItem.PackageCache
      WScript.Echo "SKUNumber: " & objItem.SKUNumber
      WScript.Echo "Vendor: " & objItem.Vendor
      WScript.Echo "Version: " & objItem.Version
      WScript.Echo
   Next
Next

' Convert a WMI datetime string (yyyymmddHHMMSS...) to a VBScript Date
Function WMIDateStringToDate(dtmDate)
      WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
      Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
      & " " & Mid (dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate,13, 2))
End Function

Rich Rumble (Security Samurai) Commented:
Here is the same thing on one line. You can copy the above script to a text file and rename it to a ".bat" file and call it via a logon script or scheduled task, or place this line in a txt file, rename to .bat and do the same.

wmic.exe /output:C:\InstdPrograms.html PRODUCT get /format:hform.xsl

That's it! Saves the file to c:\InstdPrograms.html (you can change this to something else...)
Rich Rumble (Security Samurai) Commented:
I should note that the above scripts only list programs installed via an MSI installer package.
To get a fuller list, you may have to query the registry, probably the HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall directory.

Something simple is
reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr "DisplayName" or
reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr "UninstallString"
Neither is very good without more parsing...
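
The extra parsing mentioned above could look like this, as an added example that is not part of the original thread: it groups the `reg.exe query ... /s` output by subkey and reports every DisplayName missing from an approved baseline. The sample output, subkey names, product names and the `APPROVED` list are all constructed placeholders.

```python
import re

# Constructed sample of `reg.exe query ...\Uninstall /s` output; subkeys and
# product names are illustrative placeholders.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ExampleOffice
    DisplayName    REG_SZ    Example Office Suite
    DisplayVersion    REG_SZ    11.0
    UninstallString    REG_SZ    MsiExec.exe /X{00000000-0000-0000-0000-000000000001}

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ExampleScanner
    DisplayName    REG_SZ    Example Network Scanner
    DisplayVersion    REG_SZ    8.0
    UninstallString    REG_SZ    C:\Program Files\ExampleScanner\uninst.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ExampleHotfix
    UninstallString    REG_SZ    C:\WINDOWS\ExampleHotfix\spuninst.exe
"""

APPROVED = {"Example Office Suite"}  # hypothetical baseline of approved software

# A value line is "<name> <REG_type> <data>", separated by spaces or tabs.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_uninstall(text):
    """Return {subkey: {value_name: data}} from `reg query <key> /s` output."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = entries.setdefault(line.strip().rsplit("\\", 1)[-1], {})
        elif current is not None:
            match = VALUE_RE.match(line)
            if match:
                current[match.group(1)] = match.group(3).strip()
    return entries

def unapproved(text, approved):
    """Return the sorted DisplayNames that are not in the approved baseline."""
    allowed = {name.lower() for name in approved}
    names = {v["DisplayName"] for v in parse_uninstall(text).values() if "DisplayName" in v}
    return sorted(n for n in names if n.lower() not in allowed)

if __name__ == "__main__":
    for name in unapproved(SAMPLE_REG_OUTPUT, APPROVED):
        print("Not in baseline:", name)
```

Subkeys without a DisplayName, which Add/Remove Programs does not list either, are skipped rather than reported.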
rolamohammed (Author) Commented:

Thanks, everyone, for your replies.

I will test the script, and I will come back. Please do not close this subject.