Solved

My Ports are being scanned

Posted on 2006-10-30
9
387 Views
Last Modified: 2010-04-11
I'm running a windows 2003 server with a Zyxel firewall, the firewall logs indicate that I am regularly having my ports scanned, is there any way I can identify whose doing the scanning. What information can I get from the offending IP address? Is there some 'passive' investigation I can do?
0
Comment
Question by:mike99c
9 Comments
 
LVL 9

Accepted Solution

by:
crawfordits earned 250 total points
ID: 17838725
Take the IP to www.dnsstuff.com.  Get the abuse email address and try reporting to the ISP of the person performing the port scanning.
0
 
LVL 5

Expert Comment

by:Austin Texas
ID: 17840006
Mike -

Since currently this is a port scanning issue and not spam, I would instead recommend that you get the IP block ownership records from ARIN (http://www.arin.net)

This will tell you what ISP ownes the IP block.  Send your logs to their abuse department and don't get your hopes up.

Let me know what happens.

Thanks - Tex

0
 
LVL 3

Expert Comment

by:mahe2000
ID: 17842306
you can go to www.arin.net, lacnic.net or the IP block administrator you need to find who is the owner. however it's very probable that you will find that the IP belongs to an ISP and they will never tell who is bothering you unless you go to a trial.... may be the abuse department may help but I don't really trust them.... try to be as protected as you can (patches, antivirus, personal firewall or firewall, good OS configurations) will be the best you can do for yourself.
on the other hand you will be investigating ISPs all the time because this is VERY common.
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17849223
Scan yourself to see what info might be available, your firewall should be logging the IP address's. As stated above, do and nslookup and whois on the IP's to see what domain or ISP you can report the abuse to. If you scan yourself and see that there isn't much you didn't already know, like port 80 is open, then don't bother,  otherwise you'll spend all your time reporting abuse and doing nothing else ;) You should have self or contracted audit's done on a regular basis, if your being hosted at an ISP they should take care of patching and securing the servers themselves(if they own them), but it never hurts to have an audit done to make sure they do their job's.
-rich
0
 
LVL 30

Expert Comment

by:pgm554
ID: 17850916
Port scanning is not illegal,and if you are connected to the net,just a fact of life.

It's analogous  to somebody knocking on your door.
It only becomess illegal when they break in.
0
 
LVL 5

Expert Comment

by:Austin Texas
ID: 17851331
That's analogy is not quite equal IMHO.  A ping might be more like a knock on the door where as a port scan is more like someone knocking on your front and back door and every window of your house.  Many port scans are accompanied with vulnerability scans which would then equate to someone attempting to open all the doors and windows and testing the locks.  While none of this may be illeagal, it is at the least suspicious and worthy of monitoring and protecting against.  Most modern firewalls can detect portscans and drop them.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 17851435
I would say the percentage of people out on the net that have been port scanned at some point in time is 100%.

You're not going to stop it.

There are probably ten's of thousands of machines at any one time that are doing port scans,either knowingly or unknowingly.

Blaster and Nimda are still out there and what do they do? Port scan.
0
 

Author Comment

by:mike99c
ID: 17853518
Thanks for the useful info.
I'm keeping a note of the IP addresses from the logs, but as you say a lot of this may be automated.
I did a shields up (grc) test which gave me a pass, saying all my ports were 'stealthy', even though I have some port forwarding! Maybe my h/w firewall can detect the difference between a port scan and a specific request to a single port?
Cheers
0
 
LVL 5

Expert Comment

by:Austin Texas
ID: 17853784
More and more hardware firewalls have some form of basic algos that attempt to detect a port, vulnerability and footprint scans.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

On Beyond Tools A conversation I recently had with the DevOps manager of a major online retailer really made me think about DevOps monitoring tools (https://www.onpage.com/devops-incident-management-tool/). The manager and I discussed how sever…
Each year, investment in cloud platforms grows more than 20% (https://www.immun.io/hubfs/Immunio_2016/Content/Marketing/Cloud-Security-Report-2016.pdf?submissionGuid=a8d80a00-6fee-4b85-81db-a4e28f681762) as an increasing number of companies begin to…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question