Solved

My Ports are being scanned

Posted on 2006-10-30
9
391 Views
Last Modified: 2010-04-11
I'm running a windows 2003 server with a Zyxel firewall, the firewall logs indicate that I am regularly having my ports scanned, is there any way I can identify whose doing the scanning. What information can I get from the offending IP address? Is there some 'passive' investigation I can do?
0
Comment
Question by:mike99c
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 9

Accepted Solution

by:
crawfordits earned 250 total points
ID: 17838725
Take the IP to www.dnsstuff.com.  Get the abuse email address and try reporting to the ISP of the person performing the port scanning.
0
 
LVL 5

Expert Comment

by:Austin Texas
ID: 17840006
Mike -

Since currently this is a port scanning issue and not spam, I would instead recommend that you get the IP block ownership records from ARIN (http://www.arin.net)

This will tell you what ISP ownes the IP block.  Send your logs to their abuse department and don't get your hopes up.

Let me know what happens.

Thanks - Tex

0
 
LVL 3

Expert Comment

by:mahe2000
ID: 17842306
you can go to www.arin.net, lacnic.net or the IP block administrator you need to find who is the owner. however it's very probable that you will find that the IP belongs to an ISP and they will never tell who is bothering you unless you go to a trial.... may be the abuse department may help but I don't really trust them.... try to be as protected as you can (patches, antivirus, personal firewall or firewall, good OS configurations) will be the best you can do for yourself.
on the other hand you will be investigating ISPs all the time because this is VERY common.
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17849223
Scan yourself to see what info might be available, your firewall should be logging the IP address's. As stated above, do and nslookup and whois on the IP's to see what domain or ISP you can report the abuse to. If you scan yourself and see that there isn't much you didn't already know, like port 80 is open, then don't bother,  otherwise you'll spend all your time reporting abuse and doing nothing else ;) You should have self or contracted audit's done on a regular basis, if your being hosted at an ISP they should take care of patching and securing the servers themselves(if they own them), but it never hurts to have an audit done to make sure they do their job's.
-rich
0
 
LVL 30

Expert Comment

by:pgm554
ID: 17850916
Port scanning is not illegal,and if you are connected to the net,just a fact of life.

It's analogous  to somebody knocking on your door.
It only becomess illegal when they break in.
0
 
LVL 5

Expert Comment

by:Austin Texas
ID: 17851331
That's analogy is not quite equal IMHO.  A ping might be more like a knock on the door where as a port scan is more like someone knocking on your front and back door and every window of your house.  Many port scans are accompanied with vulnerability scans which would then equate to someone attempting to open all the doors and windows and testing the locks.  While none of this may be illeagal, it is at the least suspicious and worthy of monitoring and protecting against.  Most modern firewalls can detect portscans and drop them.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 17851435
I would say the percentage of people out on the net that have been port scanned at some point in time is 100%.

You're not going to stop it.

There are probably ten's of thousands of machines at any one time that are doing port scans,either knowingly or unknowingly.

Blaster and Nimda are still out there and what do they do? Port scan.
0
 

Author Comment

by:mike99c
ID: 17853518
Thanks for the useful info.
I'm keeping a note of the IP addresses from the logs, but as you say a lot of this may be automated.
I did a shields up (grc) test which gave me a pass, saying all my ports were 'stealthy', even though I have some port forwarding! Maybe my h/w firewall can detect the difference between a port scan and a specific request to a single port?
Cheers
0
 
LVL 5

Expert Comment

by:Austin Texas
ID: 17853784
More and more hardware firewalls have some form of basic algos that attempt to detect a port, vulnerability and footprint scans.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question