Solved

My Ports are being scanned

Posted on 2006-10-30
9
385 Views
Last Modified: 2010-04-11
I'm running a windows 2003 server with a Zyxel firewall, the firewall logs indicate that I am regularly having my ports scanned, is there any way I can identify whose doing the scanning. What information can I get from the offending IP address? Is there some 'passive' investigation I can do?
0
Comment
Question by:mike99c
9 Comments
 
LVL 9

Accepted Solution

by:
crawfordits earned 250 total points
Comment Utility
Take the IP to www.dnsstuff.com.  Get the abuse email address and try reporting to the ISP of the person performing the port scanning.
0
 
LVL 5

Expert Comment

by:Austin Texas
Comment Utility
Mike -

Since currently this is a port scanning issue and not spam, I would instead recommend that you get the IP block ownership records from ARIN (http://www.arin.net)

This will tell you what ISP ownes the IP block.  Send your logs to their abuse department and don't get your hopes up.

Let me know what happens.

Thanks - Tex

0
 
LVL 3

Expert Comment

by:mahe2000
Comment Utility
you can go to www.arin.net, lacnic.net or the IP block administrator you need to find who is the owner. however it's very probable that you will find that the IP belongs to an ISP and they will never tell who is bothering you unless you go to a trial.... may be the abuse department may help but I don't really trust them.... try to be as protected as you can (patches, antivirus, personal firewall or firewall, good OS configurations) will be the best you can do for yourself.
on the other hand you will be investigating ISPs all the time because this is VERY common.
0
 
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
Scan yourself to see what info might be available, your firewall should be logging the IP address's. As stated above, do and nslookup and whois on the IP's to see what domain or ISP you can report the abuse to. If you scan yourself and see that there isn't much you didn't already know, like port 80 is open, then don't bother,  otherwise you'll spend all your time reporting abuse and doing nothing else ;) You should have self or contracted audit's done on a regular basis, if your being hosted at an ISP they should take care of patching and securing the servers themselves(if they own them), but it never hurts to have an audit done to make sure they do their job's.
-rich
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 30

Expert Comment

by:pgm554
Comment Utility
Port scanning is not illegal,and if you are connected to the net,just a fact of life.

It's analogous  to somebody knocking on your door.
It only becomess illegal when they break in.
0
 
LVL 5

Expert Comment

by:Austin Texas
Comment Utility
That's analogy is not quite equal IMHO.  A ping might be more like a knock on the door where as a port scan is more like someone knocking on your front and back door and every window of your house.  Many port scans are accompanied with vulnerability scans which would then equate to someone attempting to open all the doors and windows and testing the locks.  While none of this may be illeagal, it is at the least suspicious and worthy of monitoring and protecting against.  Most modern firewalls can detect portscans and drop them.
0
 
LVL 30

Expert Comment

by:pgm554
Comment Utility
I would say the percentage of people out on the net that have been port scanned at some point in time is 100%.

You're not going to stop it.

There are probably ten's of thousands of machines at any one time that are doing port scans,either knowingly or unknowingly.

Blaster and Nimda are still out there and what do they do? Port scan.
0
 

Author Comment

by:mike99c
Comment Utility
Thanks for the useful info.
I'm keeping a note of the IP addresses from the logs, but as you say a lot of this may be automated.
I did a shields up (grc) test which gave me a pass, saying all my ports were 'stealthy', even though I have some port forwarding! Maybe my h/w firewall can detect the difference between a port scan and a specific request to a single port?
Cheers
0
 
LVL 5

Expert Comment

by:Austin Texas
Comment Utility
More and more hardware firewalls have some form of basic algos that attempt to detect a port, vulnerability and footprint scans.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now