Solved

TCP Sweep problem

Posted on 2008-10-09
5
3,123 Views
Last Modified: 2012-05-05
I have a virtual private server and have had th servic suspended a a result of "illegal activity" that I know nothing of. The report to me from the service provider included the report below.

22:31:51  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=331,dp=110,min=212.1.184.1,max=212.1.184.254,Oct07-22:31:50,Oct07-22:31:51) (USI-amsxaid01)
22:31:53  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=381,dp=110,min=212.1.184.1,max=212.1.185.254,Oct07-22:31:51,Oct07-22:31:53) (USI-amsxaid01)
22:31:54  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=387,dp=110,min=212.1.187.1,max=212.1.186.254,Oct07-22:31:53,Oct07-22:31:54) (USI-amsxaid01)
22:31:54  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=383,dp=110,min=212.1.188.1,max=212.1.187.254,Oct07-22:31:54,Oct07-22:31:54) (USI-amsxaid01)
22:31:55  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=379,dp=110,min=212.1.189.1,max=212.1.188.254,Oct07-22:31:54,Oct07-22:31:55) (USI-amsxaid01)
22:31:56  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=386,dp=110,min=212.1.186.1,max=212.1.189.254,Oct07-22:31:55,Oct07-22:31:56) (USI-amsxaid01)
22:31:57  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=378,dp=110,min=212.1.187.1,max=212.1.186.254,Oct07-22:31:56,Oct07-22:31:57) (USI-amsxaid01)
22:31:58  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=384,dp=110,min=212.1.188.1,max=212.1.188.254,Oct07-22:31:57,Oct07-22:31:58) (USI-amsxaid01)
22:31:58  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=375,dp=110,min=212.1.190.1,max=212.1.190.254,Oct07-22:31:58,Oct07-22:31:58) (USI-amsxaid01)
22:32:01  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=363,dp=110,min=212.1.190.30,max=212.1.191.254,Oct07-22:31:58,Oct07-22:32:01) (USI-amsxaid01)
22:32:11  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=315,dp=110,min=212.1.191.1,max=212.1.191.254,Oct07-22:32:01,Oct07-22:32:02) (USI-amsxaid01)

I understand that this may be as a result of a script that might be running, again I know not how as I am the only person who has the credentials to log into the server and I know nothing about scripts or how to locate such a rogue script.

Can anyone offe any help as to how I can find what is causing this problem?

Many thanks
0
Comment
Question by:martmac
  • 2
  • 2
5 Comments
 

Expert Comment

by:firas_fas
ID: 22678669
What operating system are you running on your server?
0
 

Author Comment

by:martmac
ID: 22678727
Its a Windows 2003 server
0
 

Expert Comment

by:firas_fas
ID: 22679582
Try to install a program like wintasks and look for any strange processes that may be causing this behaviour..
You could also install a sniffer like 'ethereal' or 'wireshark' and try to monitor the packets sent by your pc.
0
 
LVL 12

Accepted Solution

by:
jahboite earned 500 total points
ID: 22686250
I think you have to look at the possibility that you are no longer the only person with the means to log into the server and that it may be under someone elses control.

The activity pictured is a TCP sweep (like a ping sweep, but using TCP protocol rather than ICMP) of several ranges within the 212.1.160.0 - 212.1.191.255 range which is assigned to USi Europe B.V., NL

Someone is looking for live hosts in these ranges.

As for your virtual server, perhaps the most likely method of entry was the PLESK login.  Perhaps there was a successful brute force attempt.  Perhaps there are logs which would indicate this.

There doesn't appear to be a firewall running on this machine so probably nothing to prevent attempted intrusions.

Are you aware of the services this machine exposes to the public internet?
0
 

Author Closing Comment

by:martmac
ID: 31504646
Thanks for this, it has been a nightmare. I am unsure what a brute force attempt is, but it is something I can take up with the provider. Thank you for your help. I am very new to this, so I need a much to take to the provider as possible.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

837 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question