Solved

TCP Sweep problem

Posted on 2008-10-09
3,149 Views
Last Modified: 2012-05-05
I have a virtual private server and have had the service suspended as a result of "illegal activity" that I know nothing of. The report to me from the service provider included the report below.

22:31:51  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=331,dp=110,min=212.1.184.1,max=212.1.184.254,Oct07-22:31:50,Oct07-22:31:51) (USI-amsxaid01)
22:31:53  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=381,dp=110,min=212.1.184.1,max=212.1.185.254,Oct07-22:31:51,Oct07-22:31:53) (USI-amsxaid01)
22:31:54  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=387,dp=110,min=212.1.187.1,max=212.1.186.254,Oct07-22:31:53,Oct07-22:31:54) (USI-amsxaid01)
22:31:54  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=383,dp=110,min=212.1.188.1,max=212.1.187.254,Oct07-22:31:54,Oct07-22:31:54) (USI-amsxaid01)
22:31:55  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=379,dp=110,min=212.1.189.1,max=212.1.188.254,Oct07-22:31:54,Oct07-22:31:55) (USI-amsxaid01)
22:31:56  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=386,dp=110,min=212.1.186.1,max=212.1.189.254,Oct07-22:31:55,Oct07-22:31:56) (USI-amsxaid01)
22:31:57  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=378,dp=110,min=212.1.187.1,max=212.1.186.254,Oct07-22:31:56,Oct07-22:31:57) (USI-amsxaid01)
22:31:58  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=384,dp=110,min=212.1.188.1,max=212.1.188.254,Oct07-22:31:57,Oct07-22:31:58) (USI-amsxaid01)
22:31:58  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=375,dp=110,min=212.1.190.1,max=212.1.190.254,Oct07-22:31:58,Oct07-22:31:58) (USI-amsxaid01)
22:32:01  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=363,dp=110,min=212.1.190.30,max=212.1.191.254,Oct07-22:31:58,Oct07-22:32:01) (USI-amsxaid01)
22:32:11  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=315,dp=110,min=212.1.191.1,max=212.1.191.254,Oct07-22:32:01,Oct07-22:32:02) (USI-amsxaid01)

I understand that this may be as a result of a script that might be running; again, I know not how, as I am the only person who has the credentials to log into the server and I know nothing about scripts or how to locate such a rogue script.

Can anyone offer any help as to how I can find what is causing this problem?

Many thanks
Question by:martmac
5 Comments

Expert Comment

by:firas_fas
ID: 22678669
What operating system are you running on your server?

Author Comment

by:martmac
ID: 22678727
It's a Windows 2003 server.

Expert Comment

by:firas_fas
ID: 22679582
Try to install a program like wintasks and look for any strange processes that may be causing this behaviour.
You could also install a sniffer like 'ethereal' or 'wireshark' and try to monitor the packets sent by your PC.
LVL 12

Accepted Solution

by: jahboite (earned 2000 total points)
ID: 22686250
I think you have to look at the possibility that you are no longer the only person with the means to log into the server and that it may be under someone else's control.

The activity pictured is a TCP sweep (like a ping sweep, but using the TCP protocol rather than ICMP) of several ranges within the 212.1.160.0 - 212.1.191.255 range, which is assigned to USi Europe B.V., NL.

Someone is looking for live hosts in these ranges.

As for your virtual server, perhaps the most likely method of entry was the PLESK login.  Perhaps there was a successful brute force attempt.  Perhaps there are logs which would indicate this.

There doesn't appear to be a firewall running on this machine so probably nothing to prevent attempted intrusions.

Are you aware of the services this machine exposes to the public internet?
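The provider's report in the question and the reading of it in the accepted answer (a TCP sweep of consecutive /24 networks, all on destination port 110) are easy to verify mechanically. The following is an added example, not code from the original thread or from any IDS vendor: it parses the `[TCP-SWEEP]` lines exactly as they appear above, groups them by source address, and produces the facts a server owner would want to hand to the provider (probe count, destination port, the /24 networks touched, duration and rate). The line layout and field names are taken from the sample lines; the `prefix_threshold` rule for calling something a sweep is an assumption of this example.

```python
import re
from datetime import datetime

# Sample report lines quoted from the question above (constructed input for this example).
SAMPLE_REPORT = """\
22:31:51  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=331,dp=110,min=212.1.184.1,max=212.1.184.254,Oct07-22:31:50,Oct07-22:31:51) (USI-amsxaid01)
22:31:53  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=381,dp=110,min=212.1.184.1,max=212.1.185.254,Oct07-22:31:51,Oct07-22:31:53) (USI-amsxaid01)
22:31:54  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=387,dp=110,min=212.1.187.1,max=212.1.186.254,Oct07-22:31:53,Oct07-22:31:54) (USI-amsxaid01)
22:31:54  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=383,dp=110,min=212.1.188.1,max=212.1.187.254,Oct07-22:31:54,Oct07-22:31:54) (USI-amsxaid01)
22:31:55  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=379,dp=110,min=212.1.189.1,max=212.1.188.254,Oct07-22:31:54,Oct07-22:31:55) (USI-amsxaid01)
22:31:56  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=386,dp=110,min=212.1.186.1,max=212.1.189.254,Oct07-22:31:55,Oct07-22:31:56) (USI-amsxaid01)
22:31:57  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=378,dp=110,min=212.1.187.1,max=212.1.186.254,Oct07-22:31:56,Oct07-22:31:57) (USI-amsxaid01)
22:31:58  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=384,dp=110,min=212.1.188.1,max=212.1.188.254,Oct07-22:31:57,Oct07-22:31:58) (USI-amsxaid01)
22:31:58  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=375,dp=110,min=212.1.190.1,max=212.1.190.254,Oct07-22:31:58,Oct07-22:31:58) (USI-amsxaid01)
22:32:01  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=363,dp=110,min=212.1.190.30,max=212.1.191.254,Oct07-22:31:58,Oct07-22:32:01) (USI-amsxaid01)
22:32:11  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=315,dp=110,min=212.1.191.1,max=212.1.191.254,Oct07-22:32:01,Oct07-22:32:02) (USI-amsxaid01)
"""

# time  src  dst  [SIGNATURE] (key=value,...,start,end) (sensor)
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<src>\d+(?:\.\d+){3})\s+(?P<dst>\d+(?:\.\d+){3})\s+"
    r"\[(?P<sig>[A-Z0-9-]+)\]\s+\((?P<fields>[^)]*)\)\s+\((?P<sensor>[^)]*)\)\s*$"
)


def parse_line(line):
    """Parse one alert line into a dict, or return None if it is not in this format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.group("fields").split(",")
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    stamps = [f for f in fields if "=" not in f]  # e.g. Oct07-22:31:50, Oct07-22:31:51
    if len(stamps) != 2 or not {"total", "dp", "min", "max"} <= set(kv):
        return None
    # The log carries no year; strptime defaults to 1900, which is fine for differences.
    start, end = (datetime.strptime(s, "%b%d-%H:%M:%S") for s in stamps)
    return {
        "src": m.group("src"), "signature": m.group("sig"), "sensor": m.group("sensor"),
        "total": int(kv["total"]), "dport": int(kv["dp"]),
        "range_min": kv["min"], "range_max": kv["max"],
        "start": start, "end": end,
    }


def parse_report(text):
    """Parse every recognisable line of a report; unknown lines are skipped."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def prefix24(ip):
    """Return the /24 network prefix of a dotted-quad address as a string."""
    return ".".join(ip.split(".")[:3])


def summarize_by_source(records, prefix_threshold=2):
    """Collapse alert records into one summary per source address.

    A source is flagged as sweeping when its alerts span at least
    `prefix_threshold` distinct /24 networks (assumed rule for this example).
    """
    out = {}
    for src in sorted({r["src"] for r in records}):
        rs = [r for r in records if r["src"] == src]
        prefixes = sorted({prefix24(r[k]) for r in rs for k in ("range_min", "range_max")})
        start, end = min(r["start"] for r in rs), max(r["end"] for r in rs)
        duration = (end - start).total_seconds()
        total = sum(r["total"] for r in rs)
        out[src] = {
            "alerts": len(rs),
            "total_probes": total,
            "dports": sorted({r["dport"] for r in rs}),
            "prefixes_24": prefixes,
            "duration_s": duration,
            "probes_per_s": round(total / duration, 1) if duration else float("inf"),
            "sensors": sorted({r["sensor"] for r in rs}),
            "is_sweep": len(prefixes) >= prefix_threshold,
        }
    return out


if __name__ == "__main__":
    for src, s in summarize_by_source(parse_report(SAMPLE_REPORT)).items():
        print(f"{src}: {s['alerts']} alerts, {s['total_probes']} TCP probes to port(s) {s['dports']}")
        print(f"  {len(s['prefixes_24'])} /24 networks ({s['prefixes_24'][0]}.0 .. "
              f"{s['prefixes_24'][-1]}.0) in {s['duration_s']:.0f}s "
              f"(~{s['probes_per_s']} probes/s) -> sweep={s['is_sweep']}")
```

Run against the eleven lines above this reports one source, 212.241.201.123, sending 4062 probes to port 110 across eight /24 networks (212.1.184.0 through 212.1.191.0) in about 12 seconds, several hundred probes per second. A single rate like that, from a host whose owner says he runs nothing, is the kind of summary worth taking to the provider alongside the question of how the server came to be sending it.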

Author Closing Comment

by:martmac
ID: 31504646
Thanks for this, it has been a nightmare. I am unsure what a brute force attempt is, but it is something I can take up with the provider. Thank you for your help. I am very new to this, so I need as much to take to the provider as possible.