Solved

TCP Sweep problem

Posted on 2008-10-09
5
3,137 Views
Last Modified: 2012-05-05
I have a virtual private server and have had th servic suspended a a result of "illegal activity" that I know nothing of. The report to me from the service provider included the report below.

22:31:51  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=331,dp=110,min=212.1.184.1,max=212.1.184.254,Oct07-22:31:50,Oct07-22:31:51) (USI-amsxaid01)
22:31:53  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=381,dp=110,min=212.1.184.1,max=212.1.185.254,Oct07-22:31:51,Oct07-22:31:53) (USI-amsxaid01)
22:31:54  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=387,dp=110,min=212.1.187.1,max=212.1.186.254,Oct07-22:31:53,Oct07-22:31:54) (USI-amsxaid01)
22:31:54  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=383,dp=110,min=212.1.188.1,max=212.1.187.254,Oct07-22:31:54,Oct07-22:31:54) (USI-amsxaid01)
22:31:55  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=379,dp=110,min=212.1.189.1,max=212.1.188.254,Oct07-22:31:54,Oct07-22:31:55) (USI-amsxaid01)
22:31:56  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=386,dp=110,min=212.1.186.1,max=212.1.189.254,Oct07-22:31:55,Oct07-22:31:56) (USI-amsxaid01)
22:31:57  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=378,dp=110,min=212.1.187.1,max=212.1.186.254,Oct07-22:31:56,Oct07-22:31:57) (USI-amsxaid01)
22:31:58  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=384,dp=110,min=212.1.188.1,max=212.1.188.254,Oct07-22:31:57,Oct07-22:31:58) (USI-amsxaid01)
22:31:58  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=375,dp=110,min=212.1.190.1,max=212.1.190.254,Oct07-22:31:58,Oct07-22:31:58) (USI-amsxaid01)
22:32:01  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=363,dp=110,min=212.1.190.30,max=212.1.191.254,Oct07-22:31:58,Oct07-22:32:01) (USI-amsxaid01)
22:32:11  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=315,dp=110,min=212.1.191.1,max=212.1.191.254,Oct07-22:32:01,Oct07-22:32:02) (USI-amsxaid01)

I understand that this may be as a result of a script that might be running, again I know not how as I am the only person who has the credentials to log into the server and I know nothing about scripts or how to locate such a rogue script.

Can anyone offe any help as to how I can find what is causing this problem?

Many thanks
0
Comment
Question by:martmac
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 

Expert Comment

by:firas_fas
ID: 22678669
What operating system are you running on your server?
0
 

Author Comment

by:martmac
ID: 22678727
Its a Windows 2003 server
0
 

Expert Comment

by:firas_fas
ID: 22679582
Try to install a program like wintasks and look for any strange processes that may be causing this behaviour..
You could also install a sniffer like 'ethereal' or 'wireshark' and try to monitor the packets sent by your pc.
0
 
LVL 12

Accepted Solution

by:
jahboite earned 500 total points
ID: 22686250
I think you have to look at the possibility that you are no longer the only person with the means to log into the server and that it may be under someone elses control.

The activity pictured is a TCP sweep (like a ping sweep, but using TCP protocol rather than ICMP) of several ranges within the 212.1.160.0 - 212.1.191.255 range which is assigned to USi Europe B.V., NL

Someone is looking for live hosts in these ranges.

As for your virtual server, perhaps the most likely method of entry was the PLESK login.  Perhaps there was a successful brute force attempt.  Perhaps there are logs which would indicate this.

There doesn't appear to be a firewall running on this machine so probably nothing to prevent attempted intrusions.

Are you aware of the services this machine exposes to the public internet?
0
 

Author Closing Comment

by:martmac
ID: 31504646
Thanks for this, it has been a nightmare. I am unsure what a brute force attempt is, but it is something I can take up with the provider. Thank you for your help. I am very new to this, so I need a much to take to the provider as possible.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question