TCP Sweep problem

I have a virtual private server and have had the service suspended as a result of "illegal activity" that I know nothing of. The report to me from the service provider included the report below.

22:31:51         [TCP-SWEEP] (total=331,dp=110,min=,max=,Oct07-22:31:50,Oct07-22:31:51) (USI-amsxaid01)
22:31:53         [TCP-SWEEP] (total=381,dp=110,min=,max=,Oct07-22:31:51,Oct07-22:31:53) (USI-amsxaid01)
22:31:54         [TCP-SWEEP] (total=387,dp=110,min=,max=,Oct07-22:31:53,Oct07-22:31:54) (USI-amsxaid01)
22:31:54         [TCP-SWEEP] (total=383,dp=110,min=,max=,Oct07-22:31:54,Oct07-22:31:54) (USI-amsxaid01)
22:31:55         [TCP-SWEEP] (total=379,dp=110,min=,max=,Oct07-22:31:54,Oct07-22:31:55) (USI-amsxaid01)
22:31:56         [TCP-SWEEP] (total=386,dp=110,min=,max=,Oct07-22:31:55,Oct07-22:31:56) (USI-amsxaid01)
22:31:57         [TCP-SWEEP] (total=378,dp=110,min=,max=,Oct07-22:31:56,Oct07-22:31:57) (USI-amsxaid01)
22:31:58         [TCP-SWEEP] (total=384,dp=110,min=,max=,Oct07-22:31:57,Oct07-22:31:58) (USI-amsxaid01)
22:31:58         [TCP-SWEEP] (total=375,dp=110,min=,max=,Oct07-22:31:58,Oct07-22:31:58) (USI-amsxaid01)
22:32:01         [TCP-SWEEP] (total=363,dp=110,min=,max=,Oct07-22:31:58,Oct07-22:32:01) (USI-amsxaid01)
22:32:11         [TCP-SWEEP] (total=315,dp=110,min=,max=,Oct07-22:32:01,Oct07-22:32:02) (USI-amsxaid01)

I understand that this may be as a result of a script that might be running, again I know not how as I am the only person who has the credentials to log into the server and I know nothing about scripts or how to locate such a rogue script.

Can anyone offer any help as to how I can find what is causing this problem?

Many thanks
jahboite Commented:
I think you have to look at the possibility that you are no longer the only person with the means to log into the server and that it may be under someone else's control.

The activity pictured is a TCP sweep (like a ping sweep, but using TCP protocol rather than ICMP) of several ranges within the - range which is assigned to USi Europe B.V., NL

Someone is looking for live hosts in these ranges.

As for your virtual server, perhaps the most likely method of entry was the PLESK login.  Perhaps there was a successful brute force attempt.  Perhaps there are logs which would indicate this.

There doesn't appear to be a firewall running on this machine so probably nothing to prevent attempted intrusions.

Are you aware of the services this machine exposes to the public internet?
What operating system are you running on your server?
martmac (Author) Commented:
It's a Windows 2003 server
Try to install a program like wintasks and look for any strange processes that may be causing this behaviour.
You could also install a sniffer like 'ethereal' or 'wireshark' and try to monitor the packets sent by your pc.
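
One way to follow up on the suggestion above to find the process behind the traffic, added here as an example and not part of any participant's post: a Python script that reads saved `netstat -ano` output and flags any process contacting many distinct hosts on the same remote port, which is the fan-out pattern of a TCP sweep. The sample output, addresses, PIDs and the `min_hosts` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output (documentation-range addresses,
# made-up PIDs): one RDP session plus one process fanning out to port 110.
SAMPLE = "\n".join(
    ["Active Connections", "",
     "  Proto  Local Address          Foreign Address        State           PID",
     "  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       820",
     "  TCP    192.0.2.10:3389        203.0.113.5:50211      ESTABLISHED     820",
     "  TCP    192.0.2.10:1400        203.0.113.9:110        ESTABLISHED     1312"]
    + [f"  TCP    192.0.2.10:{1500 + i}        198.51.100.{i}:110       SYN_SENT        2044"
       for i in range(1, 7)]
)

# States netstat shows for connections that are being attempted or are open.
ACTIVE_STATES = {"SYN_SENT", "ESTABLISHED"}


def parse_netstat(text):
    """Yield (remote_ip, remote_port, state, pid) for each IPv4 TCP row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # headers, blank lines, UDP rows
        ip, _, port = parts[2].rpartition(":")
        if port.isdigit() and parts[4].isdigit():
            yield ip, int(port), parts[3], int(parts[4])


def find_sweeps(text, min_hosts=5):
    """Map (pid, remote_port) -> sorted remote IPs when one process is talking
    to at least min_hosts distinct hosts on the same remote port."""
    fanout = defaultdict(set)
    for ip, port, state, pid in parse_netstat(text):
        if state in ACTIVE_STATES:
            fanout[(pid, port)].add(ip)
    return {key: sorted(ips) for key, ips in fanout.items() if len(ips) >= min_hosts}


if __name__ == "__main__":
    for (pid, port), ips in find_sweeps(SAMPLE).items():
        print(f"PID {pid}: {len(ips)} distinct hosts on remote port {port}")
```

A flagged PID can be matched to an executable name with `tasklist` or the PID column in Task Manager.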
martmac (Author) Commented:
Thanks for this, it has been a nightmare. I am unsure what a brute force attempt is, but it is something I can take up with the provider. Thank you for your help. I am very new to this, so I need as much to take to the provider as possible.