  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3153

TCP Sweep problem

I have a virtual private server and have had the service suspended as a result of "illegal activity" that I know nothing of. The report to me from the service provider included the report below.

22:31:51  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=331,dp=110,min=212.1.184.1,max=212.1.184.254,Oct07-22:31:50,Oct07-22:31:51) (USI-amsxaid01)
22:31:53  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=381,dp=110,min=212.1.184.1,max=212.1.185.254,Oct07-22:31:51,Oct07-22:31:53) (USI-amsxaid01)
22:31:54  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=387,dp=110,min=212.1.187.1,max=212.1.186.254,Oct07-22:31:53,Oct07-22:31:54) (USI-amsxaid01)
22:31:54  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=383,dp=110,min=212.1.188.1,max=212.1.187.254,Oct07-22:31:54,Oct07-22:31:54) (USI-amsxaid01)
22:31:55  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=379,dp=110,min=212.1.189.1,max=212.1.188.254,Oct07-22:31:54,Oct07-22:31:55) (USI-amsxaid01)
22:31:56  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=386,dp=110,min=212.1.186.1,max=212.1.189.254,Oct07-22:31:55,Oct07-22:31:56) (USI-amsxaid01)
22:31:57  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=378,dp=110,min=212.1.187.1,max=212.1.186.254,Oct07-22:31:56,Oct07-22:31:57) (USI-amsxaid01)
22:31:58  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=384,dp=110,min=212.1.188.1,max=212.1.188.254,Oct07-22:31:57,Oct07-22:31:58) (USI-amsxaid01)
22:31:58  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=375,dp=110,min=212.1.190.1,max=212.1.190.254,Oct07-22:31:58,Oct07-22:31:58) (USI-amsxaid01)
22:32:01  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=363,dp=110,min=212.1.190.30,max=212.1.191.254,Oct07-22:31:58,Oct07-22:32:01) (USI-amsxaid01)
22:32:11  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=315,dp=110,min=212.1.191.1,max=212.1.191.254,Oct07-22:32:01,Oct07-22:32:02) (USI-amsxaid01)

I understand that this may be as a result of a script that might be running; again, I know not how, as I am the only person who has the credentials to log into the server, and I know nothing about scripts or how to locate such a rogue script.

Can anyone offer any help as to how I can find what is causing this problem?

Many thanks
martmac
1 Solution
 
firas_fasCommented:
What operating system are you running on your server?
 
martmacAuthor Commented:
It's a Windows 2003 server.
 
firas_fasCommented:
Try to install a program like WinTasks and look for any strange processes that may be causing this behaviour.
You could also install a sniffer like Ethereal or Wireshark and try to monitor the packets sent by your PC.
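
Following the advice above to look for a strange process, here is an added example (not from the original thread or any of its participants) that does the same job with tools already on a Windows 2003 box, without installing anything: `netstat -ano` lists every TCP connection together with its owning PID, and `tasklist /fo csv` maps PIDs to image names. The script parses both, groups connections by PID, and flags any process fanning out half-open (SYN_SENT) connections to many distinct hosts on a single port, which is what a port-110 sweep looks like from the inside of the machine that is doing it. The netstat and tasklist listings, and every address, PID and image name in them, are constructed sample data, not output from the asker's server.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output from a Windows 2003 host: the
# benign rows are written out, the sweep rows are generated to keep this short.
# All addresses, PIDs and image names are invented for the illustration.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1604
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       1844
  TCP    192.0.2.10:3389        198.51.100.7:51422     ESTABLISHED     964
  TCP    192.0.2.10:1039        203.0.113.25:443       ESTABLISHED     1844
  UDP    0.0.0.0:445            *:*                                    4
""" + "".join(
    f"  TCP    {'192.0.2.10:' + str(1100 + i):<23}"
    f"{'212.1.184.' + str(i + 1) + ':110':<23}{'SYN_SENT':<16}2288\n"
    for i in range(40)
)

# Constructed sample of `tasklist /fo csv`. The sweeping process is named
# svchost.exe on purpose: a lookalike name is exactly why behaviour, not the
# image name, has to be the signal.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"svchost.exe","964","Console","0","4,652 K"
"inetinfo.exe","1604","Console","0","7,120 K"
"httpsd.exe","1844","Console","0","12,304 K"
"svchost.exe","2288","Console","0","3,880 K"
"""

# One connection row: proto, local, remote, optional state (UDP has none), PID.
CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per connection row, skipping headers and blank lines."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        host, _, port = m["remote"].rpartition(":")
        conns.append({
            "proto": m["proto"], "pid": int(m["pid"]), "state": m["state"] or "",
            "remote_host": host, "remote_port": port,
        })
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def find_sweepers(conns, names, min_hosts=20):
    """Flag PIDs that fan out to many distinct hosts on one remote port.

    A sweep shows up as one process with dozens of SYN_SENT rows to different
    addresses and the same remote port; a mail client or web server never
    looks like that. min_hosts is the fan-out at which we start caring.
    """
    by_pid = defaultdict(list)
    for c in conns:
        if c["proto"] == "TCP" and c["state"] != "LISTENING":
            by_pid[c["pid"]].append(c)
    findings = []
    for pid, rows in by_pid.items():
        hosts_by_port = defaultdict(set)
        for c in rows:
            hosts_by_port[c["remote_port"]].add(c["remote_host"])
        port, hosts = max(hosts_by_port.items(), key=lambda kv: len(kv[1]))
        if len(hosts) >= min_hosts:
            findings.append({
                "pid": pid, "image": names.get(pid, "<unknown>"), "port": port,
                "hosts": len(hosts), "connections": len(rows),
                "syn_sent": sum(1 for c in rows if c["state"] == "SYN_SENT"),
            })
    return sorted(findings, key=lambda f: f["hosts"], reverse=True)


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_OUTPUT)
    for f in find_sweepers(conns, parse_tasklist(TASKLIST_CSV)):
        print(f"PID {f['pid']} ({f['image']}): {f['hosts']} hosts on port "
              f"{f['port']}, {f['syn_sent']}/{f['connections']} SYN_SENT")
```

On the suspended server you would capture `netstat -ano > netstat.txt` and `tasklist /fo csv > tasklist.csv` while the sweep is actually running (the SYN_SENT rows exist only while the scanner is active) and feed those two files to the parse functions. Treat the result as a lead, not proof: a process calling itself svchost.exe can be anything, and on a box that may already be under someone else's control the host's own netstat and tasklist can be made to lie, which is why a sniffer on a separate machine, or the provider's sensor report, is the stronger evidence.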
 
jahboiteCommented:
I think you have to look at the possibility that you are no longer the only person with the means to log into the server and that it may be under someone else's control.

The activity pictured is a TCP sweep (like a ping sweep, but using the TCP protocol rather than ICMP) of several ranges within the 212.1.160.0 - 212.1.191.255 range, which is assigned to USi Europe B.V., NL.

Someone is looking for live hosts in these ranges.

As for your virtual server, perhaps the most likely method of entry was the PLESK login. Perhaps there was a successful brute-force attempt. Perhaps there are logs which would indicate this.

There doesn't appear to be a firewall running on this machine, so probably nothing to prevent attempted intrusions.

Are you aware of the services this machine exposes to the public internet?
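
To turn the provider's report into something concrete to take back to them, here is an added example (not part of the original thread) that parses the sensor lines quoted in the question and summarises what jahboite describes: the source address, the destination port (110 is POP3), how many probe packets the sensor counted, over how many seconds, which /24 networks were touched, and whether every target falls inside the 212.1.160.0/19 block jahboite identifies (212.1.160.0 to 212.1.191.255). The line format is taken from the report as quoted; the field meanings assumed here (total = packets in the window, dp = destination port, min/max = first and last target seen, the two timestamps = window start and end) are my reading of it, not documentation from the sensor vendor.

```python
import ipaddress
import re
from datetime import datetime

# The eleven sensor lines copied from the provider's report quoted above,
# embedded here as the script's sample input.
REPORT = """\
22:31:51  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=331,dp=110,min=212.1.184.1,max=212.1.184.254,Oct07-22:31:50,Oct07-22:31:51) (USI-amsxaid01)
22:31:53  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=381,dp=110,min=212.1.184.1,max=212.1.185.254,Oct07-22:31:51,Oct07-22:31:53) (USI-amsxaid01)
22:31:54  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=387,dp=110,min=212.1.187.1,max=212.1.186.254,Oct07-22:31:53,Oct07-22:31:54) (USI-amsxaid01)
22:31:54  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=383,dp=110,min=212.1.188.1,max=212.1.187.254,Oct07-22:31:54,Oct07-22:31:54) (USI-amsxaid01)
22:31:55  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=379,dp=110,min=212.1.189.1,max=212.1.188.254,Oct07-22:31:54,Oct07-22:31:55) (USI-amsxaid01)
22:31:56  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=386,dp=110,min=212.1.186.1,max=212.1.189.254,Oct07-22:31:55,Oct07-22:31:56) (USI-amsxaid01)
22:31:57  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=378,dp=110,min=212.1.187.1,max=212.1.186.254,Oct07-22:31:56,Oct07-22:31:57) (USI-amsxaid01)
22:31:58  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=384,dp=110,min=212.1.188.1,max=212.1.188.254,Oct07-22:31:57,Oct07-22:31:58) (USI-amsxaid01)
22:31:58  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=375,dp=110,min=212.1.190.1,max=212.1.190.254,Oct07-22:31:58,Oct07-22:31:58) (USI-amsxaid01)
22:32:01  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=363,dp=110,min=212.1.190.30,max=212.1.191.254,Oct07-22:31:58,Oct07-22:32:01) (USI-amsxaid01)
22:32:11  212.241.201.123 0.0.0.0         [TCP-SWEEP] (total=315,dp=110,min=212.1.191.1,max=212.1.191.254,Oct07-22:32:01,Oct07-22:32:02) (USI-amsxaid01)
"""

# logged-time, source, destination, [EVENT], (key=value,...,start,end), (sensor)
LINE_RE = re.compile(
    r"^(?P<logged>\d\d:\d\d:\d\d)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"\[(?P<event>[A-Z-]+)\]\s+\((?P<fields>[^)]*)\)\s+\((?P<sensor>[^)]*)\)\s*$"
)


def parse_stamp(stamp):
    # "Oct07-22:31:50": the sensor omits the year, so strptime fills in 1900,
    # which is harmless because we only ever subtract one stamp from another.
    return datetime.strptime(stamp, "%b%d-%H:%M:%S")


def parse_line(line):
    """One sensor line -> dict. Field meanings are assumed (see lead-in)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised sensor line: {line!r}")
    parts = m["fields"].split(",")
    kv = dict(p.split("=", 1) for p in parts if "=" in p)
    stamps = [p for p in parts if "=" not in p]
    return {
        "src": m["src"], "event": m["event"], "sensor": m["sensor"],
        "total": int(kv["total"]), "dport": int(kv["dp"]),
        "lo": ipaddress.ip_address(kv["min"]), "hi": ipaddress.ip_address(kv["max"]),
        "start": parse_stamp(stamps[0]), "end": parse_stamp(stamps[1]),
    }


def summarize(report, assigned_block="212.1.160.0/19"):
    """Roll the per-window sensor lines up into one description of the sweep."""
    events = [parse_line(l) for l in report.splitlines() if l.strip()]
    block = ipaddress.ip_network(assigned_block)
    targets = [a for e in events for a in (e["lo"], e["hi"])]
    # The sensor's min/max are not always numerically ordered (look at the
    # third line of the report), so collect every /24 that either endpoint
    # falls in rather than trusting min <= max.
    subnets = {ipaddress.ip_network(f"{a}/24", strict=False) for a in targets}
    start = min(e["start"] for e in events)
    end = max(e["end"] for e in events)
    seconds = (end - start).total_seconds()
    packets = sum(e["total"] for e in events)
    return {
        "sources": sorted({e["src"] for e in events}),
        "events": sorted({e["event"] for e in events}),
        "ports": sorted({e["dport"] for e in events}),
        "windows": len(events),
        "packets": packets,
        "seconds": seconds,
        "packets_per_second": round(packets / seconds, 1) if seconds else None,
        "subnets": [str(n) for n in sorted(subnets)],
        "unordered_windows": sum(1 for e in events if e["lo"] > e["hi"]),
        "all_inside_block": all(a in block for a in targets),
    }


if __name__ == "__main__":
    for key, value in summarize(REPORT).items():
        print(f"{key:>20}: {value}")
```

Run against the eleven lines as quoted, this reports one source, one destination port, 4062 probe packets in 12 seconds (roughly 340 per second) across the eight consecutive networks 212.1.184.0/24 to 212.1.191.0/24, all inside the provider's /19. A burst like that is a scanner walking a range, not a misconfigured mail client retrying a POP3 server, which is the point to make when asking the provider for the PLESK and Windows logs from the same minute.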
 
martmacAuthor Commented:
Thanks for this, it has been a nightmare. I am unsure what a brute-force attempt is, but it is something I can take up with the provider. Thank you for your help. I am very new to this, so I need as much to take to the provider as possible.
