• Status: Solved
  • Priority: Medium
  • Security: Public

port scanning

I just received an email from an ISP provider saying one of my servers is port scanning something on their side.
Apr/25/2011 09:47:29 Drop TCP src:208.233.37.132:63594 dst:96.54.215.131:445
Apr/25/2011 09:47:30 Drop TCP src:208.233.37.132:63651 dst:96.54.215.131:445
Apr/25/2011 10:59:45 Drop TCP src:208.233.37.132:62472 dst:96.54.215.131:445
Apr/25/2011 10:59:45 Drop TCP src:208.233.37.132:62547 dst:96.54.215.131:445
This is an example of what they have sent me. I ran HijackThis on the server and this is what I see; not sure what I'm looking for.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:15:18 AM, on 4/28/2011
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\VMware\VMware Tools\vmacthlp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\Microsoft.NET\sa\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\VMware\VMware Update Manager Guest Agent\guestAgent.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
E:\webct\webct\generic\admin\webctctl.exe
e:\webct\webct\generic\admin\license.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
E:\webct\webct\generic\public\whiteboard.exe
E:\webct\webct\generic\public\chat\chat.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
E:\webct\server\bin\Apache.exe
E:\webct\jre\bin\java.exe
E:\webct\server\bin\Apache.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\wcody\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.webct.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [VMware Tools] "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
O4 - HKLM\..\Run: [VMware User Process] "C:\Program Files\VMware\VMware Tools\VMwareUser.exe"
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [!teamcfg] %SystemRoot%\..\dell\nicteaming\intel\nicteamconfig.bat (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1295449015132
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wccc.me.edu
O17 - HKLM\Software\..\Telephony: DomainName = wccc.me.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB79030F-6803-4706-8194-C6FD2E5258A1}: NameServer = 10.80.1.4,10.80.1.17
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wccc.me.edu
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: CCProxy - Unknown owner - C:\WINDOWS\Microsoft.NET\sa\svchost.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Telephouy (TapiSru) - Unknown owner - C:\WINDOWS\system32\dllcache\TapiSru.exe (file missing)
O23 - Service: VMware vCenter Update Manager Guest Agent (vci-ga) - VMware, Inc. - C:\Program Files\VMware\VMware Update Manager Guest Agent\guestAgent.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
O23 - Service: VMware Upgrade Helper (VMUpgradeHelper) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
O23 - Service: VMware Physical Disk Helper Service - VMware, Inc. - C:\Program Files\VMware\VMware Tools\vmacthlp.exe
O23 - Service: WebCT - Unknown owner - E:\\webct\webct\generic\admin\webctctl.exe
O23 - Service: WebCT License Server (WEBCT_License_Server) - Unknown owner - e:\webct\webct\generic\admin\license.exe

--
End of file - 7865 bytes
This is a distance learning server. Any ideas?

Asked by wcody
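As an added example (not part of the original thread and not HijackThis code), here is a small Python triage of the O23 service lines and the "Running processes" list, run over a subset of the log posted above. It flags the three things an analyst would look at first in this log: a binary named svchost.exe that does not live under %SystemRoot%\System32, a service whose binary is reported as missing, and a service display name that is a near-miss of a well-known Windows service name. The list of known service names, the 0.8 similarity threshold and the C:\WINDOWS system root are assumptions of the example.

```python
"""Triage of HijackThis 'O23 - Service' lines and the 'Running processes' list.

Added example, not code from the original thread or from HijackThis.
The rules are assumptions of the example, not a signature database:
  1. a binary named svchost.exe that lives outside %SystemRoot%\\System32
  2. a service whose binary is reported as '(file missing)'
  3. a display name that nearly, but not exactly, matches a well-known
     Windows service name ('Telephouy' vs 'Telephony')
"""
import ntpath
import re
from difflib import SequenceMatcher

SYSTEM32 = r"c:\windows\system32"   # assumed %SystemRoot%; adjust if different
NEAR_MISS_RATIO = 0.8               # assumed similarity threshold

# Short, assumed list of well-known Windows 2003 service display names.
KNOWN_SERVICE_NAMES = [
    "Telephony", "Task Scheduler", "Windows Time", "Workstation",
    "Server", "Print Spooler", "Remote Procedure Call",
]

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Subset of the log posted in the question (copied from it, not constructed).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Microsoft.NET\sa\svchost.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe

O23 - Service: CCProxy - Unknown owner - C:\WINDOWS\Microsoft.NET\sa\svchost.exe
O23 - Service: Telephouy (TapiSru) - Unknown owner - C:\WINDOWS\system32\dllcache\TapiSru.exe (file missing)
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
O23 - Service: WebCT - Unknown owner - E:\\webct\webct\generic\admin\webctctl.exe
"""


def _normalize(path):
    """Lower-case, unquoted, normalised Windows path (ntpath works on any OS)."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def is_masquerading_svchost(path):
    """svchost.exe is only legitimate in the system directory."""
    p = _normalize(path)
    return ntpath.basename(p) == "svchost.exe" and ntpath.dirname(p) != SYSTEM32


def _base_name(display_name):
    """Drop a trailing short-name suffix such as '(TapiSru)'."""
    return re.sub(r"\s*\([^)]*\)$", "", display_name).strip().lower()


def near_miss_name(display_name):
    """Return the well-known name this one resembles, or None if exact or unrelated."""
    base = _base_name(display_name)
    for known in KNOWN_SERVICE_NAMES:
        k = known.lower()
        if base == k:
            return None
        if SequenceMatcher(None, base, k).ratio() >= NEAR_MISS_RATIO:
            return known
    return None


def triage(log_text):
    """Return (rule, service-or-process, detail) findings for a HijackThis log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False        # the process list ends at the first blank line
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        m = O23_RE.match(line)
        if m:
            name, path, missing = m.group("name", "path", "missing")
            if is_masquerading_svchost(path):
                findings.append(("svchost-outside-system32", name, path))
            if missing:
                findings.append(("file-missing", name, path))
            resembles = near_miss_name(name)
            if resembles:
                findings.append(("name-near-miss", name, f"resembles '{resembles}'"))
        elif in_processes and is_masquerading_svchost(line):
            findings.append(("svchost-outside-system32", "<running process>", line))
    return findings


if __name__ == "__main__":
    for rule, who, detail in triage(SAMPLE_LOG):
        print(f"{rule:26} {who:22} {detail}")
```

On the posted log this reports the CCProxy service and the matching running process (svchost.exe under C:\WINDOWS\Microsoft.NET\sa), and the "Telephouy (TapiSru)" service twice: once because its binary is missing and once because the name is one letter away from the real "Telephony" service. The VMware and WebCT services pass all three rules; a legitimate service with "Unknown owner" is common, so that field alone is not used as a signal.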
 
JRaster commented:
Have you done the basics?
Shut down unneeded services, check msconfig for out-of-place files running, scan for viruses, scan for malware or spyware.
 
wcody (author) commented:
I have run several scans, not finding a thing, and I'm a bit sketchy on what is an unneeded service.
 
ChiefIT commented:
Apr/25/2011 09:47:29 Drop TCP src:208.233.37.132:63594 dst:96.54.215.131:445
Apr/25/2011 09:47:30 Drop TCP src:208.233.37.132:63651 dst:96.54.215.131:445
Apr/25/2011 10:59:45 Drop TCP src:208.233.37.132:62472 dst:96.54.215.131:445
Apr/25/2011 10:59:45 Drop TCP src:208.233.37.132:62547 dst:96.54.215.131:445

Port 445 is the Server Message Block port. These are often referred to as SMB shares, NetBIOS shares, Common Information File Shares (CIFS), or file shares. These port scans are really broadcasts to your ISP over the SMB port to tell the ISP that you are available and here are the shares you are sharing.

Realistically, you shouldn't be broadcasting between sites unless you have a VPN connection and NetBIOS helper enabled. NetBIOS should be constrained to the broadcast domain.
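As an added example (not the thread's own code), the Python below parses the ISP's drop lines in the format quoted above and summarises them per source address: how many connection attempts went to TCP/445, to how many distinct destination hosts, over what time window, and from how many distinct source ports. The four real lines from the ISP's mail are followed by one constructed control line (a single port-80 connection from the documentation address 192.0.2.10) that should not trip the rule; the threshold of three attempts is an assumption.

```python
"""Per-source summary of ISP firewall 'Drop' lines.

Added example, not code from the original thread. It parses the format
quoted above (date time Drop PROTO src:IP:PORT dst:IP:PORT) and reports,
per source address, the connection attempts to a given TCP port.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Drop (?P<proto>\w+) "
    r"src:(?P<sip>[\d.]+):(?P<sport>\d+) dst:(?P<dip>[\d.]+):(?P<dport>\d+)$"
)
TS_FMT = "%b/%d/%Y %H:%M:%S"
MIN_ATTEMPTS = 3   # assumed threshold for calling a source worth inspecting

# The four lines from the ISP's mail, plus one constructed control line
# (a single web connection from the documentation address 192.0.2.10).
SAMPLE_LOG = """\
Apr/25/2011 09:47:29 Drop TCP src:208.233.37.132:63594 dst:96.54.215.131:445
Apr/25/2011 09:47:30 Drop TCP src:208.233.37.132:63651 dst:96.54.215.131:445
Apr/25/2011 10:59:45 Drop TCP src:208.233.37.132:62472 dst:96.54.215.131:445
Apr/25/2011 10:59:45 Drop TCP src:208.233.37.132:62547 dst:96.54.215.131:445
Apr/25/2011 11:02:10 Drop TCP src:192.0.2.10:3201 dst:96.54.215.131:80
"""


def parse(log_text):
    """One dict per well-formed line; lines in another format are skipped, not guessed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], TS_FMT), "proto": d["proto"],
            "src": d["sip"], "sport": int(d["sport"]),
            "dst": d["dip"], "dport": int(d["dport"]),
        })
    return events


def summarise(events, port=445):
    """Per source address: attempts to TCP/<port>, distinct destinations,
    distinct ephemeral source ports and the time window they span."""
    acc = defaultdict(lambda: {"n": 0, "dsts": set(), "sports": set(), "times": []})
    for e in events:
        if e["proto"] != "TCP" or e["dport"] != port:
            continue
        a = acc[e["src"]]
        a["n"] += 1
        a["dsts"].add(e["dst"])
        a["sports"].add(e["sport"])
        a["times"].append(e["ts"])
    return {
        src: {
            "attempts": a["n"],
            "dst_hosts": len(a["dsts"]),
            "distinct_src_ports": len(a["sports"]),
            "window_seconds": int((max(a["times"]) - min(a["times"])).total_seconds()),
        }
        for src, a in acc.items()
    }


def suspicious_sources(summary, min_attempts=MIN_ATTEMPTS):
    """Sources that repeatedly opened new connections to the port: each distinct
    ephemeral source port is a separate TCP connection attempt made by that host."""
    return sorted(src for src, s in summary.items()
                  if s["attempts"] >= min_attempts
                  and s["distinct_src_ports"] >= min_attempts)


if __name__ == "__main__":
    summary = summarise(parse(SAMPLE_LOG))
    for src in suspicious_sources(summary):
        print(src, summary[src])
```

For the quoted lines this yields one source, 208.233.37.132, with four attempts to a single host on port 445, from four different ephemeral source ports, spread over 4336 seconds. Each line records a unicast TCP packet from the server's address to one specific host with a fresh source port, so each is a separate connection attempt originated by the server; that is the behaviour the ISP's filter is reporting, and the server is the host to inspect.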
 
huacat commented:
Are you running a proxy?
Please check the ccproxy service (file: C:\WINDOWS\Microsoft.NET\sa\svchost.exe) via Control Panel, Administrative Tools, Services.
The ccproxy service (C:\WINDOWS\Microsoft.NET\sa\svchost.exe) looks very strange!

If this service was not installed by you, I'm afraid your server has already been hacked.
CCProxy can be used as an agent for a hacker.

You can download TCPView from the URL below to check which program has a lot of sockets open:
http://technet.microsoft.com/en-us/sysinternals/bb897437
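What huacat suggests checking with TCPView can also be done from the console on Windows 2003 with `netstat -ano` and `tasklist /svc`, which print the owning PID of each socket and the services hosted inside each process. As an added example (not the thread's own code), the Python below parses captured output of those two commands, joins them on PID, and lists every TCP connection whose remote port is 445 together with the image name and service names behind it. The captured output is constructed for the example: the PIDs, the RDP client address 192.0.2.77 and the second SYN_SENT entry (whose PID is deliberately absent from the task list) are invented; the server address, the remote address and the CCProxy service name come from the thread.

```python
"""Join 'netstat -ano' and 'tasklist /svc' output on PID to see which
process (and which services inside it) owns connections to TCP/445.

Added example, not code from the original thread. The command output
below is constructed; only the server address 208.233.37.132, the remote
address 96.54.215.131 and the service name CCProxy come from the thread.
"""
import re

NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       720
  TCP    208.233.37.132:3389    192.0.2.77:1044        ESTABLISHED     1120
  TCP    208.233.37.132:63594   96.54.215.131:445      SYN_SENT        1884
  TCP    208.233.37.132:63651   96.54.215.131:445      SYN_SENT        2400
  UDP    0.0.0.0:161            *:*                                    1560
"""

TASKLIST_SVC_OUTPUT = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    720 RpcSs
svchost.exe                   1884 CCProxy
snmp.exe                      1560 SNMP
"""

TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")


def _split_addr(addr):
    """'1.2.3.4:445' -> ('1.2.3.4', 445); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """One dict per socket line; TCP lines carry a state, UDP lines do not."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        lhost, lport = _split_addr(local)
        rhost, rport = _split_addr(remote)
        conns.append({"proto": proto, "lhost": lhost, "lport": lport,
                      "rhost": rhost, "rport": rport, "state": state, "pid": int(pid)})
    return conns


def parse_tasklist_svc(text):
    """PID -> {image, services}; header and separator lines have no PID and are skipped."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line.rstrip())
        if not m:
            continue
        svcs = m.group("svcs").strip()
        services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
        procs[int(m.group("pid"))] = {"image": m.group("image").strip(), "services": services}
    return procs


def outbound_to_port(conns, procs, port=445):
    """TCP connections to remote port `port`, annotated with the owning image and services.
    A PID missing from the task list (process already gone, or the two snapshots were
    not taken together) is reported as such rather than silently dropped."""
    hits = []
    for c in conns:
        if c["proto"] != "TCP" or c["rport"] != port:
            continue
        p = procs.get(c["pid"], {"image": "<pid not in tasklist snapshot>", "services": []})
        hits.append({**c, **p})
    return hits


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_OUTPUT)
    procs = parse_tasklist_svc(TASKLIST_SVC_OUTPUT)
    for h in outbound_to_port(conns, procs):
        print(f"{h['lhost']}:{h['lport']} -> {h['rhost']}:{h['rport']} {h['state']} "
              f"pid={h['pid']} {h['image']} services={h['services']}")
```

Take the two snapshots back to back, because a short-lived SYN_SENT may belong to a process that has exited by the time tasklist runs. Once a PID is known, `wmic process where processid=1884 get executablepath` prints its image path and `sc qc CCProxy` prints the service's BINARY_PATH_NAME, which is how you confirm whether the svchost.exe answering is the one in System32 or the copy under Microsoft.NET\sa.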
