Server being used for port scanning

Status
Not open for further replies.

emaybee

IS-IT--Management
Mar 25, 2002
57
US
My network colleagues tell me that my Win2k server is port scanning the network. Now I checked for viruses and tried to stop any unnecessary processes from running. How can I tell what's causing the port scanning? The server is up to date with patches.
 
How do they know it is port scanning? What are they using to trace the port scanning back to your win2k server?
 
If this is an HP server, did you install the Insight Manager application? It will perform SNMP sweeps of the network.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
To blubomber: the software used is Snort.

To PScottc: No this is a Dell Poweredge with a clean install of Win2k.
 
You may want to check for the Nachi (McAfee)/Welchia (Symantec) worm. It does a ping sweep, then a port scan when it finds a live host. If you have this worm you will also see high CPU utilization on your routers with no corresponding interface utilization.

It's also possible that there is a device which is spoofing the source address. Check your snort logs for the MAC address of the sending host and make sure that it matches your Dell box.

PSC
 
This server is virus free according to McAfee's NetShield but I will do a re-check. Thank you also for the snort log suggestion. I am already expecting a copy of the logs.
 
I do tend to notice a lot of packets being sent and received by the server but I attributed that to AD related communications between the server and the 180 machines in the domain. I tried scanning with EtherPeek but I saw nothing that alarmed me.
 
Also, make sure that your IDS guy isn't confusing a TCP SYN flood with a port scan. I've seen windows boxes excite firewalls and IDS's with half open TCP connections.

PSC
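Added example (not code from the thread): a small triage script that applies the two checks suggested in PSC's replies to packets captured from the suspect server. It tells a Welchia-style pattern (ICMP sweep of many hosts, then bare SYNs to many ports on one host) apart from a SYN flood (many bare SYNs to the same host:port, which is what a Windows client retrying a dead service looks like), and it flags packets that carry the server's IP but a different source MAC, which is the spoofing case. The packet records, the field names, `DELL_MAC`, `DELL_IP` and the thresholds are all assumptions; a real run would feed it records decoded from a Snort or tcpdump capture.

```python
from collections import defaultdict
from dataclasses import dataclass

DELL_MAC = "00:06:5b:aa:bb:cc"   # assumed MAC of the suspect Dell; use the real one
DELL_IP = "10.1.1.10"            # assumed IP of the suspect server


@dataclass(frozen=True)
class Pkt:
    """One captured packet. Field names are assumptions for this example."""
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str       # "icmp" or "tcp"
    dst_port: int    # 0 for icmp
    flags: str       # TCP flags as a string, "S" for a bare SYN; "" for icmp


def spoofed_macs(pkts, claimed_ip, real_mac):
    """MACs that put claimed_ip in the IP header but did not come from real_mac's NIC.

    A non-empty result means another box on the segment is sending with the
    server's address. Caveat: if the sensor sits behind a router, every packet
    shows the router's MAC, so this check only works on the server's own segment.
    """
    return sorted({p.src_mac for p in pkts
                   if p.src_ip == claimed_ip and p.src_mac.lower() != real_mac.lower()})


def classify(pkts, src_ip, sweep_hosts=8, scan_ports=8, flood_syns=20):
    """Label outbound traffic from src_ip.

    ping_sweep: ICMP echo to at least sweep_hosts distinct hosts
    port_scan : bare SYNs to at least scan_ports distinct ports on one host
    syn_flood : at least flood_syns bare SYNs to the same host:port (retries)
    Returns (sorted labels, scanned hosts, flooded (host, port) services).
    """
    mine = [p for p in pkts if p.src_ip == src_ip]
    pinged = {p.dst_ip for p in mine if p.proto == "icmp"}
    ports_by_host = defaultdict(set)
    syns_by_service = defaultdict(int)
    for p in mine:
        if p.proto == "tcp" and p.flags == "S":
            ports_by_host[p.dst_ip].add(p.dst_port)
            syns_by_service[(p.dst_ip, p.dst_port)] += 1
    labels = set()
    if len(pinged) >= sweep_hosts:
        labels.add("ping_sweep")
    scanned = sorted(h for h, ports in ports_by_host.items() if len(ports) >= scan_ports)
    if scanned:
        labels.add("port_scan")
    flooded = sorted(svc for svc, n in syns_by_service.items() if n >= flood_syns)
    if flooded:
        labels.add("syn_flood")
    return sorted(labels), scanned, flooded


# ---- constructed sample captures (not real traffic) ----

def welchia_like(src_mac=DELL_MAC, src_ip=DELL_IP):
    """Constructed: ping 16 hosts, then SYN 12 ports on the one that 'answered'."""
    pkts = [Pkt(src_mac, src_ip, f"10.1.1.{i}", "icmp", 0, "") for i in range(20, 36)]
    pkts += [Pkt(src_mac, src_ip, "10.1.1.25", "tcp", port, "S")
             for port in (21, 22, 23, 25, 80, 135, 139, 443, 445, 1433, 3389, 8080)]
    return pkts


def retrying_client(src_mac=DELL_MAC, src_ip=DELL_IP):
    """Constructed: 30 SYN retransmits to one unreachable SQL port, not a scan."""
    return [Pkt(src_mac, src_ip, "10.1.1.50", "tcp", 1433, "S") for _ in range(30)]


def spoofed_scan():
    """Constructed: the same scan, carrying the Dell's IP but another NIC's MAC."""
    return welchia_like(src_mac="00:0c:29:11:22:33")


if __name__ == "__main__":
    for name, capture in (("welchia_like", welchia_like()),
                          ("retrying_client", retrying_client()),
                          ("spoofed_scan", spoofed_scan())):
        labels, scanned, flooded = classify(capture, DELL_IP)
        print(name, labels, scanned, flooded,
              "spoofed from:", spoofed_macs(capture, DELL_IP, DELL_MAC))
```

The thresholds are deliberately low so the constructed captures trip them; on a real domain with 180 hosts, tune `sweep_hosts` and `scan_ports` against a baseline of the server's normal AD traffic so that DNS, Kerberos and LDAP chatter to many hosts is not mislabelled as a sweep.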
 
Thanks for your help. I'm really anxious to see the "snort" logs.
 
You could also download Ethereal and do some packet capturing to see what is happening on your network. I use Ethereal often to make sure my network doesn't have anything unusual going around. You can use Ethereal to listen just to your suspect server's IP address to help narrow things down.

Good luck.
 