
Campus Network Security Issue

whalen

Golden Member
Ok, here's the deal. I'm on campus at Purdue, and I'm hooked into the Resnet service here. I've got ZoneAlarm running just in case some fool tries to show off his mad h4x0r skills on my system. Anyway, I'm noticing a particular IP address CONSTANTLY scanning ports on my system. Not just a few times... I'm talking about a week now of 500+ alerts on ZoneAlarm. About 80-90% are from this particular IP addy. I did notice a couple days ago quite a number of scans on port 139... which tells me something is up. Spidey, I know you worked for PUCC at one time, so maybe you can give me some feedback. I've found out which port he's plugged into here at Owen Hall, but don't know exactly where it would be located... anyway, please let me know if I'm just being paranoid 🙂
 


<< Ok, here's the deal. I'm on campus at Purdue, and I'm hooked into the Resnet service here. I've got ZoneAlarm running just in case some fool tries to show off his mad h4x0r skills on my system. Anyway, I'm noticing a particular IP address CONSTANTLY scanning ports on my system. Not just a few times... I'm talking about a week now of 500+ alerts on ZoneAlarm. About 80-90% are from this particular IP addy. I did notice a couple days ago quite a number of scans on port 139... which tells me something is up. Spidey, I know you worked for PUCC at one time, so maybe you can give me some feedback. I've found out which port he's plugged into here at Owen Hall, but don't know exactly where it would be located... anyway, please let me know if I'm just being paranoid 🙂 >>



If I'm not wrong, port 139 is for Microsoft file and printer sharing. Correct me if I'm wrong. Just don't bind the NIC you use with file and printer sharing and you should be fine. ZoneAlarm is also a plus.

Cheers
 
Thanks... yeah, from what I know, that's what 139 is for. I'm pretty sure my system is secure, it's just the thought of someone constantly scanning ports on the network that makes me mad. Not everyone has a firewall and NT system.
 
Ports get scanned. It happens constantly. Get over it. If you really need to do something, report it. That is about all you can do. I'm sure nothing will happen, but without breaking/bending the law/rules that is about all you can do (well, you can blacklist him too).
 
PUCC has this thing about ignoring my email 🙂 Seriously though n0c, I know ports get scanned constantly, and I'm not worried about my system, I'm just pissed that some idiot is even trying this, and is being so arrogant as to scan ALL DAY LONG. My freaking ZoneAlarm logs get filled at about 4:00pm each day. I'll try to report it to PUCC again, but I don't have much hope for that.
 


<< PUCC has this thing about ignoring my email 🙂 Seriously though n0c, I know ports get scanned constantly, and I'm not worried about my system, I'm just pissed that some idiot is even trying this, and is being so arrogant as to scan ALL DAY LONG. My freaking ZoneAlarm logs get filled at about 4:00pm each day. I'll try to report it to PUCC again, but I don't have much hope for that. >>



I used to get a little riled up about it, but dammit, if I kept doing that I'd have a heart attack or something. Scan them back. If they stop they have noticed your scans and realize you know what is going on. If they continue they either do not pay attention to their security or have been cracked. But make sure you email whoever is in charge, repeatedly if need be. The machine that is scanning you could just be another cracked box...
 
Thanks guys. I don't think I'll be scanning though, because with my luck, I'll be the one that gets busted. 😉
 
Flood him with broadcast or multicast frames or IP fragments or SYNs or SMURFs, or, or, or, or. I'll keep quiet now. 🙂
 


<< Flood him with broadcast or multicast frames or IP fragments or SYNs or SMURFs, or, or, or, or. I'll keep quiet now. 🙂 >>



Boink!
 
Are you sure this is malicious? He could just have a bad subnet mask on his PC and could be broadcasting NetBIOS queries across the network accidentally. There's a lot of stuff like that which can happen. If he's ONLY hitting port 139 it's probably not a port scan. Now, if he was nailing you all over the place, then...

If you know the guy, or know what kind of guy he is, just knock on his door and ask him what's up. Chances are it's something dumb and he has NO CLUE what's going on.

With ZoneAlarm, can you set it to ignore a certain IP or block all traffic from him? I seem to recall you could do that with BlackIce.

- G
 
No, they are all over the place, usually in a sequence... the 139's all happened in like a 5 min period one day, not every day... I emailed PUCC, and they said that they would notify him to run a virus check on his system... they must think it's a Code Red type thing.
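
The distinction drawn in the posts above (a source that only touches port 139 versus one that walks many ports in sequence) can be checked against a firewall log before reporting it. This is an added example, not part of the original thread; the log layout, the addresses and the `min_ports` threshold are constructed assumptions, not ZoneAlarm's real format.

```python
from collections import defaultdict

# Constructed sample in a simplified "timestamp,src_ip,dst_port" layout.
# Addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
2000-01-01T15:00:01,192.0.2.10,20
2000-01-01T15:00:02,192.0.2.10,21
2000-01-01T15:00:03,192.0.2.10,22
2000-01-01T15:00:04,192.0.2.10,23
2000-01-01T15:00:05,192.0.2.10,24
2000-01-01T15:00:06,192.0.2.10,25
2000-01-01T15:04:10,192.0.2.10,139
2000-01-01T15:04:11,192.0.2.10,139
2000-01-01T15:10:00,192.0.2.77,139
2000-01-01T15:10:30,192.0.2.77,139
2000-01-01T15:11:00,192.0.2.77,139
2000-01-01T15:20:00,192.0.2.50,80
"""

def parse(log_text):
    """Yield (src_ip, dst_port) for each non-empty log line."""
    for line in log_text.splitlines():
        if line.strip():
            _ts, src, port = line.strip().split(",")
            yield src, int(port)

def classify_sources(log_text, min_ports=5):
    """Label each source by how its blocked connections spread over ports."""
    ports_by_src = defaultdict(list)
    for src, port in parse(log_text):
        ports_by_src[src].append(port)
    report = {}
    for src, ports in ports_by_src.items():
        distinct = sorted(set(ports))
        # Adjacent pairs (n, n+1) among the distinct ports suggest a sweep.
        adjacent = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a == 1)
        if len(distinct) >= min_ports:
            swept = adjacent >= len(distinct) // 2
            label = "sequential port sweep" if swept else "multi-port scan"
        elif distinct == [139]:
            label = "NetBIOS only (possible misconfiguration)"
        else:
            label = "low volume"
        report[src] = {"hits": len(ports), "distinct_ports": len(distinct),
                       "label": label}
    return report
```

The per-source summary (hit count, distinct ports, label) is the kind of evidence worth attaching to a report to the network administrators.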
 