
e-mail from university housing

mitchafi

Golden Member
Hello Mitchell,



This is the HITO/Rescomp Helpdesk and we have detected that your computer has been actively port scanning other computers. We are wondering if you were doing this voluntarily because this is a violation of your network agreement. We are simply warning you here, there is no punishment. Now this could be done by a virus or malware on your computer and if that is the case we will need you to run virus scan and send us the log files outlined here (https://neutralzone.housing.umich.edu/virusscan/). We will give you a week to respond or else we will have to treat this like a virus and block you from the network to ensure no further damage to other computers.



Thanks,

-HITO/Rescomp Helpdesk

I am definitely not doing this voluntarily...I'm going to run a virus scan as per the e-mail but I am wondering if there is anything that could be causing this besides some sort of virus/worm? I use uTorrent, play online games, and use x-link KAI to play xbox online all with relative frequency. Do any of these processes 'scan ports'?

Thanks,
Mitch
 
False positives are pretty common so there's a good chance that you don't have any malware. Since BT generally initiates a lot of connections it's possible they just saw the excessive connection traffic from uTorrent as port scanning. It's hard to guess without seeing the traffic logs.
 
But active scanning is a pretty rock solid signature and easily recognized by most all security devices.

So I'm thinking it is worm/virus or he got hacked and somebody is using his machine for investigation activities.
 
Well I sent them the log of the virus scan they requested, but I don't have any viruses so I am still a little worried...is there anything I can do myself to attempt to figure out why my machine is port scanning against my will?
 
Load up Ethereal (now called Wireshark).

Send the trace file to them.

Don't be too concerned. It could be an honest mistake, or you really are actively scanning and don't know it (happens all the time).

Their reaction is normal - heavy scanning can exhaust network resources. Or just call them and say "hey, can you come out here and take a look?"
 
Originally posted by: spidey07
Load up Ethereal (now called Wireshark).

Send the trace file to them.

Don't be too concerned. It could be an honest mistake, or you really are actively scanning and don't know it (happens all the time).

Their reaction is normal - heavy scanning can exhaust network resources. Or just call them and say "hey, can you come out here and take a look?"

The directions for this thing are pretty complex, will I be ok just going to capture options, picking my NIC and using the default options? Also, how long do I need to capture for?
 
Turn off your IM programs, close all open apps and anything that accesses the network, then you should run it for an hour or two idle, shouldn't see much traffic (general background noise). You could add a filter to access it from ONLY your IP, but if they are spoofing your host IP (possible) then that might not catch it. Send that to them (depending on traffic, it may be a bit large) and see what they can find.
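
Added example, not part of any post in this thread: one way to review such a capture yourself is to list the outbound TCP connection attempts and measure their fan-out, which is what separates BitTorrent-style traffic from scan-like traffic. The thresholds, the `LOCAL_IP` address, the `classify` helper and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Thresholds are assumptions for illustration; tune them for your network.
VERTICAL_PORTS = 20    # distinct ports tried on one remote host
HORIZONTAL_HOSTS = 20  # distinct remote hosts tried on one port
LOCAL_IP = "10.0.0.5"  # hypothetical address of the machine under review

def classify(syns, local_ip=LOCAL_IP):
    """syns: iterable of (src_ip, dst_ip, dst_port) for TCP SYN packets.

    Returns a list of findings; an empty list means no scan-like fan-out.
    """
    ports_per_host = defaultdict(set)
    hosts_per_port = defaultdict(set)
    for src, dst, dport in syns:
        if src != local_ip:
            continue  # only connections this machine initiated
        ports_per_host[dst].add(dport)
        hosts_per_port[dport].add(dst)

    findings = []
    # Vertical pattern: one remote host, many different ports.
    for dst, ports in sorted(ports_per_host.items()):
        if len(ports) >= VERTICAL_PORTS:
            findings.append(("vertical", dst, len(ports)))
    # Horizontal pattern: one port, many different remote hosts.
    for dport, hosts in sorted(hosts_per_port.items()):
        if len(hosts) >= HORIZONTAL_HOSTS:
            findings.append(("horizontal", dport, len(hosts)))
    return findings

# Constructed sample data (documentation address ranges, not from the thread).
# BitTorrent-like: many peers, each contacted on its own high port.
p2p = [(LOCAL_IP, f"198.51.100.{i}", 20000 + 37 * i) for i in range(1, 60)]
# Worm-like: the same service port tried across a whole subnet.
worm = [(LOCAL_IP, f"192.0.2.{i}", 445) for i in range(1, 60)]
# Single host tried on many sequential ports.
vert = [(LOCAL_IP, "203.0.113.9", p) for p in range(1, 101)]

if __name__ == "__main__":
    for name, sample in (("p2p", p2p), ("worm", worm), ("vertical", vert)):
        print(name, classify(sample))
```

A detector that only counts connection attempts per minute would flag all three samples, which is how heavy BitTorrent use can be mistaken for scanning.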
 
Originally posted by: nweaver
Turn off your IM programs, close all open apps and anything that accesses the network, then you should run it for an hour or two idle, shouldn't see much traffic (general background noise). You could add a filter to access it from ONLY your IP, but if they are spoofing your host IP (possible) then that might not catch it. Send that to them (depending on traffic, it may be a bit large) and see what they can find.

OK, so I made the log, now where exactly do I send it...do I need to get on one of their mailing lists?

Thanks,
Mitch
 