need help against a port scan!

mcveigh

Diamond Member
Dec 20, 2000
6,457
6
81
some SOB has been port scanning my company's external IP since 11:16AM and he's still doing it. Our firewall is a zywall10, so far it's blocked everyone except this one.


No. | Time               | Packet Information                   | Reason         | Action
1   | Jun 18 02 16:05:31 | From:192.168.1.18 To:208.243.115.240 | default policy | forward
    |                    | TCP src port:01050 dest port:00080   | <1,00>         |
End of Firewall Log


What uses port 1050??

BTW I think someone's computer is hacked b/c if you plug that source IP into a web browser

http://208.243.115.240/
his whole directory is there.

any ideas on how to contact an ip address?
 

mcveigh
good idea.

I called them and will be emailing them my logs, thanks.

I'd like to figure out who is behind that machine at the IP address because I think it's been compromised.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
No. Time Packet Information Reason Action
1|Jun 18 02 |


Source of the scan? From:192.168.1.18

Your company's firewall? Webserver? To:208.243.115.240

protocol TCP

His port src port:01050

Where he is going dest port:00080

So unless I'm reading your firewall logs wrong (which could be the case since they are *REALLY* ugly ;)), this looks like he is going to a webserver on your network.
 

mcveigh
almost all of his scans had a destination of port 80, I'm not sure if that is something with my firewall or what.

edit:
n0c are you saying the destination of these scans was 208.243.115.240?

that is definitely not my address, so I ASSume that it's the attacker's, am I wrong? I guess he could be forwarding it through a proxy?
 

mcveigh
nmap -sT -p 1-8000 -PT -l -v 208.243.115.240

Starting nmap V. 2.54BETA33 ( www.insecure.org/nmap/ )
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Interesting ports on (208.243.115.240):
(The 7987 ports scanned but not shown below are in state: closed)

Port State Service Owner
13/tcp open daytime
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp filtered http
111/tcp open sunrpc
544/tcp open kshell
2105/tcp open eklogin
4120/tcp open unknown
4121/tcp open unknown
4122/tcp open unknown
7937/tcp open unknown
7938/tcp open unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 78 seconds

 

n0cmonkey
Originally posted by: mcveigh
almost all of his scans had a destination of port 80, I'm not sure if that is something with my firewall or what.

edit:
n0c are you saying the destination of these scans was 208.243.115.240?

that is definitely not my address, so I ASSume that it's the attacker's, am I wrong? I guess he could be forwarding it through a proxy?

It looks to me like the destination of these "scans" is the 208 address. It looks like someone is going from port 1050 on an internal machine (normal so far) and going to port 80 on his machine. So what really is this firewall alarming on? I don't see any weird traffic so far. And nmapping machines out there isn't nice.
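As an added example (not code from the thread, and not ZyXEL's), here is a small Python reader for the two-line ZyWALL log format posted above. It does mechanically what n0cmonkey does by hand in his two replies: it pairs the two lines of each entry, works out which side is the internal host (assumed to be RFC 1918 address space), and reads the port pair as a client talking to a server when the source port is an ephemeral one (1050) and the destination is a well-known one (80). It then counts entries per external IP, which is the "check previous logs for the offending IP address" step. The sample log is constructed: entry 1 is the one posted in the thread, entries 2 and 3 are made up for illustration.

```python
"""Reader for the ZyWALL 10 two-line firewall log format posted in the thread.

Added example, not from the thread or from ZyXEL. Assumes the LAN behind the
firewall uses RFC 1918 addresses.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: internal hosts live in private address space.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# First line of an entry: number | date | From/To | reason | action
_LINE1 = re.compile(
    r"^(?P<no>\d+)\|(?P<date>[^|]+?)\s*\|From:(?P<src>\S+)\s+To:(?P<dst>\S+)\s*\|"
    r"(?P<reason>[^|]+?)\s*\|(?P<action>\S+)\s*$"
)
# Second line: | time | proto src port dest port | rule |
_LINE2 = re.compile(
    r"^\|\s*(?P<time>\d{2}:\d{2}:\d{2})\s*\|(?P<proto>\w+)\s+src port:(?P<sport>\d+)"
    r"\s+dest port:(?P<dport>\d+)\s*\|(?P<rule>[^|]*?)\s*\|\s*$"
)


@dataclass
class Entry:
    no: int
    timestamp: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    reason: str
    action: str
    rule: str


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_zywall_log(text: str) -> list[Entry]:
    """Pair each first line with the second line that follows it; skip header/footer."""
    entries: list[Entry] = []
    lines = [ln.rstrip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        m1 = _LINE1.match(lines[i])
        m2 = _LINE2.match(lines[i + 1]) if (m1 and i + 1 < len(lines)) else None
        if m1 and m2:
            entries.append(Entry(
                no=int(m1["no"]), timestamp=f"{m1['date'].strip()} {m2['time']}",
                src=m1["src"], dst=m1["dst"], proto=m2["proto"],
                sport=int(m2["sport"]), dport=int(m2["dport"]),
                reason=m1["reason"].strip(), action=m1["action"], rule=m2["rule"].strip(),
            ))
            i += 2
        else:
            i += 1
    return entries


def classify(e: Entry) -> str:
    """Direction relative to the LAN plus a client/server reading of the port pair."""
    src_in, dst_in = is_internal(e.src), is_internal(e.dst)
    if src_in and not dst_in:
        direction = "outbound"
    elif dst_in and not src_in:
        direction = "inbound"
    else:
        direction = "internal" if src_in else "transit"
    # Ephemeral source port (>= 1024) to a well-known destination port (< 1024) is
    # the normal shape of a client opening a connection to a server, e.g. a
    # browser on the LAN going to port 80 on the 208 address.
    if e.sport >= 1024 and e.dport < 1024:
        shape = "client->server"
    elif e.sport < 1024 and e.dport >= 1024:
        shape = "server->client"
    else:
        shape = "other"
    return f"{direction} {shape}"


def remote_summary(entries: list[Entry]) -> dict[str, Counter]:
    """Per external IP, how the entries involving it were classified."""
    summary: dict[str, Counter] = {}
    for e in entries:
        remote = e.dst if is_internal(e.src) else e.src
        summary.setdefault(remote, Counter())[classify(e)] += 1
    return summary


# Constructed sample: entry 1 is the one posted in the thread; entries 2 and 3
# are made up (3 is a hypothetical blocked inbound probe), not anything observed.
SAMPLE_LOG = """\
No. Time Packet Information Reason Action
1|Jun 18 02 |From:192.168.1.18 To:208.243.115.240 |default policy |forward
| 16:05:31 |TCP src port:01050 dest port:00080 |<1,00> |
2|Jun 18 02 |From:192.168.1.18 To:208.243.115.240 |default policy |forward
| 16:05:40 |TCP src port:01051 dest port:00080 |<1,00> |
3|Jun 18 02 |From:208.243.115.240 To:192.168.1.18 |default policy |block
| 16:07:02 |TCP src port:33412 dest port:00139 |<1,00> |
End of Firewall Log
"""

if __name__ == "__main__":
    entries = parse_zywall_log(SAMPLE_LOG)
    for e in entries:
        print(e.no, e.timestamp, f"{e.src}:{e.sport} -> {e.dst}:{e.dport}", e.action, classify(e))
    for ip, counts in remote_summary(entries).items():
        print(ip, dict(counts))
```

Run as a script it prints one line per entry; the posted entry comes out as "outbound client->server", i.e. a LAN host browsing to the 208 address, not an inbound scan. Feed it a longer export of the same log to see how often, and in which direction, a given external address shows up.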

 

mcveigh
Originally posted by: n0cmonkey
It looks to me like the destination of these "scans" is the 208 address. It looks like someone is going from port 1050 on an internal machine (normal so far) and going to port 80 on his machine. So what really is this firewall alarming on? I don't see any weird traffic so far. And nmapping machines out there isn't nice.


OK, I'm not used to reading a lot of logs. I went to the machine in question; the person who uses it is only there part time. I found no unusual processes running (it's Windows XP Pro BTW; I won't claim to be an expert on Windows processes), no unusual programs installed, and it had a full virus scan the night before.

I don't feel my network is in danger, I'd just like to know more about how this was happening.
 

n0cmonkey
Originally posted by: mcveigh
OK, I'm not used to reading a lot of logs. I went to the machine in question; the person who uses it is only there part time. I found no unusual processes running (it's Windows XP Pro BTW; I won't claim to be an expert on Windows processes), no unusual programs installed, and it had a full virus scan the night before.

I don't feel my network is in danger, I'd just like to know more about how this was happening.

Port scans are a common occurrence. Don't worry about it too much, but check previous logs for the offending IP address. Also keep an eye on future logs for that IP address. If I get a chance I'll check my logs to see if I see anything.