Track a Port Scan

Tarrant64

Diamond Member
Sep 20, 2004
Here's the problem in a nutshell.

SQL server has been hacked a few times. Viruses were found on a couple of the servers, quickly contained and a couple of the servers even had to be rebuilt. Everything was fine for a couple weeks.

SQL server gets hacked again. Files added, etc. to the filesystem. Did some checking into shared sessions on the SQL server, and voilà, a couple of PCs on the network have had a constant connection all day. I know there is a difference though between a user accessing certain resources in a database, let's say, and a user that is making a connection for no apparent reason. (Programmers etc. working on the database are of course going to show up.)

Using some new TNT software/appliances checked out the machines, and they are doing a constant port scan.

OK, done the work to check out odd connections. Problem now:

It's port scanning, how the hell do I make it stop?

Virus scan - Check
Spyware - Check
Windows Updates - Check


I am wondering what the next step is to locate a port scanner or some kind of hack that would cause a machine to port scan.


TIA
 
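One way to pick the scanning workstations out of a connection log, as an added example that is not from the thread or from any poster's tooling: each source host's distinct destination/port fan-out is counted over a sliding time window, so a normal SQL session (one port, hit repeatedly) stays below the threshold while a host walking ports on the server does not. The log line format, the addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log line format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$"
)

# Constructed sample log: 10.0.0.15 holds one SQL session on port 1433 for
# a few minutes; 10.0.0.42 walks ports 20..44 on the same server within 25 s.
SAMPLE_LOG = "\n".join(
    [f"2004-09-20T09:00:{s:02d} 10.0.0.15 -> 10.0.0.5:1433 tcp" for s in range(0, 50, 10)]
    + [f"2004-09-20T09:01:{s:02d} 10.0.0.42 -> 10.0.0.5:{p} tcp" for s, p in enumerate(range(20, 45))]
)


def parse_line(line):
    """Return (timestamp, src, dst, port) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]))


def find_scanners(log_text, window_s=60, min_ports=10):
    """Map each source that reached min_ports distinct (dst, port) targets inside
    any window_s-second window to the largest fan-out it showed in such a window."""
    events = sorted(filter(None, (parse_line(line) for line in log_text.splitlines())))
    per_src = defaultdict(list)
    for ts, src, dst, port in events:
        per_src[src].append((ts, (dst, port)))
    flagged = {}
    for src, evs in per_src.items():
        window = deque()              # events currently inside the sliding window
        counts = defaultdict(int)     # target -> occurrences inside the window
        best = 0
        for ts, target in evs:
            window.append((ts, target))
            counts[target] += 1
            # Drop events older than window_s relative to the newest one.
            while (ts - window[0][0]).total_seconds() > window_s:
                old_ts, old_target = window.popleft()
                counts[old_target] -= 1
                if counts[old_target] == 0:
                    del counts[old_target]
            best = max(best, len(counts))
        if best >= min_ports:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))  # the port-walking host is flagged, the SQL session is not
```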

jlazzaro

Golden Member
May 6, 2004
Originally posted by: Tarrant64
quickly contained and a couple of the servers even had to be rebuilt.
contained according to what, a virus scan? ALL of the servers should have been rebuilt.

if you believe any machine, be it server or workstation, has been compromised you need to take it off the network and completely re-format / image it.

deleting the added files, running a virus scan, and crossing your fingers IS NOT sufficient. there is no way to know for sure if it's clean or not. most hackers when gaining access to a system will implement backdoors for future purposes. always play it safe...
 

Tarrant64

Diamond Member
Sep 20, 2004
Originally posted by: jlazzaro
Originally posted by: Tarrant64
quickly contained and a couple of the servers even had to be rebuilt.
contained according to what, a virus scan? ALL of the servers should have been rebuilt.
if you believe any machine, be it server or workstation, has been compromised you need to take it off the network and completely re-format / image it.

deleting the added files, running a virus scan, and crossing your fingers IS NOT sufficient. there is no way to know for sure if it's clean or not. most hackers when gaining access to a system will implement backdoors for future purposes. always play it safe...

The servers that were infected were rebuilt. None of the other ones were having problems but were taken off the network anyways until everything was rebuilt. Once put back on everything was fine.

It's other workstations on the network right now that seem to be causing the problems, not the servers.

The SQL Server was one that was rebuilt.
Let me add some more information as well. When we were getting hacked the first time, it looked to be SQL injection attacks, and data was getting hacked on our website. Had to do a few restores on that too. Anyways, this was from a constant defacing from 'Turkish Hackers'.

The latest ones from this week were from some Chinese/Japanese site.