On Fri, 21 Jun 2002, Simoncini, Matthew wrote:
Hi everyone,
I'm constantly getting port scanned from a certain IP address on our internal corporate network. I'd really like to find out where and who this person is, but don't know much outside of ping, traceroute, nslookup, etc .... I was wondering if anyone knows of any tools that can get me more information on this person? This happens to be on our private network, so most internet tools I don't think will help much.
If it's on your internal net, then talking to the network admins for your site should give you a good idea of where they're at and why they're doing it. If there's no network admin on site, then you'll have to do some footwork yourself.

The suggestion to use IPTables to ignore data from that address is a good one if possible; you might even be able to track down the culprit when they suddenly can't access your system anymore and ask why. (Possible if it's a somehow compromised system on the internal network.)

Another possibility is using host or nslookup if you've got internal nameservers behind whatever's running your NAT setup (I'm making the assumption that you're running NAT if you're on a private net.)

If you happen to be the guy who's had Network admin position shoved upon you, then you can try getting a null route added to the router for your net connection at work and use that to see who complains about a sudden lack of net access too, but I'd definitely be careful of that method. =)

--
George Metz
Commercial Routing Engineer
wolfstar@shadownet.wox.org

"We know what deterrence was with 'mutually assured destruction' during the Cold War. But what is deterrence in information warfare?"
-- Brigadier General Douglas Richardson, USAF, Commander - Space Warfare Center
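An added example, not part of the original thread: if the iptables rule that drops the scanner's traffic is paired with a LOG rule, the resulting kernel log lines can be summarised per source address, giving the network admins the ports probed and the source MAC seen on the wire. This goes slightly beyond the reply by reading the MAC field; the log prefix, addresses and the `summarize` function name are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format written by an iptables LOG rule.
# "SCAN: " is an assumed --log-prefix; all addresses are made up.
_L = ("Jun 21 10:02:{s} host kernel: SCAN: IN=eth0 OUT= MAC={mac}:08:00 "
      "SRC={src} DST=10.1.2.10 LEN=60 TTL=64 PROTO=TCP SPT={spt} DPT={dpt} SYN")
_SCANNER = "00:10:5a:aa:bb:01:00:50:da:12:34:56"   # dst MAC then src MAC
_CLIENT = "00:10:5a:aa:bb:01:00:a0:c9:00:00:07"
SAMPLE_LOG = "\n".join([
    _L.format(s=11, mac=_SCANNER, src="10.1.4.77", spt=41001, dpt=21),
    _L.format(s=11, mac=_SCANNER, src="10.1.4.77", spt=41002, dpt=22),
    _L.format(s=12, mac=_CLIENT, src="10.1.3.5", spt=33010, dpt=80),
    _L.format(s=12, mac=_SCANNER, src="10.1.4.77", spt=41003, dpt=23),
    _L.format(s=13, mac=_SCANNER, src="10.1.4.77", spt=41004, dpt=80),
    "Jun 21 10:02:14 host kernel: eth0: link up",   # unrelated line, skipped
])

FIELD = re.compile(r"(\w+)=(\S*)")   # KEY=value pairs; value may be empty


def summarize(log_text, min_ports=3):
    """Return {src_ip: {"ports": [...], "macs": [...]}} for every source
    that touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    macs = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "SRC" not in fields or not fields.get("DPT", "").isdigit():
            continue
        src = fields["SRC"]
        ports[src].add(int(fields["DPT"]))
        # The LOG target prints 14 bytes for Ethernet frames:
        # destination MAC (6), source MAC (6), ethertype (2).
        octets = fields.get("MAC", "").split(":")
        if len(octets) == 14:
            macs[src].add(":".join(octets[6:12]))
    return {ip: {"ports": sorted(p), "macs": sorted(macs[ip])}
            for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, "ports:", info["ports"], "source MAC:", info["macs"])
```

The source MAC is only meaningful when the scanner sits on the same layer-2 segment; across a router it will be the router's own address.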