Who is port scanning me?
Hi everyone,
I'm constantly getting port scanned from a certain IP address on our internal corporate network. I'd really like to find out where and who this person is, but don't know much outside of ping, traceroute, nslookup, etc .... I was wondering if anyone knows of any tools that can get me more information on this person? This happens to be on our private network, so most internet tools I don't think will help much.
Thanks for your time.
Matthew
On Fri, 21 Jun 2002, Simoncini, Matthew wrote:
> Hi everyone,
> I'm constantly getting port scanned from a certain IP address on our internal corporate network. I'd really like to find out where and who this person is, but don't know much outside of ping, traceroute, nslookup, etc .... I was wondering if anyone knows of any tools that can get me more information on this person? This happens to be on our private network, so most internet tools I don't think will help much.
If it's on your internal net, then talking to the network admins for your site should give you a good idea of where they're at and why they're doing it.
If there's no network admin on site, then you'll have to do some footwork yourself. The suggestion to use IPTables to ignore data from that address is a good one if possible; you might even be able to track down the culprit when they suddenly can't access your system anymore and ask why. (Possible if it's a somehow compromised system on the internal network.)
Another possibility is using host or nslookup if you've got internal nameservers behind whatever's running your NAT setup (I'm making the assumption that you're running NAT if you're on a private net.)
If you happen to be the guy who's had Network admin position shoved upon you, then you can try getting a null route added to the router for your net connection at work and use that to see who complains about a sudden lack of net access too, but I'd definitely be careful of that method. =)
-- George Metz Commercial Routing Engineer wolfstar@shadownet.wox.org
"We know what deterrence was with 'mutually assured destruction' during the Cold War. But what is deterrence in information warfare?" -- Brigadier General Douglas Richardson, USAF, Commander - Space Warfare Center
and if it is a hacker???... what's the best way to send them back a little something to let them know you care???
dave goss
----- Original Message -----
From: "George Metz" <wolfstar@shadownet.wox.org>
To: <wlug@mail.wlug.org>
Sent: Sunday, June 23, 2002 12:49 AM
Subject: Re: [Wlug] Who is port scanning me?
_______________________________________________ Wlug mailing list Wlug@mail.wlug.org http://mail.wlug.org/mailman/listinfo/wlug
try and hack them back???????? or just move on because it doesn't matter that much. in the real world that shit happens all the time
-mike
On Sunday 23 June 2002 08:42 am, David Goss wrote:
> and if it is a hacker???... what's the best way to send them back a little something to let them know you care???
> dave goss
Chances are the machine that is performing the portscan is hacked himself. It does no good to "hack them back" because you're not hacking the hackers...you're hacking the hack. :-) On top of that, you'll only cloud the issue and, if the matter is taken to the authorities, you could also get in trouble. Not to mention the entire concept of hacking without authorization is unethical and illegal.
I'm going to go say it's not worth it. This does happen constantly if you're connected to the Internet. Your best offense is a good defense.
Phil
On Sun, 23 Jun 2002, Michael Frysinger wrote:
> try and hack them back???????? or just move on because it doesnt matter that much. in the real world that shit happens all the time
> -mike
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Phil Deneault
deneault@wpi.edu
WPI NetOps
OpenVMS Guy
"We work in the dark, We do what we can, We give what we have. Our doubt is our passion, and our passion is our task. The rest is the madness of art." - Henry James
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What I would try is setting up a firewall LOG chain in iptables. Have iptables default to closed/drop ports on a host. With the log chain you could see who is attempting to access the closed/drop ports.
This would track the offending IP. IP address fake? Not sure on that one. Should give you some useful info though.
-- ¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø Karl Hiramoto <karl@hiramoto.org> Work: 978-425-2090 ext 25 Cell: 508-517-4819 Personal web page: http://karl.hiramoto.org/ Zoop Productions: http://www.zoop.org/ KTEQ Rapid City: http://www.kteq.org/ AOL IM ID = KarlH420 Yahoo_IM = karl_hiramoto ¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø QOTD: "Like this rose, our love will wilt and die."
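
One way to set up the LOG chain suggested in the last message and read what it produces, as an added example that is not from the thread: the chain name `LOGDROP`, the `SCAN-DROP: ` prefix, the function names and the abbreviated sample log lines are all constructed for illustration. The `MAC=` field of each logged line is the Ethernet header of the frame as received (destination MAC, source MAC, EtherType), so for a scanner on the same segment it gives the network admins a hardware address to trace even when the source IP is in doubt; across a router it is the router's MAC.

```shell
#!/bin/sh
# Default-drop INPUT chain that logs what it drops. Needs root, so it is only
# defined here, not called. LOGDROP and the prefix are names chosen for this example.
install_logdrop() {
    iptables -N LOGDROP
    # Rate-limit logging so a scan cannot flood the log; packets over the limit still drop.
    iptables -A LOGDROP -m limit --limit 10/second -j LOG --log-prefix "SCAN-DROP: "
    iptables -A LOGDROP -j DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ACCEPT rules for the services this host really offers go here.
    iptables -A INPUT -j LOGDROP
}

# Read kernel log lines on stdin; print "source-IP source-MAC distinct-ports" for every
# source that probed at least $1 (default 3) different closed ports.
summarize_scanners() {
    awk -v min="${1:-3}" '
    /SCAN-DROP: / {
        src = dpt = mac = ""
        # MAC= holds dst MAC, src MAC, EtherType; chars 23-39 are the source MAC.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^MAC=/) mac = substr($i, 23, 17)
        }
        if (src == "" || dpt == "") next      # e.g. ICMP has no DPT
        if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        srcmac[src] = mac
    }
    END { for (s in ports) if (ports[s] >= min) print s, srcmac[s], ports[s] }
    ' | sort
}

# Constructed, abbreviated sample log lines (not from the thread).
sample_log() {
    m="MAC=02:00:00:00:00:10:02:00:00:00:00:77:08:00"
    n="MAC=02:00:00:00:00:10:02:00:00:00:00:30:08:00"
    for p in 21 22 23 80 80; do
        echo "Jun 23 09:15:01 host kernel: SCAN-DROP: IN=eth0 OUT= $m SRC=10.1.2.77 DST=10.1.2.10 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=$p SYN"
    done
    for p in 25 25; do
        echo "Jun 23 09:16:40 host kernel: SCAN-DROP: IN=eth0 OUT= $n SRC=10.1.2.30 DST=10.1.2.10 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=$p SYN"
    done
}

sample_log | summarize_scanners 3
```

Because the LOG rule is rate-limited, the port count is a lower bound during a fast scan; on a live host the input would come from the kernel log instead of `sample_log`.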