-
August 16th, 2003, 03:05 PM
#11
tcpdump is a good one. Ethereal is another good one.
Have you considered a NIDS like snort?
-
August 16th, 2003, 03:07 PM
#12
I've thought about it before but have never really had the time. I think that I'm gonna go ahead and download it today though.
Thanks for all the help.
-
August 16th, 2003, 03:09 PM
#13
If you need help with snort there are lots of users around here that have used it. I believe that there is a short tut in one of the AO newsletters and somewhere in the tutorials as well. Also, they have extensive documentation on installing snort on your flavour of OS.
I recently upgraded my NIDS from Snort 2.0 to 2.0.1. But haven't turned it back on due to the blackout issues.
-
August 17th, 2003, 03:01 AM
#14
I finally got my Linux system running, so I fired up nmap and scanned the IP address that's been scanning me.
I used the -sS and -O options.
Here's what nmap found:
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-16 22:03 BST
Interesting ports on dns-lax.centurytel.net (207.xxx.xxx.xxx):
(The 1627 ports scanned but not shown below are in state: closed)
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
19/tcp open chargen
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
37/tcp open time
53/tcp open domain
79/tcp open finger
100/tcp open newacct
512/tcp open exec
513/tcp open login
514/tcp open shell
515/tcp open printer
540/tcp open uucp
7100/tcp open font-service
Device type: general purpose
Running: Sun Solaris 8
OS details: Sun Solaris 8 early access beta through actual release
Uptime 79.257 days (since Thu May 29 15:54:47 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 48.810 seconds
After a whois search with sam spade it seems that this is my ISP. But I'm still confused as to how they are portscanning me.
I also did a portscan of my public IP. Here are the results from that:
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-16 21:50 BST
Interesting ports on pppoe-209-xxx-xxx-xxx.rb.spt.centurytel.net (209.xxx.xxx.xxx):
(The 1642 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
113/tcp filtered auth
Device type: broadband router|WAP
Running: Cnet embedded, Linksys embedded
OS details: Cnet CNIG904B Internet Broadband Gateway firmware version 1.11, Linksys BEFW11S4 WAP or BEFSR41 router
Nmap run completed -- 1 IP address (1 host up) scanned in 14.091 seconds
I'm not too experienced with this part yet, so can anyone see anything strange from nmap scanning my public IP, or does it look ok?
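As an added example (not from this thread or from nmap itself), here is a small triage script that parses the "Port State Service" layout nmap 3.x prints above and sorts open ports into the categories a defender would look at first: the TCP small services and the cleartext login/transfer protocols that a hardened host normally has switched off. The sample output, hostname and address are constructed placeholders.

```python
import re

# Constructed sample in the layout nmap 3.x prints (placeholder host and address,
# not the poster's); only a handful of the services from the thread appear.
SAMPLE_NMAP = """Interesting ports on placeholder.example (203.0.113.5):
(The 1627 ports scanned but not shown below are in state: closed)
Port State Service
7/tcp open echo
19/tcp open chargen
22/tcp open ssh
23/tcp open telnet
53/tcp open domain
113/tcp filtered auth
513/tcp open login
514/tcp open shell
"""

# The TCP "small services" answer anyone without authentication; the login and
# transfer protocols below carry credentials or host-trust decisions in cleartext.
SMALL_SERVICES = {"echo", "discard", "daytime", "chargen", "time"}
CLEARTEXT_LOGIN = {"ftp", "telnet", "finger", "exec", "login", "shell", "uucp"}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*$", re.MULTILINE)


def parse_ports(text):
    """Return (port, proto, state, service) tuples from nmap's normal output."""
    return [(int(p), proto, state, svc) for p, proto, state, svc in PORT_LINE.findall(text)]


def triage(text):
    """Classify each reported port; returns {category: [ports in ascending order]}."""
    result = {"small_service": [], "cleartext_login": [], "other_open": [], "filtered": []}
    for port, proto, state, svc in sorted(parse_ports(text)):
        if state == "filtered":
            result["filtered"].append(port)
        elif state != "open":
            continue
        elif svc in SMALL_SERVICES:
            result["small_service"].append(port)
        elif svc in CLEARTEXT_LOGIN:
            result["cleartext_login"].append(port)
        else:
            result["other_open"].append(port)
    return result


if __name__ == "__main__":
    for category, ports in triage(SAMPLE_NMAP).items():
        print(f"{category:16s} {ports}")
```

Run against the real output above, the script only tells you which listeners deserve a closer look; whether each one is intentional is a question for whoever runs the host.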
-
August 17th, 2003, 03:52 AM
#15
Cheyenne, I forgot to mention earlier, your router may be performing a PAT as well as a NAT.
Some routers support this feature. The way this works is the first PC on the inside LAN gets
statically NATed and every subsequent PC gets PATed with the same public address
along with a random port number.
This will explain how it is possible to be scanned even though you have a private IP address, because your public address is always statically one-to-one NATed to your private
address (the first PC that goes out).
Now I'm not sure how or what you did when you yourself attempted to scan yourself from the outside and were unable to...
I suggest, just for shits and giggles, having someone (a friend whom you trust) scan your router to verify for sure... I'm very curious to know the results...
If you don't have a friend whom you trust, then you have a bigger problem... lol, just kidding.
You can try and sign up for any free dial-up ISP and test...
As far as protocol analyzers, see the thread on sniffers for Windows that is currently posted...
A lot available out there... Ethereal, AnalogX, etc....
My guess is that your router is performing a PAT as well as NAT, and if you attempt to scan your router again, you will find that you are able to...
Good luck...
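An added example, not from this thread and not a description of any particular router's firmware: a small model of the behaviour the post above describes (first inside host statically NATed one-to-one, later hosts PATed behind random ports). It shows why an unsolicited probe to the public address lands on the first PC's private address, which is what a host-based NIDS on that PC would log. All addresses, hosts and ports are constructed.

```python
import random
from typing import Dict, List, Optional, Tuple

# Constructed public address (RFC 5737 documentation range), not the poster's.
PUBLIC_IP = "203.0.113.20"


class Router:
    """Model of the post's claim: the first inside host gets a static one-to-one
    NAT to PUBLIC_IP; every later host is PATed, sharing PUBLIC_IP behind a
    translated source port. This is a teaching model, not real router code."""

    def __init__(self, seed: int = 1) -> None:
        self.static_host: Optional[str] = None
        self.pat_table: Dict[int, Tuple[str, int]] = {}   # public port -> (host, port)
        self._rng = random.Random(seed)   # deterministic "random" ports for the demo

    def outbound(self, host: str, sport: int) -> Tuple[str, int]:
        """An inside host sends a packet; return the (addr, port) the outside sees."""
        if self.static_host is None:
            self.static_host = host           # first host out claims the static mapping
        if host == self.static_host:
            return (PUBLIC_IP, sport)         # static NAT: source port unchanged
        pub_port = self._rng.randint(1024, 65535)
        while pub_port in self.pat_table:     # avoid handing out a port already in use
            pub_port = self._rng.randint(1024, 65535)
        self.pat_table[pub_port] = (host, sport)
        return (PUBLIC_IP, pub_port)

    def inbound(self, dport: int) -> Optional[Tuple[str, int]]:
        """Unsolicited packet from outside to PUBLIC_IP:dport; where does it land?"""
        if dport in self.pat_table:
            return self.pat_table[dport]      # a slot a PATed host opened for replies
        if self.static_host is not None:
            return (self.static_host, dport)  # everything else reaches the static host
        return None                           # nothing mapped yet: the router drops it


def scan_view(router: Router, ports: List[int]) -> Dict[str, List[int]]:
    """For a sweep of public ports, which inside host would log each probe."""
    seen: Dict[str, List[int]] = {}
    for port in ports:
        hit = router.inbound(port)
        if hit is not None:
            seen.setdefault(hit[0], []).append(hit[1])
    return seen
```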
-
August 17th, 2003, 04:11 AM
#16
Here's what a friend found using Lan Guard Scanner:
NETBIOS discovery ...
Done sending, waiting for responses ...
SNMP discovery ...
Community string : public
Done sending, waiting for responses ...
ICMP sweep ... (PING!)
Done sending, waiting for responses ...
Ready
No computers found.
Ready
Here's what I found using Net Brute scanner on a dial-up connection:
209.xxx.xxx.xxx # 25
209.xxx.xxx.xxx # 80
209.xxx.xxx.xxx # 81
209.xxx.xxx.xxx # 82
209.xxx.xxx.xxx # 83
209.xxx.xxx.xxx # 110
209.xxx.xxx.xxx # 119
However, when I used another scanner it showed no ports for my connection.
-
August 17th, 2003, 04:32 AM
#17
If you really want to put an end to this, turn on a "server" on the PC that was scanned.
Do it temporarily and turn off the personal firewall on the PC.
This could be http/80, telnet/23 or ftp/21. Then try to connect from outside again as you did before with your friend, but to one of the above applications...
If you connect, then your router is definitely NATing...
e.g. if your public address is 66.x.x.x and you have port 21 turned on on your PC, FTP to 66.x.x.x from outside and see if you connect. Verify that you FTP to your PC and not your router...
P.S.
Your router could also be "buggy", which explains why sometimes you are able to scan and other times you are not... Very possible, especially if your router is one of the off-the-shelf
appliance routers (Linksys, etc...)
You may want to entertain investing in a Cisco 2501 series router from eBay for about
$100-150. It will serve you two purposes: one, you have a stable IOS, and two, you will be on your way to learning how to configure a real router that is used in professional industry, to help your career in the IT industry....
-
August 17th, 2003, 04:39 AM
#18
I might try that Cisco router.
Thanks for the help.
-
August 17th, 2003, 05:09 AM
#19
This thread has interested me, as I have had some similar happenings on my home network. In my Snort logs it will show a port scan, from a public IP, to my private IP 192.168.0.1. I have also noticed that some ICMP messages get to my computer as well. If somebody were to source route a scan, would they be able to get traffic to my LAN?