Thread: port scan

  1. #1
    Join Date
    May 2002

    port scan

    Hi, it's been a long time.
    I have been working as a tech for a while now in a mom and pop computer store and we seem to be having a problem.
    wireless broadband 256m up 128m down
    Linksys router with firewall and NAT
    minimum 6 PCs and one file server, up to 15 PCs if the store is busy
    The problem: port scans. We have been getting scanned for weeks, nice and neat: port 1900, 1901, 1902, etc. etc. etc. If I shut down the router and reset the IP addy it's good for a couple of hours, but then it's right back.
    Get this, the addys they are coming from: EDS security desk, Microsoft abuses desk, the White House Secret Service computer, and it goes on and on. I contacted EDS and they were in fact hijacked. Have any of you seen the same problem? Is this widespread, or does someone want our LAN? Thanks
    tired of being called an ass

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Hi oldguy,

    The keyword that comes to mind reading your post is *wireless*. You may want to cantenna your shop
    and see what this scan-O-hollic finds interesting about your network. Also head over to WiFi Maps and see
    if there is anything about your network, or your ISP listed there.

    As to the decoyed addresses, most modern port scanners worth using these days (e.g. Nmap) have this ability.

    Best of luck to you.

    -- spurious
    Get OpenSolaris http://www.opensolaris.org/

  3. #3
    @ŞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r
    Join Date
    May 2003
    St. Petersburg, FL
    Spurious is right, you need to be more careful with wireless networks. Many wireless systems have the ability to lower the transmission power; you only need it to be transmitted as far as necessary. The parking lot doesn't have to be covered.

    One last thing: there are Wi-Fi detectors out there for about $30 that will allow you to determine the presence of 802.11 networks. This can be used in conjunction with the signal adjustments to contain the area of transmission easily.

    It is interesting that even after IP renewal the scans always come back...
    Real security doesn't come with an installer.

  4. #4
    AO übergeek phishphreek
    Join Date
    Jan 2002
    I'm a little confused as to where you are being scanned...

    Are you being scanned on the WAN IP? Or on the internal LAN?

    If it is internal, then look for people around the shop sitting in cars etc. Does the router show who is connected to it? If so, look for MACs you don't know. Set up ACLs on the wireless router to only allow the MACs of the wireless cards you want to have access. Also, disable the broadcasting of the SSID and change the default name of the SSID to something that nobody will recognize. A random string of letters is what I use... so if someone finds it, they won't know that it's the Law Firm at the corner of 2nd and Wallup... Don't forget to enable WEP and manually configure the workstations to point to the WAP and enter the key. If you do find that it is someone attacking your wireless network around you, and not from the WAN, then there are a couple of things other than what I have already said that you can do. Look into a program called FakeAP.

    If one access point is good, 53,000 must be better.

    Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables.
    That's sure to throw them for a loop... at least for a little while... there are ways to detect this, but confuse the hell out of them in the process.

    If you keep getting the scans on the WAN, and it's the same person that keeps finding you, then they must have some way to find out when you change IP addresses. Whether they have installed a dynamic DNS service that is set to update every couple of hours, or an SMTP server that is mailing a message to the attacker with the new IP, a trojan connecting to an IRC server, or something along those lines.

    These are all ideas off the top of my head, but it can't hurt to check for them.

    D0pp139an93r and spurious_inode bring up good points about the w/less maps and your signal going too far. For all you know, it could be some punk in the store next to yours.
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
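
An added example, not part of any post in this thread: because decoyed scans spread one sweep across many claimed source addresses, this sketch looks for runs of consecutive destination ports (the 1900, 1901, 1902 pattern from post #1) and ignores who appears to have sent each probe. The log format, addresses and function names are constructed for illustration and are not a real router's output.

```python
import re

# Constructed sample in a made-up log format (assumption, not a real router's output).
SAMPLE_LOG = """\
12:00:01 DROP TCP 198.51.100.7:40112 -> 203.0.113.10:1900
12:00:02 DROP TCP 192.0.2.44:40113 -> 203.0.113.10:1901
12:00:02 DROP TCP 198.51.100.99:51000 -> 203.0.113.10:443
12:00:03 DROP TCP 203.0.113.200:40114 -> 203.0.113.10:1902
12:00:04 DROP TCP 192.0.2.91:40115 -> 203.0.113.10:1903
12:00:05 DROP TCP 198.51.100.7:40116 -> 203.0.113.10:1904
12:00:06 DROP TCP 192.0.2.44:40117 -> 203.0.113.10:1905
12:07:30 DROP TCP 198.51.100.23:33000 -> 203.0.113.10:22
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) DROP \w+ ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

def parse(log):
    """Return (seconds, src_ip, dst_ip, dst_port) for every line that matches."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            h, mi, s, src, dst, port = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), src, dst, int(port)))
    return events

def find_sweeps(events, min_run=4, max_gap=5):
    """Find runs of consecutive destination ports, whatever source each probe claims."""
    open_runs, done = {}, []   # open_runs: (dst, next expected port) -> probes so far
    for ev in sorted(events, key=lambda e: (e[0], e[3])):
        t, _src, dst, port = ev
        run = open_runs.pop((dst, port), None)
        if run and t - run[-1][0] > max_gap:   # too long a pause: not the same sweep
            done.append(run)
            run = None
        run = (run or []) + [ev]
        displaced = open_runs.get((dst, port + 1))
        if displaced:                          # another run was waiting on this port
            done.append(displaced)
        open_runs[(dst, port + 1)] = run
    done.extend(open_runs.values())
    return [{"dst": r[0][2], "first_port": r[0][3], "last_port": r[-1][3],
             "probes": len(r), "sources": sorted({e[1] for e in r})}
            for r in done if len(r) >= min_run]

if __name__ == "__main__":
    for sweep in find_sweeps(parse(SAMPLE_LOG)):
        print(sweep)
```

A per-source threshold would miss this sample, since no single address sends more than two probes; grouping by destination and port order is what exposes the sweep.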
