port scanning question
hey fellow crime stoppers,
I just received word from our ISP that someone or some "thing" has been up to no good through the use of one of our IP addresses. The IP in question belongs to one of our Macs running OS 10.3 and is strictly being used as a designer's workstation. I've included the email that I received from our provider, hoping it may shed some light on the situation, as I am not all that savvy in regards to these types of things. Anyone have any ideas as to where I should begin? Thanks mucho.
Quote:
Customer - X
1st Notice of Port Scanning Violation:
I am with Cbeyond Communications, your communications services provider.
I am sending you this email to inform you about a problem that exists on
your network.
It has come to our attention that port scans from your network have been
detected by other companies. These port scans are originating from the
computer on your company's network identified by the IP address of
xx.xx.xx.xx. (edited by me to protect the innocent) These port scans could be due to a virus on your network,
or from someone outside of your network who is using the above mentioned
IP address to initiate these attacks.
This is a direct violation of Cbeyond's Acceptable Use policy and it
needs to be corrected immediately. We highly recommend that you contact
your LAN (computer network) vendor to work on repairing this situation.
In addition, to assist you with the resolution of this matter, we have
included the log information from the report we've received.
Please work to resolve this matter at your earliest convenience as
Cbeyond will be forced to take appropriate action if this situation
continues. Violations of Cbeyond's Acceptable Use Policy can result in
early termination of your Cbeyond service and early termination charges
will apply.
Thank you for your attention to this matter.
Cbeyond Technical Support
Abuse Case Details:
Contact information removed by policy.
216.129.4.xxx on the xxx Canada Limited firewall has been attacked by
xx.xx.xx.xx. We have temporarily disabled access for xx.xx.xx.xx
through this firewall device.
Firewall Log:
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Time - 08-19-2004 07:45:07 GMT -5
Device - X.X.X.X
Source IP - xx.xx.xx.xx
Destination IP - 216.129.4.xxx
Firewall IDS Code - PIX-4-400028
Additional Information - IDS:3042 TCP FIN only flags from 69.15.16.146
to 216.129.4.xxx on interface outside
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Comments
I'd install something like Little Snitch - it makes the user aware of each and every attempt to use the network, displaying app, port, service, etc, and asking the user for confirmation. It'll let you know if there really is something initiating scans from that box.
My guess? Someone elsewhere is spoofing an IP in your pool.
You could take the box offline completely for a while, and let your ISP know that. Any further scans from that IP would then be known to be spoofed only.
Originally posted by Kickaha
Well, spoofing an IP address is trivial.
Thanks for the reply Kickaha,
I installed Little Snitch shortly before posting. Cute and useful little fella that app is. I didn't notice anything nefarious going on, but then again I've been real busy and that's not my Mac. I also enabled OS X's built-in firewall, just to be on the safe side.
Anyhow, could you go into more detail about IP spoofing? What is it and how does one go about it? Anything we can do to prevent it? Thanks, I'll take my answer off the air.
Internet packets have a 'from' header that includes the IP of the originating computer. In theory. You can change this to whatever you want, if you have the right sneaky tools. It's highly HIGHLY frowned upon.
It's no more blockable than keeping anyone in the world from writing your address in the return-address portion of an envelope and mailing it.
Your ISP should be looking at traffic from that IP now, and if it happens again, you'll have confirmation that it's coming from *that* computer. But I doubt it... I suspect it's much more likely to simply be a spoofer out there.
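An added example (my code, not from anyone in this thread): a small Python parser for the "Firewall Log" block format the ISP sent, which reads the IDS signature id and flags the "TCP FIN only flags" event as a stateless probe, i.e. a single packet sent outside any TCP handshake, so the source address in the complaint was never verified and may be spoofed, which is the point Kickaha is making. The sample addresses are constructed from documentation ranges, not taken from the real report.

```python
import re
from dataclasses import dataclass

# Constructed sample laid out like the ISP's "Firewall Log" block; the
# addresses are RFC 5737 documentation ranges, not anything from the report.
SAMPLE_LOG = """\
Time - 08-19-2004 07:45:07 GMT -5
Device - 198.51.100.1
Source IP - 192.0.2.10
Destination IP - 203.0.113.5
Firewall IDS Code - PIX-4-400028
Additional Information - IDS:3042 TCP FIN only flags from 192.0.2.10 to 203.0.113.5 on interface outside
"""

# IDS signature ids that fire on one unsolicited packet, outside any established
# TCP connection. Only 3042 (the one in the notice) is listed; extend as needed.
STATELESS_SIGS = {"3042": "TCP FIN only flags"}

@dataclass
class FirewallEvent:
    src: str
    dst: str
    ids_code: str
    sig_id: str
    info: str

    @property
    def source_unverified(self) -> bool:
        """A bare FIN never completes a handshake, so the firewall saw a
        single packet whose source address nobody ever had to prove."""
        return self.sig_id in STATELESS_SIGS

def parse_event(block: str) -> FirewallEvent:
    fields = {}
    for line in block.splitlines():
        key, sep, value = line.partition(" - ")   # "Key - Value" lines only
        if sep:
            fields[key.strip()] = value.strip()
    info = fields["Additional Information"]
    sig = re.match(r"IDS:(\d+)", info)           # signature id, e.g. IDS:3042
    return FirewallEvent(fields["Source IP"], fields["Destination IP"],
                         fields["Firewall IDS Code"], sig.group(1) if sig else "", info)

def triage(event: FirewallEvent) -> str:
    """Defender's verdict: can the complaint's source IP be trusted?"""
    if event.source_unverified:
        return (f"{event.src}: {STATELESS_SIGS[event.sig_id]} probe, no handshake; "
                "source may be spoofed, verify on the host before blaming it")
    return f"{event.src}: connection-based alert, source address is reliable"
```

Running `triage(parse_event(SAMPLE_LOG))` on the sample gives the "may be spoofed" verdict; a Little Snitch or local firewall check on the Mac, plus further samples from the ISP, is what actually settles it.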
Originally posted by running with scissors
Anyhow, could you go into more detail about IP spoofing? What is it and how does one go about it? Anything we can do to prevent it? Thanks, I'll take my answer off the air.
IP spoofing is manipulating IP and TCP header information.
There are a couple of variants. I remember that disabling rlogin used to fix a lot of earlier IP spoofing problems.
DoS attacks commonly involve IP spoofing.
Network scanning also involves it.
To do IP spoofing you need to understand IP and TCP packet structure and layer 3/layer 4 transport methods.
I can recommend Cisco's TCP/IP book as an excellent reference.
Encryption will generally stop any IP spoofing (firewalls can only reduce it).
Dobby.