Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 2 subscribers
  • Views 4643 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to determine source of internal port scans

jmadren
Our main Windows 2003 server has always generated a occasional port scans against the firewall.  That's fine - I don't want to exclude it in case some kind of malware infects the server.

The problem is we started getting lots of port scan warnings with this server being the source.  So something has started running on that server that is port scanning the firewall.  But I don't know how to determine what is doing it.  I don't see anything out of the ordinary running on the server, and we haven't made any changes or installed anything new on the server.

So the question is, how do we track down what is performing these port scans?

Thanks.


This thread was automatically locked due to age.
Parents
  • 0
    Start with making a note of the source port of the scan... then use any of the process info tools out there (netstat -ao will give you a pid on a specific port) on the Windows server to see what process is causing it... that should give you enough info to figure it out.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    Or netstat -b will give you the name of the running app that opened the port.
  • 0 in reply to eganders_01
    Thanks guys.

    I've been using netstat to try to capture what could be performing the port scan against the firewall, when it's happening.  So far, I haven't found any correlation.  Is it possible that something else on our network is spoofing the ip address of this server?  If so, how would you find it?
Reply
  • 0 in reply to eganders_01
    Thanks guys.

    I've been using netstat to try to capture what could be performing the port scan against the firewall, when it's happening.  So far, I haven't found any correlation.  Is it possible that something else on our network is spoofing the ip address of this server?  If so, how would you find it?
Children
Cookie Information Banner