Koozali.org: home of the SME Server

Port scanning on internal network - what could it be?

Offline judgej

Port scanning on internal network - what could it be?
« on: February 27, 2004, 03:52:16 PM »
I have just plugged a PC into my local network, installed Zonealarm, and am getting something I've never seen before. There appears to be a constant stream of port scans coming from my SME server - scanning from port 1000 upwards, at a rate of about two each second and running upwards sequentially.

Is there anything that should be doing this? It only seems to be happening to one machine on my network, and by chance that machine is using a dynamic IP address (the others are fixed).

Any ideas whether this is something I should be worried about? I have tried installing Clam AV on the server a short time ago, but I couldn't get it to work. Could it be something to do with that?

-- JJ
-- Jason

exodus

rooted?
« Reply #1 on: February 29, 2004, 06:18:08 AM »
My server got rooted, the day before I noticed I got an email from my ISP saying that I was portscanning and needed to stop. This may be your problem. I reinstalled to a fresh drive just to make sure it was gone.

Anonymous

Re: rooted?
« Reply #2 on: February 29, 2004, 06:49:26 PM »
Quote from: "exodus"
My server got rooted...


I was afraid something like this had happened, and I really don't know how to find out. There do not seem to be any decent virus/trojan scanners I can use from the command line. All the anti-virus packages seem to need a lot of packages updated and files configured. Are there any command-line virus scanners for Linux, that will check all my files for me?

-- JJ

Anonymous

Port scanning on internal network - what could it be?
« Reply #3 on: February 29, 2004, 07:47:41 PM »
Command AV works just great on the command line.

Only need to download and install two packages.

Not sure, but I think they have a 30 day fully featured trial?

www.command.co.uk

RonM

Port scanning on internal network - what could it be?
« Reply #4 on: March 01, 2004, 04:53:31 AM »
McAfee VirusScan Command Line Scanner for Linux should work also. One file to install and it should do a full deep system scan as the last step in the install (this could take a while ;-) They do want you to jump through some hoops on the website, though.

If you want to use it...

http://www.nai.com/us/downloads/evals/
click on the TRY link by the title 'bout 3/4 page down.

save it to an ibay, it's a ~.tar.z file
nav to dir
type zcat <distribution file> | tar -xf -
type: ./install -uvscan
answer y to a few questions
sit back

You may not have a virus, though. Good Luck!

Anonymous

Thanks!
« Reply #5 on: March 02, 2004, 02:41:16 AM »
Thanks everyone for your suggestions - I'll try them all out.

You are right - it may not be a virus. It could just be something that happens when a new machine is connected to a DHCP network, or another machine spoofing IPs - I just don't know.

Anonymous

Port scanning on internal network - what could it be?
« Reply #6 on: March 02, 2004, 04:11:55 PM »
Quote from: "RonM"
McAfee VirusScan Command Line Scanner for Linux should work also


I have scanned the entire system, and it did come up with a handful of viruses, but they were all Windows viruses in the various mail folders. I'm very impressed that the McAfee scanner was able to recognise and dive into the e-mail files on the filesystem, decode the attachments and find the viruses. Thanks for that suggestion - I would never have found that command-line scanner myself, as it is well hidden.

This still leaves me with the original mystery - what was scanning several thousand ports on my internal network, and purporting to come from my SME server and gateway box?

-- Jason

boringgit

Port scanning on internal network - what could it be?
« Reply #7 on: March 02, 2004, 11:49:05 PM »
You could try installing Snort and Guardian as per the howto

http://no.longer.valid/mylinks/visit.php?cid=104&lid=49

I just did and have not actually found anything too untoward - provides some peace of mind though ;)

(I chose to install the latest version of Snort from www.snort.org but guardian from the above howto - saw some exploits in older versions of snort, so latest seemed best)

Offline wyron

Port scanning on internal network - what could it be?
« Reply #8 on: March 03, 2004, 09:49:49 AM »
Hi, Boringgit
What server version are you running?
The contrib mentions only versions 5.0 to 5.6 inclusive.
Greetings
wyron
...

Anonymous

Port scanning on internal network - what could it be?
« Reply #9 on: March 03, 2004, 10:52:00 AM »
Quote from: "wyron"
Hi, Boringgit
What server version are you running?


I'm running 5.1.2, but with all RPM updates listed in the various security announcements. I'll have to upgrade soon, but it's finding the time to do the upgrade (setting it up initially was very time consuming, as I had to tweak drivers etc for the server - a Compaq Prosignia 740 - I am just not looking forward to upgrading).

-- Jason
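
An added example, not part of any post in this thread: one way to triage the kind of alert stream described in the first post is to group firewall log entries by source and check whether the destination ports climb sequentially, at what rate, and whether the packets all come from one source port. The log format, IP addresses and function names below are constructed for illustration and are not ZoneAlarm's actual log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a made-up format (not ZoneAlarm's own export):
# date time src_ip:src_port -> dst_ip:dst_port protocol
SAMPLE_LOG = """\
2004-02-27 15:40:00.0 192.168.1.1:53 -> 192.168.1.65:1000 UDP
2004-02-27 15:40:00.5 192.168.1.1:53 -> 192.168.1.65:1001 UDP
2004-02-27 15:40:01.0 192.168.1.1:53 -> 192.168.1.65:1002 UDP
2004-02-27 15:40:01.5 192.168.1.1:53 -> 192.168.1.65:1003 UDP
2004-02-27 15:40:02.0 192.168.1.1:53 -> 192.168.1.65:1004 UDP
2004-02-27 15:41:00.0 192.168.1.20:40001 -> 192.168.1.65:22 TCP
2004-02-27 15:41:01.0 192.168.1.20:40007 -> 192.168.1.65:443 TCP
2004-02-27 15:41:02.0 192.168.1.20:40012 -> 192.168.1.65:80 TCP
"""
LINE = re.compile(r"(\S+ \S+) (\S+):(\d+) -> \S+:(\d+) \w+")

def parse(log):
    """Yield (time, src_ip, src_port, dst_port); skip malformed lines."""
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group(2), int(m.group(3)), int(m.group(4))

def summarise(log):
    """Per source IP: event count, port range, sequence, rate, source ports."""
    by_src = defaultdict(list)
    for ts, src, sport, dport in parse(log):
        by_src[src].append((ts, sport, dport))
    report = {}
    for src, events in by_src.items():
        events.sort()
        dports = [d for _, _, d in events]
        steps = [b - a for a, b in zip(dports, dports[1:])]
        span = (events[-1][0] - events[0][0]).total_seconds()
        report[src] = {
            "events": len(events),
            "dst_range": (min(dports), max(dports)),
            "sequential": bool(steps) and all(s == 1 for s in steps),
            "rate_per_sec": round((len(events) - 1) / span, 2) if span else None,
            # One fixed source port means every packet came from the same port
            # on the sender; varying source ports mean separate connections.
            "src_ports": sorted({s for _, s, _ in events}),
        }
    return report

if __name__ == "__main__":
    for src, info in summarise(SAMPLE_LOG).items():
        print(src, info)
```

When a sequential sweep comes from a single fixed source port, compare that port against the services the server is known to run before drawing conclusions from the alert count alone.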