I found the following warning in my Event Viewer today:
Event Type: Warning
Event Source: Microsoft ISA Server Control
Event Category: Packet filter
Event ID: 15104
Date: 04/11/2003
Time: 00:51:37
User: N/A
Computer: SERVER
Description:
ISA Server detected a well-known port scan attack from Internet Protocol
(IP) address 66.220.17.151. A well-known port is any port in the range of
1-2048. For more information about this event, see ISA Server Help.
Data:
0000: 1f 00 00 00 ....
I went through the ISA Server Help but could not follow the steps for
blocking the IP address. I shall appreciate if someone can guide me how to
block this IP Address.

Rajiv Khandelwal
------------------------------------
www.vardaan.net



Re: Port Scan Attack by Scott

Scott
Tue Nov 04 01:23:20 CST 2003

Check the blockattacker.zip file download on http://www.isatools.org/.
Sometimes these port scan warnings are detected under valid circumstances;
for example, streaming video, web applications, etc. I've used this blocker
tool and have had to go disable some packet filter rules it has created in
order for some of ASP functions to work.

HTH,
Scott
"Rajiv Khandelwal, M. D." <rajiv@vardaan.net> wrote in message
news:%23ioReipoDHA.1884@TK2MSFTNGP09.phx.gbl...
I found the following warning in my Event Viewer today:
Event Type: Warning
Event Source: Microsoft ISA Server Control
Event Category: Packet filter
Event ID: 15104
Date: 04/11/2003
Time: 00:51:37
User: N/A
Computer: SERVER
Description:
ISA Server detected a well-known port scan attack from Internet Protocol
(IP) address 66.220.17.151. A well-known port is any port in the range of
1-2048. For more information about this event, see ISA Server Help.
Data:
0000: 1f 00 00 00 ....
I went through the ISA Server Help but could not follow the steps for
blocking the IP address. I shall appreciate if someone can guide me how to
block this IP Address.

Rajiv Khandelwal
------------------------------------
www.vardaan.net




Re: Port Scan Attack by Mal

Mal
Thu Nov 06 01:17:45 CST 2003

Not sure blocking this IP is a valid response. A port scan is a basic check
of what ports you have open, a hacker will typically scan thousands of IPs,
until something of interest is located. Kinda like walking down the street
looking to see who left their car unlocked. You can expect these basic
"pre attacks" to be a regular occurrence. If you do not have a secure
configuration, then there may be a more intensive probing soon after.
Assuming that everything is locked down, Mr Hacker will probably never
visit you again. Lots of "soft targets" out there.

Mal Osborne
MCSE MVP Mensa

"Rajiv Khandelwal, M. D." <rajiv@vardaan.net> wrote in message
news:%23ioReipoDHA.1884@TK2MSFTNGP09.phx.gbl...
I found the following warning in my Event Viewer today:
Event Type: Warning
Event Source: Microsoft ISA Server Control
Event Category: Packet filter
Event ID: 15104
Date: 04/11/2003
Time: 00:51:37
User: N/A
Computer: SERVER
Description:
ISA Server detected a well-known port scan attack from Internet Protocol
(IP) address 66.220.17.151. A well-known port is any port in the range of
1-2048. For more information about this event, see ISA Server Help.
Data:
0000: 1f 00 00 00 ....
I went through the ISA Server Help but could not follow the steps for
blocking the IP address. I shall appreciate if someone can guide me how to
block this IP Address.

Rajiv Khandelwal
------------------------------------
www.vardaan.net




Re: Port Scan Attack by Rajiv

Rajiv
Fri Nov 07 01:45:49 CST 2003

Thanks for the replies. It is good that the Firewall is doing its work but
do I need to make my server more secure and if yes, then how to go about
doing it?

Rajiv Khandelwal
alt. e-mail: khandelwalrajiv@hotmail.com
rekhakhandelwal@hotmail.com
------------------------------------
www.vardaan.net
"SuperGumby" <not@your.nellie> wrote in message
news:OaJukDFpDHA.3256@tk2msftngp13.phx.gbl...
> heck. most of these come from the one IP, I'm just glad the firewall is
> doing its job.
>
> --
> Who is this guy anyway?
> http://supergumby.dyndns.org
> and what is his opinion?
> http://imho.dyndns.org
> "Rajiv Khandelwal, M. D." <rajiv@vardaan.net> wrote in message
> news:%23ioReipoDHA.1884@TK2MSFTNGP09.phx.gbl...
> I found the following warning in my Event Viewer today:
> Event Type: Warning
> Event Source: Microsoft ISA Server Control
> Event Category: Packet filter
> Event ID: 15104
> Date: 04/11/2003
> Time: 00:51:37
> User: N/A
> Computer: SERVER
> Description:
> ISA Server detected a well-known port scan attack from Internet Protocol
> (IP) address 66.220.17.151. A well-known port is any port in the range of
> 1-2048. For more information about this event, see ISA Server Help.
> Data:
> 0000: 1f 00 00 00 ....
> I went through the ISA Server Help but could not follow the steps for
> blocking the IP address. I shall appreciate if someone can guide me how to
> block this IP Address.
>
> Rajiv Khandelwal
> ------------------------------------
> www.vardaan.net
>
>
>
>



Re: Port Scan Attack by Scott

Scott
Fri Nov 07 14:28:30 CST 2003

Rajiv,

If the port scans are coming from a particular IP, then you can block any
incoming traffic from that IP. If this is the case and/or you are
interested in automating these tasks, I suggest you look at my previous post
regarding isatools.org.

Scott


"Rajiv Khandelwal, M. D." <rajiv@vardaan.net> wrote in message
news:%23qG4BNQpDHA.688@TK2MSFTNGP10.phx.gbl...
> Thanks for the replies. It is good that the Firewall is doing its work but
> do I need to make my server more secure and if yes, then how to go about
> doing it?
>
> Rajiv Khandelwal
> alt. e-mail: khandelwalrajiv@hotmail.com
> rekhakhandelwal@hotmail.com
> ------------------------------------
> www.vardaan.net
> "SuperGumby" <not@your.nellie> wrote in message
> news:OaJukDFpDHA.3256@tk2msftngp13.phx.gbl...
> > heck. most of these come from the one IP, I'm just glad the firewall is
> > doing its job.
> >
> > --
> > Who is this guy anyway?
> > http://supergumby.dyndns.org
> > and what is his opinion?
> > http://imho.dyndns.org
> > "Rajiv Khandelwal, M. D." <rajiv@vardaan.net> wrote in message
> > news:%23ioReipoDHA.1884@TK2MSFTNGP09.phx.gbl...
> > I found the following warning in my Event Viewer today:
> > Event Type: Warning
> > Event Source: Microsoft ISA Server Control
> > Event Category: Packet filter
> > Event ID: 15104
> > Date: 04/11/2003
> > Time: 00:51:37
> > User: N/A
> > Computer: SERVER
> > Description:
> > ISA Server detected a well-known port scan attack from Internet Protocol
> > (IP) address 66.220.17.151. A well-known port is any port in the range of
> > 1-2048. For more information about this event, see ISA Server Help.
> > Data:
> > 0000: 1f 00 00 00 ....
> > I went through the ISA Server Help but could not follow the steps for
> > blocking the IP address. I shall appreciate if someone can guide me how to
> > block this IP Address.
> >
> > Rajiv Khandelwal
> > ------------------------------------
> > www.vardaan.net
> >
> >
> >
> >
>
>
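
Added example, not part of any post in this thread: a way to check whether the Event ID 15104 warnings discussed above come from one repeating address or from many, by tallying them from Event Viewer text pasted in the layout quoted in the thread. The function names, the sample records and the dd/mm/yyyy date reading are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

FIELD = re.compile(r"^(Event Type|Event ID|Date|Time|Description):\s*(.*)$")
SOURCE = re.compile(r"\(IP\)\s+address\s+(\d{1,3}(?:\.\d{1,3}){3})")

def _record(event_id, date, time, ip):
    return (f"Event Type: Warning\nEvent ID: {event_id}\nDate: {date}\nTime: {time}\nDescription:\n"
            f"ISA Server detected a well-known port scan attack from Internet\nProtocol (IP) address {ip}.\n")

# Constructed sample (documentation addresses, dd/mm/yyyy dates, wrapped description).
SAMPLE = "".join([
    _record("15104", "04/11/2003", "00:51:37", "203.0.113.7"),
    _record("15104", "05/11/2003", "02:10:00", "203.0.113.7"),
    _record("15104", "05/11/2003", "09:30:12", "198.51.100.20"),
    _record("15104", "06/11/2003", "23:59:59", "203.0.113.7"),
    _record("15104", "06/11/2003", "12:00:00", "999.1.1.1"),  # damaged address
    _record("1", "06/11/2003", "12:00:01", "192.0.2.9"),      # made-up other event ID
])

def parse_events(text):
    """Split a pasted Event Viewer export into one dict of fields per record."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        ev, in_desc = {"Description": ""}, False
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                ev[m.group(1)], in_desc = m.group(2), m.group(1) == "Description"
            elif in_desc:  # continuation of a wrapped description
                ev["Description"] = f"{ev['Description']} {line.strip()}".strip()
        if "Event Type" in ev:
            events.append(ev)
    return events

def scan_sources(text):
    """Map source IP -> sorted timestamps of Event ID 15104 warnings."""
    seen = defaultdict(list)
    for ev in parse_events(text):
        if ev.get("Event ID") != "15104" or not (m := SOURCE.search(ev["Description"])):
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
            when = datetime.strptime(f"{ev.get('Date')} {ev.get('Time')}", "%d/%m/%Y %H:%M:%S")
        except ValueError:  # damaged address or timestamp in the export
            continue
        seen[str(ip)].append(when)
    return {ip: sorted(ts) for ip, ts in seen.items()}

def repeat_sources(text, min_events=3):
    """Sources with at least min_events warnings: review these before blocking."""
    hits = scan_sources(text)
    return {ip: (len(ts), ts[0], ts[-1]) for ip, ts in hits.items() if len(ts) >= min_events}
```

A source that appears once is the routine scanning described in the thread; one that keeps returning is the case where a block rule is worth considering, after checking it is not one of the legitimate traffic patterns mentioned above.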