Re: Am I really being probed ?

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

---

• From: "Gary D" <gary@xxxxxxxxxxxxxxxx>
• Date: Thu, 27 Apr 2006 11:17:15 +0100

---

Thanks for replies !

What alarmed me was that the report indicated the port scan was coming from
the 2nd NIC in the system. Not a truly external source. GRC.COMs address
appeared correctly when I ran a scan from there !

I will monitor, thanks anyway






"Nathan Thomas Sr" <nathan_nospam_@xxxxxxxxx> wrote in message
news:eTVJFLTaGHA.5000@xxxxxxxxxxxxxxxxxxxxxxx

To be clear...
You told a website to port scan your external nic, and now you're
worried that the GRC.Com IP is port scanning you? Or are you getting
reports of other IP's scanning you?

If you have an external connection with a 24/7 data pipe, get used to
it. You can either fix the problm, or ignore/disable that portion of
logging.

I'm not too familiar with ISA since I don't use it, but my linux
firewall box frequently reports things that might appear strange at
first, but are legit hits from my ISPs' dns servers and whatnot.
If it's the same ip or even the same range of ip's, I'm sure ISA can
block the range. Again, not entirely sure if ISA can do this, but I'm
sure someone will chime in if it can, but it'd be worthwhile to block
all asian ip ranges if you're in the US and have no business in that area.

Gary D wrote:

I am periodically getting the following message on my 2 NIC sbs2000
system.
The alarming thing is that the IP address (shown below as X's) is the IP
address of my external NIC. I used GRC.COM to do a legitimate port probe
and
ISA correctly reported their IP as the scanner. Do I have a configuration
problem ? My TREND CSMS v3 reports no problems. Help !!!!


ISA Server detected a well-known port scan attack from Internet Protocol
(IP) address xxx.xxx.xxx.xxx. A well-known port is any port in the range
of
1-2048. For more information about this event, see ISA Server Help.

Thanks in advance for any advice, Gary D

.

---

• References:
  • Am I really being probed ?
    • From: Gary D
  • Re: Am I really being probed ?
    • From: Nathan Thomas Sr

• Prev by Date: RE: html becomes attachment in exchange 2003
• Next by Date: RE: Flash Local Storage Settings
• Previous by thread: Re: Am I really being probed ?
• Next by thread: RE: Defragmenting Windows 2003 SBS
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Trying to understand this behavior, Ports in IIS ... That tells me the ISA server was accepting the connections. ... assign port 8080. ... In the border router and in the PIX firewall (both devices are "in front of" ... (microsoft.public.inetserver.iis.security) Re: ServU-deamon trojan warning with McAfee ... connection is free, any significant change in your usage is an indicator ... ISA has reporting features, the reports are ... > program has a port scanner, proxy analyser, whois, trace route, etc. ... (microsoft.public.backoffice.smallbiz2000) Re: open port in isa 2004 ? ... I understand that you want to know how to open port ... Open the ISA 2004 management console. ... then select the protocol (if the protocol does not exist, ... How to configure networks in ISA Server 2004 ... (microsoft.public.windows.server.sbs) RE: HOW DO I ACCESS ISA SERVER in SBS Premium 2003 ... Without ISA, you can configure RRAS to do port forwarding. ... Publishing a SQL Server Computer with ISA Server 2004 ... Microsoft CSS Online Newsgroup Support ... (microsoft.public.windows.server.sbs) Re: Server suddenly "isolates" itself from the network ... suspicion is ISA, but I suppose it could be the 4-port NIC as well. ... ISA Server detected a port scan attack from Internet Protocol ... Server configuration are applied after ISA Server exits lockdown ... (microsoft.public.windows.server.sbs)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.sbs  > 2006-04