"Attacking" with 14 Packets

TheLeftCoastSux
Just Registered
Posts: 4
Joined: Sat Jan 11, 2003 12:00 pm
Location: Land of Fruits, Nuts, and Flakes

Post by TheLeftCoastSux »

Ok, I have an interesting problem/dilemma facing me. Apparently my computer (call it client1, as I don't wish to divulge my true name, which is my computer name) has been hitting bailey.cs.uop.edu with some kind of NetBIOS scan, then 12 TCP packets on a port probe, then 14 UDP packets on a UDP port probe. This is according to the administrator of bailey.cs.uop.edu, who is now regarding me as a malicious hacker (although what one can do with that few packets I have no idea).

So I'm trying to figure out what the frick is scanning bailey.cs.uop.edu from client1. Sunday night, in an attempt to avoid going to the comp sci lab, I was trying to get to my profile, which was actually on a different server, but I thought it was on bailey.*

So two days later I'm working at the computer center and the network guys come out of the back and show me a report from the CS administrator about me "attacking" the server... although how 14 packets is really an attack I don't know, but the CS guy is making a HUGE deal out of it.

So I've been through my computer a million and a half times and can't find any exploits or other problems, flushed the stacks and NetBIOS registers, and dug through my netsh stack manually looking for anything that might have some clue.

So I finally stumbled upon my printers. We used to have a printer attached to bailey.cs.uop.edu, but now it is attached to another system; my computer, client1, only has network printers mapped on it (of which I have since deleted the bailey printer).

I'm hoping that this might have been why these NetBIOS, TCP and UDP port scans with a few packets might be occurring, and only once every few hours. So I'm guessing that my computer, when trying to see what printers it has available to it, was trying to look for a printer on bailey via NetBIOS, then would look for it on a TCP and UDP port. Does this make sense that it would do this?

It's W2K with a 3Com NIC, and everything is running over our NAT'd LAN here at UOP, so everything is by 10.10.* addressing, which is why they traced it to me so easily. I'm trying to get to the bottom of this and looking for directions.

The CS admin is out until Tuesday or so, so I won't know if this was the problem, but till I can find out for sure when he gets the firewall logs, I'm just looking for other ideas.

From granola land:
TheLeftCoastSux
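The hypothesis above (a stale printer mapping producing a small NetBIOS/SMB burst every few hours, rather than a scan) is something the firewall logs can be checked for directly. The following is an added example, not code from anyone in the thread: it parses constructed firewall records and labels a client-to-server pair as a repeating lookup of the well-known Windows file/print ports (UDP 137/138, TCP 139/445) or as a port scan; the record format, the scan threshold and the burst gap are assumptions chosen for the example.

```python
# Added example, not from the thread: triage constructed firewall records from one
# client to one server and separate a stale Windows share/printer lookup (a few
# NetBIOS/SMB packets repeated every few hours) from a real port scan.
from datetime import datetime, timedelta

# Well-known Windows file/print service ports: NetBIOS name, datagram, session; SMB over TCP.
WINDOWS_SHARE_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Constructed sample records: date time proto src dst dport packets.
# Host 10.10.4.23 sends the same small burst (12 TCP, 14 UDP packets) to bailey twice, hours apart.
SAMPLE_LOG = """\
2003-01-12 21:02:11 udp 10.10.4.23 bailey 137 7
2003-01-12 21:02:12 tcp 10.10.4.23 bailey 139 6
2003-01-12 21:02:12 tcp 10.10.4.23 bailey 445 6
2003-01-12 21:02:13 udp 10.10.4.23 bailey 138 7
2003-01-13 02:58:40 udp 10.10.4.23 bailey 137 7
2003-01-13 02:58:41 tcp 10.10.4.23 bailey 139 6
2003-01-13 02:58:41 tcp 10.10.4.23 bailey 445 6
2003-01-13 02:58:42 udp 10.10.4.23 bailey 138 7
"""
# Host 10.10.9.77 walks a dozen TCP ports in one second: the real-scan pattern (constructed).
SAMPLE_LOG += "".join(f"2003-01-13 03:10:00 tcp 10.10.9.77 bailey {p} 1\n" for p in range(20, 32))

def parse_log(text):
    """Parse whitespace-separated records into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        d, t, proto, src, dst, dport, pkts = line.split()
        events.append({"ts": datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S"),
                       "proto": proto, "src": src, "dst": dst,
                       "dport": int(dport), "pkts": int(pkts)})
    return events

def bursts(times, gap=timedelta(minutes=5)):
    """Group timestamps into bursts; a new burst starts after a pause longer than gap."""
    groups = []
    for ts in sorted(times):
        if not groups or ts - groups[-1][-1] > gap:
            groups.append([])
        groups[-1].append(ts)
    return groups

def classify(events, src, dst, scan_threshold=10):
    """Label traffic from src to dst: 'port_scan', 'stale_share_lookup' or 'unknown'."""
    flows = [e for e in events if e["src"] == src and e["dst"] == dst]
    ports = {(e["proto"], e["dport"]) for e in flows}
    if len(ports) >= scan_threshold:  # many distinct ports: probing, not a service lookup
        return "port_scan"
    if ports and ports <= WINDOWS_SHARE_PORTS and len(bursts([e["ts"] for e in flows])) >= 2:
        return "stale_share_lookup"  # only share/print ports, the same burst recurring over time
    return "unknown"
```

Run against the real logs, the same grouping shows whether the bursts stop once the stale printer mapping is deleted, which is the check the original poster is waiting on.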
jester22c
Moderator
Posts: 283
Joined: Sat Jun 08, 2002 12:58 am
Location: Cleveland, TN

Post by jester22c »

That old printer installation sounds like the best bet to me. However, being set up on a mesh network like yours, there are numerous reasons why your computer could be accessing that address. Windows is very unintelligible in the sense that if you look for something somewhere once, and it's not there... instead of remembering that it wasn't there, it remembers where you looked last. This can be true for anything from files to security profiles and permissions lists, to program listings, to hardware... you name it. So if your computer used to connect to that given address for a file/device etc., it could very well be recursively trying to connect there now that that file/device is no longer there. Windows networking is very persistent, I will definitely give it that. As to that CS admin... if he is worried about 14 packets, then either he thinks you are extremely intelligent or he is very stupid, perhaps a combination of both. To "hack" (crack) anything with 14 packets is quite phenomenal IMO, and if you manage to do it or hear of anyone doing such, please let me know. I want to shake the guy's hand. My guess is he is just the paranoid conspiracy theory type that read some article on college kids posing as a major security risk to their school networks and is taking that as gospel to every kid that logs on. The redundancy itself of the transfers should show him that you yourself aren't making the "deadly" connections. Networking obviously isn't this guy's niche.

Good luck :D Hope I was helpful... sorry for the rambling it's been one heck of a long day.
:D
TheLeftCoastSux
Just Registered
Posts: 4
Joined: Sat Jan 11, 2003 12:00 pm
Location: Land of Fruits, Nuts, and Flakes

cool

Post by TheLeftCoastSux »

Thanks jester22c; that's pretty much my line of thinking as well in regards to what Windows is trying to do.

I think the CS admin is paranoid because last semester somebody really, really hacked into the machine from some place overseas, and he refused to acknowledge that somebody did get into his machine until it was too late. THEN, you are going to LOVE this... they found mirc.exe in somebody's folder on the machine and said that's what opened it to attack, which is really silly cuz bailey.cs.uop.edu does not participate in any routing for traffic whatsoever and we go out through the stuff in the computing center.

Hopefully the printer was the culprit and that'll be the end of it.

TheLeftCoastSux/TNG