"Attacking" with 14 Packets
Posted: Sat Mar 22, 2003 1:59 am
Ok, I have an interesting problem/dilemma facing me: apparently my computer (call it client1 as I don't wish to divulge my true name which is my computer name) has been hitting bailey.cs.uop.edu with some kind of NetBIOS scan, then 12 TCP packets on a port probe, then 14 UDP packets on a UDP port probe. This is according to the administrator of bailey.cs.uop.edu who is now regarding me as a malicious hacker (although what one can do with that few packets I have no idea).
So I'm trying to figure out what the frick is scanning bailey.cs.uop.edu from client1 -- Sunday night in an attempt to avoid going to the comp sci lab I was trying to get to my profile which was actually on a different server but I thought it was on bailey.* ---
So two days later I'm working at the computer center and the network guys come out of the back and show me a report from the CS administrator about me "attacking" the server... although how 14 packets is really an attack I don't know, but the CS guy is making a HUGE deal out of it.
So I've been through my computer a million and a half times and can't find any exploits or other problems, flushed the stacks and NetBIOS registers, and dug through my netsh stack manually looking for anything that might have some clue.
So I finally stumbled upon my printers. We used to have a printer attached to bailey.cs.uop.edu, but now it is attached to another system; my computer, client1, only has network printers mapped on it (of which I have since deleted the bailey printer).
I'm hoping that this might have been why these NetBIOS, TCP and UDP port scans with a few packets might be occurring and only once every few hours. So I'm guessing that my computer, when trying to see what printers it has available to it, was trying to look for a printer on bailey via NetBIOS, then would look for it on a TCP and UDP port. Does this make sense that it would do this?
It's W2k with a 3com NIC, and everything is running over our NAT'd LAN here at UOP so everything is by 10.10.* addressing, which is why they traced it to me so easily. I'm trying to get to the bottom of this and looking for directions.
The CS admin is out until Tuesday or so, so I won't know if this was the problem, but till I can find out for sure when he gets the firewall logs, I'm just looking for other ideas.
From granola land:
TheLeftCoastSux