
IP trace software


Rleeunc (MIS), Feb 28, 2001
I need some suggestions on software I can get my hands on (Freeware, demo, etc.) that will show me info about who (ip address) is hitting my PDC/Mail Server(NT4.0). We have been advised that we are being hit by middle eastern IP's but I have no way to see who they are and if in fact they are hitting one of my servers or just our public website hosted by a 3rd party. Thanks!!!!! RLee@NCDOI.net
 
Neo trace is very cool, but there is more you can do as well as part of a general security option.

Check out Network ICE or LANguard. I've only used Network ICE, but it's very good. It will alert you to who is trying to do what, such as a ping or sniff or any other such activity. In some cases it will even pick up the MAC address of the intruder. Then, rather than a DHCP IP address to chase, you have something hard coded. (But yes, it does cost $, sorry.)
Also you need to make sure they're not bouncing off someone else as well....

Also, the MS web site can be very good: set the system to automatically check for updates, and it should also fix any holes that they may be using.

And of course update your virus scanner, run a full clean, and if possible use two different scanners (Sophos, Vet, Antigen and F-Secure are all very good). This may help to close any hole they are using as well.

Cheers, John
 
Why not use utilities that come with your computer, such as tracert and nbtstat? These tools are just as effective as those listed above and are more efficient. --Sapient2003 - sapient@sapient2003.com
"The worst insecurity is believing you are too secure."
 
I already have Neotrace Pro for tracing IP's.
What I need to know is how to figure out who is hitting my servers and what their IP is. Thanks! RLee@NCDOI.net
 
Rleeunc--
To check your active connection, in DOS, use the command: netstat -anp tcp . Good luck. --Sapient2003 - sapient@sapient2003.com
"The worst insecurity is believing you are too secure."
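The `netstat -an` approach above tells you who is connected right now, and on a busy mail or web server the raw listing is long. As an added example (not code from the thread), here is a small parser that turns `netstat -an` style output into a map of local service port to the foreign IPs currently connected to it, ignoring loopback and listening sockets. The sample listing is constructed in the style of NT 4.0 output and uses documentation-range addresses; the column layout is an assumption about that format.

```python
"""Pull foreign peers out of 'netstat -an' output (constructed NT 4.0-style sample)."""
from collections import defaultdict

# Constructed sample: the shape of 'netstat -an' on NT 4.0, not a real capture.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         127.0.0.1:1030         ESTABLISHED
  TCP    192.0.2.1:25           203.0.113.5:1542       ESTABLISHED
  TCP    192.0.2.1:80           198.51.100.7:2201      ESTABLISHED
  TCP    192.0.2.1:139          192.0.2.44:1033        ESTABLISHED
  TCP    192.0.2.1:80           203.0.113.5:1560       TIME_WAIT
  UDP    192.0.2.1:137          *:*
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP row: proto, local/foreign ip and port, state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header lines, blank lines, "Active Connections"
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        local_ip, local_port = local.rsplit(":", 1)
        foreign_ip, foreign_port = foreign.rsplit(":", 1)
        rows.append({
            "proto": proto,
            "local_ip": local_ip, "local_port": local_port,
            "foreign_ip": foreign_ip, "foreign_port": foreign_port,
            "state": state,
        })
    return rows


def peers_by_service(text, states=("ESTABLISHED",)):
    """Map each local TCP port to the sorted foreign IPs in the given states.

    Loopback peers are dropped; LISTENING rows never match because their
    state is not in `states`.  Pass states=("ESTABLISHED", "TIME_WAIT") to
    also see peers that just disconnected.
    """
    peers = defaultdict(set)
    for row in parse_netstat(text):
        if row["proto"] != "TCP" or row["state"] not in states:
            continue
        if row["foreign_ip"].startswith("127."):
            continue
        peers[int(row["local_port"])].add(row["foreign_ip"])
    return {port: sorted(ips) for port, ips in peers.items()}


if __name__ == "__main__":
    for port, ips in sorted(peers_by_service(SAMPLE_NETSTAT).items()):
        print(f"port {port}: {', '.join(ips)}")
```

Run it against a saved listing (`netstat -an > conns.txt`) by reading the file into `peers_by_service`; the snapshot only shows current connections, so for anything older than a few minutes you still need the server logs.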
 
You may want to try looking at your logs. Unless the middle easterners are penetrating your machine and altering the audit logs, they should contain everything that you are looking for.

I have to assume that you are running Windows, based on the GUI request, so you'd want to look at the logs that IIS provides. It should include web, smtp and imap/pop logs.

Every connection that is made to your hosts should be listed in the logs, along with the IP address, the document requested (web), the addresses that were used for relaying (smtp) and the messages read (imap/pop).

pansophic
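To make the log-review suggestion above concrete, here is an added example (not from the thread) that reads an IIS W3C extended log, counts hits per client IP, and flags addresses whose requests are mostly errors, which is what repeated probing of a web server tends to look like. The log excerpt is constructed with documentation-range addresses; the `#Fields` list and the 50% error-ratio threshold are assumptions for the example, and the parser assumes no embedded spaces in a field (IIS writes `+` in place of spaces).

```python
"""Summarize client IPs from an IIS W3C extended log (constructed sample)."""
from collections import defaultdict

# Constructed sample in W3C extended format; the #Fields line drives parsing.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2001-02-28 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-02-28 03:14:07 203.0.113.5 GET /default.htm 200
2001-02-28 03:14:09 203.0.113.5 GET /scripts/test.asp 404
2001-02-28 03:14:10 203.0.113.5 GET /admin/login.htm 404
2001-02-28 03:15:00 198.51.100.7 GET /index.html 200
2001-02-28 03:15:02 198.51.100.7 GET /products.htm 200
2001-02-28 04:01:30 192.0.2.10 GET /default.htm 304
"""


def parse_w3c(text):
    """Yield one dict per record; a '#Fields:' directive names the columns."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no records
        if fields is None:
            raise ValueError("record appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def summarize(text):
    """Per client IP: hit count, 4xx count, first/last timestamp, distinct URIs."""
    per_ip = defaultdict(lambda: {"hits": 0, "errors": 0,
                                  "first": None, "last": None, "uris": set()})
    for rec in parse_w3c(text):
        stats = per_ip[rec["c-ip"]]
        stats["hits"] += 1
        if rec["sc-status"].startswith("4"):
            stats["errors"] += 1
        ts = rec["date"] + " " + rec["time"]
        stats["first"] = ts if stats["first"] is None else min(stats["first"], ts)
        stats["last"] = ts if stats["last"] is None else max(stats["last"], ts)
        stats["uris"].add(rec["cs-uri-stem"])
    return dict(per_ip)


def suspicious(summary, min_hits=3, error_ratio=0.5):
    """IPs with at least min_hits requests of which error_ratio or more failed."""
    return sorted(ip for ip, s in summary.items()
                  if s["hits"] >= min_hits and s["errors"] / s["hits"] >= error_ratio)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, s in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{ip:15} hits={s['hits']} errors={s['errors']} "
              f"{s['first']} .. {s['last']} uris={len(s['uris'])}")
    print("suspicious:", suspicious(report))
```

The same parser works for the SMTP service log, since it is written in the same W3C format with its own `#Fields` line; only the column names you aggregate on change. A log that shows no hits from the suspect address range is also useful evidence: it suggests the traffic is going to the externally hosted site rather than to this server.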
 
Does NeoTrace just show a general IP address? Like, say you're trying to trace email from someone who is unknown: does it trace to their computer, or does it just trace to the mail server, like Yahoo or Hotmail?
 
That is a function of how the email message was delivered to your machine, not the application that you use to trace the IP address.

If I find a server that will support you!target.com@company.com and company.com's mail server will accept that format (very archaic method of forced mail routing), the company.com mail server will rewrite the to: field to be you@target.com (stripping their domain) as the destination and forward it (relay) to your mail server. Your mail server will log smtp.company.com's IP address because that is who connected to it.

If they are relaying directly through your mail server, then you will have the IP address of the host that actually sent the email. Of course when I look through my logs, nearly all of the relay attempts are from dial-up ISP addresses (you can usually tell when they resolve to xxx-xxx-xxx-xxx-dhcp.isp.net). If the connection is several hours ago, it is likely that you will find a different computer using that address.

pansophic
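The point above, that your mail server only logs the host that connected to it, also shows in the message itself: each hop prepends a `Received:` header, and only the one your own server added is something you verified. The following added example (not from the thread) walks the `Received:` chain of a constructed message, pulling the connecting IP from each hop, and reports the hop recorded by a given host name. The message, host names and addresses are made up for the example, and the header regex assumes the common `from host (rdns [ip]) by host` layout.

```python
"""Walk Received: headers to separate the verified hop from the claimed ones."""
import email
import re

# Constructed message: a relay through smtp.company.com, as in the post above.
RAW_MESSAGE = """Received: from smtp.company.com (smtp.company.com [203.0.113.20])
    by mail.target.com with SMTP; Wed, 28 Feb 2001 03:14:07 -0500
Received: from dialup-pool (ppp-198-51-100-7-dhcp.isp.net [198.51.100.7])
    by smtp.company.com with SMTP; Wed, 28 Feb 2001 03:13:50 -0500
From: someone@example.org
To: you@target.com
Subject: test

body
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>"; the parenthesised part is optional.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\])?"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)


def hops(raw):
    """Return the hops topmost first, i.e. the hop your own server added comes first."""
    msg = email.message_from_string(raw)  # handles folded header lines
    out = []
    for header in msg.get_all("Received", []):
        m = HOP_RE.search(header)
        if m:
            out.append({k: m.group(k) for k in ("helo", "rdns", "ip", "by")})
    return out


def verified_peer(raw, our_host):
    """IP that connected to our_host, per the Received: line our_host wrote.

    Earlier hops were written by other servers and can say anything, so
    only this value should be matched against your own SMTP logs.
    """
    for hop in hops(raw):
        if hop["by"] == our_host:
            return hop["ip"]
    return None


if __name__ == "__main__":
    for i, hop in enumerate(hops(RAW_MESSAGE)):
        print(f"hop {i}: {hop['ip']} ({hop['rdns']}) -> {hop['by']}")
    print("verified peer:", verified_peer(RAW_MESSAGE, "mail.target.com"))
```

Here the verified peer is the relay, `203.0.113.20`, which is exactly what the SMTP log would show; the dial-up address one hop earlier is only what the relay claims, and, as the post notes, is likely reassigned by the time anyone looks.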
 
OK, thanks for the info. Are there any tracing programs that can trace to a specific computer, or able to obtain phone numbers or physical addresses via the trace?
 
traceroute (tracert for Windows) and its many lookalike programs will trace to nearly any IP address, but that doesn't really tell you what you are looking for.

Because the ISP registers the IP address, when you do a Reverse DNS query, you generally arrive at the ISP's address. I run a server that Reverse resolves to INYC.COM in New York, but the server physically resides in Virginia.

You can, however, do a traceroute, and resolve all of the IP addresses in between and get a pretty good idea what city the address is located in.

Of course if I am devious, and I can be, I will compromise a computer elsewhere in the world and run my exploits through it. I might even do that multiple times, so that the likelihood of you getting accurate log information from 2 or 3 computers is nearly zero. Therefore, the likelihood of you actually identifying me is also nearly 0.

pansophic
 
OK, so basically you run through portals around the world to more or less cover your back tracks? Suppose one wanted to do that, what's the easiest route?
 
Find an exploit that you can work well and then use a scanner to find machines with that vulnerability. If you are good at it, script the scans and attacks so that your system reports the compromised servers to you.

Once you have one, you just start work from that one to find others. Eventually you can build a network of them.

pansophic
 
Is there any way to look up information from email accounts that have been deleted, and if so, how?
 