Port Scans from Outside

JSE73

MIS
Aug 6, 2003
US
ISA is reporting that it is being port scanned by outside IP addresses. It happens a couple times a day.

I've done my own scans and I'm confident my server is secure.

Should I be concerned by this? Is there something I should do about it?
 
If you don't know who is scanning you, I would definitely investigate the scans. Although you may think that the server is secure, there are always new flaws/vulnerabilities that you may not know about. If you are seeing a scan a couple times a day, someone is certainly checking out your ISA server. Probably using NMAP. You may want to do a reverse lookup on the IP address in your log, and give the company a call regarding the scans. It may stop an attack before it happens.

Joe
 
Thanks for the reply.

This may be a dumb question but, how do I do a reverse lookup?
 
I am investigating a port scan that is coming from 127.0.0.1 - the local machine. It happens a couple of times a day as well.
 
I too have been receiving port scans from 127.0.0.1. The thing that sucks is it emails my cell phone with these alerts. I get no sleep. After many moons of trying to figure it out......I finally said screw it. Well, I skimmed the Firewall Logs again and noticed the following:

A program called AutoProxy is trying to access the IP: 127.0.0.1 and Port:#### (these seem to be random ports, hence the alert seeing it as a scan)

Well...I found what IP they were coming from. I went to the Internal machine and found the following as well:

In the registry:

HKLM/Software/Microsoft/Windows/Current Version/RUN/lzfqndc.exe

I deleted the key....it came back immediately after a refresh.

In the System32 folder:

lzfqndc.exe and .dll

I opened the DLL file with WordPad and at the bottom of the file it mentioned Autoproxy. So I rebooted into Safe Mode and removed the registry key and deleted the two files in System32.

I am waiting to see if that was the cause. So far I have not received an alert yet.

Sorry for the long-winded story, but I had lots of coffee today. :)


Regards,

John
Crystal River, FL
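An added example, not part of any post in this thread: a small triage script for the two situations discussed above, scans from outside addresses (where a reverse lookup is the next step) and "scans" from 127.0.0.1 (where the source is a program on the host itself). The log layout, the sample records and the four-port threshold are assumptions made for the example; they are not ISA Server's real log format.

```python
import ipaddress
import socket
from collections import defaultdict

# Constructed sample records, NOT the real ISA Server log format: "time source_ip dest_port"
SAMPLE_LOG = """\
02:14:01 203.0.113.45 21
02:14:01 203.0.113.45 23
02:14:02 203.0.113.45 25
02:14:02 203.0.113.45 80
02:20:10 198.51.100.7 443
03:05:40 127.0.0.1 3391
03:05:41 127.0.0.1 4410
03:05:41 127.0.0.1 5127
03:05:42 127.0.0.1 6003
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def triage(log_text, min_ports=4):
    """Group hits by source; for each likely scanner, say where to investigate."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[2].isdigit():
            continue  # skip malformed records
        try:
            src = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # source field is not an IP address
        ports[src].add(int(fields[2]))
    findings = {}
    for src, seen in ports.items():
        if len(seen) < min_ports:
            continue  # too few distinct ports to treat as a scan (assumed threshold)
        if src.is_loopback:
            where = "local: find the process on this host making the connections"
        elif any(src in net for net in RFC1918):
            where = "internal: inspect that machine on your own network"
        else:
            where = "external: PTR lookup of " + src.reverse_pointer
        findings[str(src)] = where
    return findings

def reverse_lookup(ip):
    """Resolve the PTR record for ip; returns None when no name is published."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None
```

`reverse_lookup()` needs working DNS, and a PTR name is set by whoever controls the address block, so treat it as a lead to confirm against the registry (whois) record rather than as proof of ownership.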
 