Tools for tracing IP

plug-discuss@lists.plug.phoenix.az.us
Thu, 11 Apr 2002 20:22:34 -0400


On my Win98 box here at work I recently installed ZoneAlarm so I could catch any "funny" apps going out to the internet without me knowing.  Today ZoneAlarm has been yelling every couple of hours about attempted NetBIOS connections from an IP outside our company NAT firewall.  This puzzles me greatly.  Ping and traceroute from the Win98 box to the IP come back without a domain name and with "Destination host unreachable" errors.

I assume my PC has been "zombified" and the "master" is outside trying to get in.  I don't know how it is doing this through the NAT.  I have not seen any unknown programs trying to get out through ZoneAlarm.

Not being experienced in tracking these things, I don't know what else I can learn about this when all I have is the IP address.  What tools or resources are available in Linux to find out where this port scan is coming from and what on my computer would want to answer?

Details------------
Summary:
Source IP: 169.254.101.152
Source ports: 4335, 4615, 4618, 4621, 4995, 4998, 3626, 3632
My IP (behind firewall/NAT): 192.168.200.xxx
My port: 139

ZoneAlarm Log text:
type,date,time,source,destination,transport
FWIN,2002/04/11,10:12:00 -7:00 GMT,169.254.101.152:4335,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4615,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4618,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4621,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4995,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4998,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3626,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3632,192.168.200.xxx:139,TCP (flags:S)
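As an added example (not part of the original post), here is a small Python parser for the ZoneAlarm CSV format quoted above that tags each source address by scope using the standard library's ipaddress module. One fact worth knowing when reading the result: 169.254.0.0/16 is the link-local (APIPA) range that Windows self-assigns when DHCP fails, and routers do not forward it, so a source in that range is on the same network segment rather than beyond the NAT.

```python
import csv
import ipaddress

# ZoneAlarm log copied from the post above. The destination host is
# redacted there (192.168.200.xxx), so it is kept as an opaque string.
ZONEALARM_LOG = """type,date,time,source,destination,transport
FWIN,2002/04/11,10:12:00 -7:00 GMT,169.254.101.152:4335,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4615,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4618,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4621,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4995,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4998,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3626,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3632,192.168.200.xxx:139,TCP (flags:S)
"""

def classify(ip_text):
    """Coarse scope of an IPv4 source: link-local, private (RFC 1918) or public."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_link_local:      # 169.254.0.0/16 (RFC 3927); routers do not forward it
        return "link-local"
    if ip.is_private:         # 10/8, 172.16/12, 192.168/16
        return "private"
    return "public"

def split_endpoint(endpoint):
    """'host:port' -> (host, port); the host may be a redacted string."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)

def parse_log(text):
    """Parse ZoneAlarm's CSV export into a list of dicts, one per blocked packet."""
    rows = []
    for row in csv.DictReader(text.strip().splitlines()):
        src, sport = split_endpoint(row["source"])
        dst, dport = split_endpoint(row["destination"])
        rows.append({"type": row["type"], "when": row["date"] + " " + row["time"],
                     "src": src, "sport": sport, "dst": dst, "dport": dport,
                     "proto": row["transport"], "scope": classify(src)})
    return rows

def summarize(rows):
    """Per source address: scope, set of targeted ports, and number of hits."""
    out = {}
    for r in rows:
        e = out.setdefault(r["src"], {"scope": r["scope"], "dports": set(), "hits": 0})
        e["dports"].add(r["dport"])
        e["hits"] += 1
    return out
```

Calling `summarize(parse_log(ZONEALARM_LOG))` on the log above yields a single entry for 169.254.101.152 with scope "link-local", eight hits, and port 139 as the only target.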