Detecting network probes

Problem:

You want to keep an eye on who's probing your network, and what they're probing for.


Solution:

A small shell script that checks your log files for access attempts on specific ports.

Log in to your Freesco box as root via telnet. Telnet sends the root password in clear text, so do this from the LAN side only, never across the Internet.

Type:

cd /mnt/router/fix
edit probes
Now type the following into the editor exactly as shown. If you can, copy and paste it: even a single incorrect character can stop the script from working.


#!/bin/sh
# Read the router's own address from Freesco's live config (IPADDR=...).
IP=`cat /etc/live.cfg | grep IPADDR | sed 's/.*=//'`

# Print the source address of every logged TCP packet aimed at $IP:<port>.
# The sed expression works in three steps: keep only lines containing
# "$IP:<port> " and delete that field; keep only lines containing "TCP " and
# delete everything up to and including it (leaving "src:sport ..."); then
# delete everything from the first ":" onwards, leaving just the source address.
# (An empty s/// pattern reuses the last regular expression that was matched.)
probe() {
	cat /var/log/log* | sed "/$IP:$1 /!d; s///; /.*TCP /!d; s///; /:.*/!d; s///"
}

echo "NetBIOS probes (port 139):"
probe 139
echo ""

echo "WinGate probes (port 1080):"
probe 1080
echo ""

echo "PCAnywhere probes (port 5631/5632):"
probe 5631
probe 5632
echo ""

echo "VNC probes (port 5800/5900):"
probe 5800
probe 5900
echo ""

echo "Proxy probes (port 8080):"
probe 8080
echo ""

echo "NetBus probes (port 12345):"
probe 12345
echo ""

echo "BO2K probes (port 54320):"
probe 54320
echo ""

echo "SubSeven probes (port 27374):"
probe 27374



Some of the lines above may have been word-wrapped by your browser; each of them (the long sed line in particular) must be on a single line when you save the file.

Press Alt+X to exit, and press Y to save when prompted.

Next, make the script executable and copy it to /bin. Type:

chmod 755 probes
cp probes /bin
Now, any time you want to check for recent probes, just type:
/bin/probes
As written, the script checks for TCP probes against NetBIOS (139), WinGate (1080), PCAnywhere (5631/5632), VNC (5800/5900), a web proxy (8080), NetBus (12345), BO2K (54320) and SubSeven (27374), but you can add whichever ports you like.

For each port, the script prints the source IP address of every logged attempt, one line per packet, so an address that appears several times under one port sent several packets to it. Bear in mind that the source address of a logged packet can be forged, so treat the list as a pointer to who is probing you, not as proof.

Note that Freesco only keeps about 50 KB of log files by default, so unless you run this regularly, older probes will already have rotated out and you won't catch them all.
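The same extraction, rewritten as an added example (not the page's own script) so the detection logic can be tried offline and tested: the log lines are constructed here in the kernel 2.0 ipfwadm layout the original sed relies on ("... TCP src:sport dst:dport ..."), which is an assumption about your log; the router address 198.51.100.2 and the probing addresses are made up. Beyond the original it counts how often each source hit a port, ignores non-TCP hits and a port that merely starts with the same digits (1390 is not 139), and exposes the pieces as functions you can point at /var/log/log* on a real box.

```shell
#!/bin/sh
# Added example, not the original Freesco "probes" script.
# ASSUMPTION: firewall log lines contain "TCP <src>:<sport> <dst>:<dport> ",
# as in the kernel 2.0 ipfwadm log format the original script depends on.

# Constructed sample log: two TCP hits on 139 from one host, one hit on 12345,
# a UDP packet to 139 (must be ignored), and a TCP hit on 1390 (must not be
# mistaken for 139).
SAMPLE_LOG='Jan  1 00:00:01 router kernel: IP fw-in deny eth1 TCP 203.0.113.5:4312 198.51.100.2:139 L=48 S=0x00 I=1 F=0x0000 T=112
Jan  1 00:00:02 router kernel: IP fw-in deny eth1 TCP 203.0.113.5:4313 198.51.100.2:139 L=48 S=0x00 I=2 F=0x0000 T=112
Jan  1 00:00:03 router kernel: IP fw-in deny eth1 TCP 192.0.2.77:1025 198.51.100.2:12345 L=48 S=0x00 I=3 F=0x0000 T=64
Jan  1 00:00:04 router kernel: IP fw-in deny eth1 UDP 192.0.2.77:1025 198.51.100.2:139 L=48 S=0x00 I=4 F=0x0000 T=64
Jan  1 00:00:05 router kernel: IP fw-in deny eth1 TCP 198.18.0.9:40000 198.51.100.2:1390 L=48 S=0x00 I=5 F=0x0000 T=50'

# probes_for_port PORT ROUTER_IP: read log lines on stdin, print the source
# address of every TCP packet whose destination was ROUTER_IP:PORT, one per line.
# The leading space and trailing space around "$ip:$port" make the match exact.
probes_for_port() {
    port=$1
    ip=$2
    sed -n "/TCP .* $ip:$port /{s/.*TCP //;s/:.*//;p;}"
}

# probe_summary PORT ROUTER_IP: one "<count> <source ip>" line per distinct
# source, busiest first.
probe_summary() {
    probes_for_port "$1" "$2" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# report ROUTER_IP LOGFILE...: the original script's port list, summarised.
# On a Freesco box:  report "$IP" /var/log/log*
report() {
    ip=$1
    shift
    for port in 139 1080 5631 5632 5800 5900 8080 12345 27374 54320; do
        echo "port $port:"
        cat "$@" | probe_summary "$port" "$ip"
    done
}

# Stand-alone demo over the constructed lines.
for p in 139 12345 5900; do
    echo "port $p:"
    printf '%s\n' "$SAMPLE_LOG" | probe_summary "$p" 198.51.100.2
done
```

Running the demo prints "2 203.0.113.5" under port 139 and "1 192.0.2.77" under port 12345; port 5900 prints nothing. The UDP line and the port 1390 line are dropped because the sed address requires both "TCP " and an exact " ip:port " field.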