1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Vecna Scan ??

Discussion in 'Computer Security' started by derkit, Dec 2, 2007.

  1. derkit

    derkit Gigabyte Poster

    For the past few weeks I've been getting this:

    in the security logs of my belkin router/adsl modem where the IP 192.168.x.x is of this computer I'm typing on now.

    the port number its coming from varies on my computer and the IP it goes to is different - everything from Bloomberg domain, to yahoo.com, to who knows what!

    After trawling the internet it seems to be some sort of stealth port scanner which seems to be coming from inside my network? I've run 3 spyware and 2 antivirus programs, including free ones like AVG and they all come up clean.
    I've port scanned my computers and they are all tied down tightly.
    Does anyone have a clue with this??

    I can post more of the log if needed
    Certifications: MBCS, BSc(Hons), Cert(Maths), A+, Net+, MCDST, ITIL-F v3, MCSA
    WIP: 70-293
  2. onoski

    onoski Terabyte Poster


    Judging from all the above you've carried out there is nothing to worry about as long as you keep your OS patched and updated. It's normal for your computer to be scanned by other computers, usually "zombies". It's just hacker programs on compromised computers doing random scans so that they copy themselves to vulnerable computers. If your router has a firewall, you don't have to worry about it.
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  3. Theprof

    Theprof Petabyte Poster Forum Leader

    I know you did you online virus scan with AVG, but I would recommend doing the online scan with Kaspersky. Reason being is because before I was infected with a virus that my antivirus could not detect. The AV that I used at the time was AVG. I then took of avg and installed mcafee, and same thing, tried pc cillin, same thing. Then a friend recommended me doing the online kaspersky test and voila it found the virus I had, once I new the name it was easy to find a way to delete it.
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
  4. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    In this case the traffic is originating from the LAN though which may be a concern.

    You say you have port scanned your PCs however the traffic seems to be originating from a PC so you need to look at traffic going in that direction. Do you have a software firewall on your PC?
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  5. zebulebu

    zebulebu Terabyte Poster

    Sparky is right - since the traffic originates from INSIDE your network you should be slightly more concerned than if it were just portscans bouncing off the outside interface of your firewall. I can't count the number of organisations I've worked/consulted for that wondered why their network was rinsed, trotting out the old refrain: "But our Firewall blocks everything inbound!" (not much good if you allow all your internal PCs free reign to access any old box on tEh iNteRnEtz on any port it chooses! All that said, I think its probably a false positive - 'Vecna Scan' probably refers to some P2P application running on your LAN - Soulseek or a torrent client most likely - with the router not able to cope with or understand the connections that are being made/attempted by that app. 'Vecna' was, I believe, a poster on the NMap list a few years back who devised some stealth scanning techniques that were subsequently added to NMap's scanning methodologies in a later build (though I could be wrong on that). They don't work properly on Windows systems because M$ trashed the TCP/IP stack when they implemented it for their OS.

    PM me the logfiles and I'll take a look - if you have them as syslogs that would be better than the (no doubt) shitty ones that are presented by your Router/FW. If you REALLY want to be anal, you could fire up Wireshark and leave it running overnight.
    Certifications: A few
    WIP: None - f*** 'em
  6. derkit

    derkit Gigabyte Poster

    Thanks for the thoughts so far guys - to update:
    tried Kasperspy but it stops downloading the new updates at 93% - perhaps some website trouble

    I normally don't run a software firewall, but remembering ZoneAlarm I installed the trial - and it looks by blocking services.exe from accessing the internet, stops all these errors.
    Certifications: MBCS, BSc(Hons), Cert(Maths), A+, Net+, MCDST, ITIL-F v3, MCSA
    WIP: 70-293
  7. derkit

    derkit Gigabyte Poster

    well, zonealarm was worth its weight in gold - not only did it stop the outflow of data - hurrah - but also helped me identify what the problem was.

    A bit of research later - xpdx.sys - some trojan. No idea where it came from, but glad it went.
    For future reference used ComboFix to solve it.
    Certifications: MBCS, BSc(Hons), Cert(Maths), A+, Net+, MCDST, ITIL-F v3, MCSA
    WIP: 70-293

Share This Page