Port scans
Ok, here is a question for everyone:
I am on cable Internet and getting flooded by tcp/ip port scans, which are being logged by Zonealarm.
How can I check the originating ip? If it is a valid ip scan, fine, but I'd like to be able to identify the ones that are not valid, and maybe scan 'em back or something!
You can run tracert on the IP address or just download NeoTrace to trace where the packets are coming from.
sockmonkey
08-07-01, 05:11 AM
FYI, if you're on @home it's probably because of something with their network and Sircam or Code Red or whatever that's causing it to ping everyone. It's been happening to mine too and the IPs are from similar IPs as mine, so it'll get cleared up eventually.
UPDATE:
Scans still going strong: over 500 yesterday, and same so far today! The log fills up at 500, so it could be 1000's!
I actually took the time to check 100 of the ips I was scanned from and found sites on about 15%.
It does look like virus propagation: some of the websites came up as the default pages for IIS and PWS (the ones that stay until you publish a real site!), others came up as simple little sites with no links, and the best were the Syrian Education Network (!!!!!!!!!)
and one that might not be a virus: FastI.net email list.
I wonder if that one is looking for open smtp relays for spam?
JuDgE_DrEaD
08-07-01, 02:40 PM
My firewall has been getting hit with these constantly. I use Norton Personal Firewall and I've logged about 800 scans from different IPs for the past few days. Usually more and more scans seem to appear whenever I go on mIRC. This morning the scans stopped. I also get about 20-50 SubSeven attacks per day, sometimes 100+ every few minutes. By the way, I also use @home!
From what I hear, @home's IP addressing scheme is readily available and most virus writers program their viruses to scan for open ports on @home users' machines. They are high bandwidth and usually left on all the time, so they are perfect targets for DoS zombies.
Frost Byte
08-10-01, 02:20 PM
Go to arin.net to check the origin of the IP address... we get port scans from lots of places... usually ISPs.
It's that Code Red virus.
It's also doing it to me.
Frost Byte
08-10-01, 02:38 PM
I forgot about that... that's all it is... it ain't no thang... well, unless you are hosting web stuff and running NT or 2K :)
Originally posted by Frost Byte
I forgot about that... that's all it is... it ain't no thang... well, unless you are hosting web stuff and running NT or 2K :)
Running 2K on my webserver (IIS) and nt 4.0 on the other pc!
But all patches are in and they look clean.
I was getting around 1500 scans a day most of last week; down to around 1000 now. Maybe it's getting cleaned out?
I don't claim to be a pc supergenius, but I wish people would take just a bit of time to check up on stuff like this and see if their machines are vulnerable!
A bunch of the ip's I checked look like they belong to home users or small businesses that don't use IIS but let it install during the os installation!
netnic30
08-19-01, 11:10 PM
Another thing that most new 2000 users may not realize is that a web server is installed by "default" even on a workstation. This only used to be true if installing Server. Both Professional and Server are equally at risk. Service Pack 2 for Windows should be installed via Windows Update, and http://www.microsoft.com/security has the latest on Code Red and IIS updates.
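Added example (not from any poster in this thread): several replies observe that the scanning addresses resemble the victim's own and point to Code Red, SubSeven and SMTP relay probes. This Python sketch tallies firewall log hits by how close the source is to your own address and by destination port. The log layout, the addresses and the function names `proximity` and `summarize` are assumptions made for the example, not ZoneAlarm's or Norton's real export format.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample log (simplified CSV: time, source IP, destination port).
# Addresses are private/documentation ranges, not taken from the thread.
SAMPLE_LOG = """\
2001-08-07 05:01:10,10.20.7.15,80
2001-08-07 05:01:12,10.20.7.15,80
2001-08-07 05:02:40,10.20.113.9,80
2001-08-07 05:03:05,10.99.4.2,80
2001-08-07 05:04:31,192.0.2.77,27374
2001-08-07 05:05:00,198.51.100.23,25
2001-08-07 05:05:09,not-an-ip,80
"""

def proximity(src, local):
    """Classify how close a source address is to our own address."""
    if src in ipaddress.ip_network(f"{local}/16", strict=False):
        return "same /16"
    if src in ipaddress.ip_network(f"{local}/8", strict=False):
        return "same /8"
    return "elsewhere"

def summarize(log_text, local_ip):
    """Return (hits per proximity bucket, hits per port, distinct sources, skipped lines)."""
    local = ipaddress.ip_address(local_ip)
    by_proximity, by_port, sources, skipped = Counter(), Counter(), set(), 0
    for row in csv.reader(io.StringIO(log_text)):
        try:
            _, src_text, port_text = row
            src = ipaddress.ip_address(src_text.strip())
            port = int(port_text)
        except ValueError:  # wrong column count, bad address, or bad port
            skipped += 1
            continue
        by_proximity[proximity(src, local)] += 1
        by_port[port] += 1  # 80 = web server, 25 = SMTP, 27374 = SubSeven default
        sources.add(src)
    return by_proximity, by_port, sources, skipped

if __name__ == "__main__":
    prox, ports, sources, skipped = summarize(SAMPLE_LOG, "10.20.30.40")
    print("distinct sources:", len(sources), "| skipped lines:", skipped)
    for label, hits in prox.most_common():
        print(f"{label:10} {hits}")
    for port, hits in ports.most_common():
        print(f"port {port:<6} {hits}")
```

A log dominated by port 80 hits from the same /16 or /8 fits the worm-propagation explanation given in the replies; the remaining sources are the ones worth a whois lookup at arin.net.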