WhatsUp Gold - Black Ice port scan
Product: Version: Platform:
WhatsUp Gold 3.5+ All

Question/Problem: WhatsUp Port Scan.

Answer/Solution: What is WhatsUp and what is it doing?
WhatsUp and WhatsUp Gold are network monitoring tools designed to monitor devices (PC's, servers, routers and other hardware) and services (web servers, email servers, ftp servers and other services) on your own network. One of the built-in utilities is a scan utility. The scan utility allows you to scan a group of computers (specified as a range of IP addresses) and check a range of TCP Ports. The intended function of the scan is to allow users to quickly add a series of computers to their network map. WhatsUp only checks to make sure the computer is running and that the selected services are available or responding. WhatsUp cannot login or break in to those computers or services.

Is it Malicious?
Chances are this is not malicious. Someone may have mistakenly included your computer in their scan. However, it is possible that someone is trying to determine what ports or services are answering on your computer or they are attempting to detect what computers are running a specific service. Even in this case WhatsUp is only able to determine that a particular port is accepting a TCP connection it cannot actually login to that port.

What Can I do?
If you are scanned multiple times from the same source you should contact the owner of the IP address as they ultimately have control over their users. You can also let your ISP know of the attack but they have very little control over users of another ISP.

In most cases there will be a specific email address to send abuse notifications to. If there is an abuse notification email address please use this one as the message will probably be ignored if sent to the wrong email address.

If you need to track the owner of an IP address you can perform a WhoIs search at ARIN:

http://www.arin.net/whois/index.html

If you know the domain name and want to find the appropriate abuse contact information you can use the Network Abuse Clearinghouse:

http://www.abuse.net/

This search will not directly give you contact information for the domain, but it will give you the "whois" server to contact for detailed information. You should see a line in the returned information that says "Whois Server:". If you use a browser to go to that domain they will most likely have a web based "whois" (domain lookup) search, if not you may have to use a "whois" tool to access the information in the database.

If you are using Black Ice here is an advICE article on reporting abuse:

http://www.networkice.com/advice/Support/KB/q000016/default.htm

Document #:   Revision Date:
WG-20000616-DM01   06/14/04

Return To KnowledgeBase Search Page