Hi all, we run a webserver here that has over 1000 webhosts. we have about 30 users with telnet access and all of our customers have cgi access.
now, we have received a report of someone using our webserver to port scan another machine starting on port 4000 and decreasing one port at a time.. how on earth could i start to look for something like this? it could have been done through the web or through a users telnet session, and been done with a file named anything... anyone have any ideas how to chase something like this down? Regards, Marc-Adrian Napoli Connect Infobahn Australia +61 2 92811750
