Detecting Intrusion Attempts by Hackers

InternetPeriscope allows you to detect Intrusion Attempts by Hackers. A Hacker may run a port scan against your machine, or may try to connect to a particular port as part of a scan of many machines. The hacker does this in order to find vulnerabilities in your machine. InternetPeriscope allows you to detect these and other Hacker activities to safeguard your machines.

To detect Hacker probes of your machines, click on the "Hosts" menu, move your mouse over the "This Host" submenu, and click on "Detect Hacker Probes (Port Scans)" as shown in the Figure below.
Hosts menu

The "Detect Hacker Probes" dialog box will appear.
Detect Hacker Probes

Click on the "Enable Port Scan Detection" checkbox to enable Port Scans.
Enable Port Scan Detection

There are two listboxes that list the TCP Ports and UDP Ports that InternetPeriscope will "watch" for hacker activity on.

TCP stands for "Transmission Control Protocol". UDP stands for "User Datagram Protocol". When a programmer writes a new Internet Service, she may use either or both of these Layer 4 protocols to implement the new service. Each Internet service is assigned a port number. A program wishing to connect to this service can connect to that port number using the correct protocol (TCP or UDP).

For example, your mail program connects to TCP Port 25 on your mail server when it wishes to send mail. Port 25 is the well-known port for SMTP (mail) servers. Your mail program connects to TCP Port 110 on your mail server when it wishes to check your mail, as port 110 is the well known port for a POP Server.

Similarly, when you "surf" the web, you are connecting to port 80 on various machines. If you went to in your web browser, your browser software would be connecting to TCP port 80 on Microsoft's web server.

There are two listboxes shown in the "Detect Hacker Probes" dialog box. One is labeled "Detect Scans on these TCP Ports". This listbox lists the TCP Ports that InternetPeriscope will "listen to" for hacker probes. The other listbox lists the UDP ports that InternetPeriscope will listen for unwanted activity on.

InternetPeriscope can only listen on Ports that your machine is not already using. For example, if the machine you are running InternetPeriscope on is running a Web Server, you will not be able to have InternetPeriscope monitor port 80 on that machine. InternetPeriscope will display an error message if you try to do this. For a list of ports that your machine is already using, see "Finding out what Internet (TCP/IP) Services your remote host is running".

Note that the default list of Ports that InternetPeriscope monitors includes a number of Hacker software programs, like "BackOrifice". It is strongly recommended that you monitor as many services as possible. See Finding out what an Internet Service does (TCP/IP Ports and Descriptions) for descriptions of the different ports that you may wish to monitor.

You can add and remove ports from the "monitored" lists by using the Add and Remove buttons on the right side of the dialog box. In the figure below, the user is adding TCP Port 80 to the list by entering the number "80" into the text box, and clicking on the "Add TCP Port" button. She knows that the only people likely to make a connection to a web server on her machine are hackers searching for vulnerable web servers.
Add and Remove Ports

In the figure below, the user is removing the tftp port from the UDP list of monitored ports. She is doing this because she is running a TFTP server on the machine that she is running InternetPeriscope on. She cannot have InternetPeriscope monitor port 69, AND run a tftp server, as the two programs will interfere with each other. When she tried to setup UDP port 69 for monitoring, InternetPeriscope displayed an error, telling her that this port was already in use. For a list of ports that your machine is already using, see Finding out what Internet (TCP/IP) Services your remote host is running". Note that if you enable Port Scan detection, a port scan of this machine will also display the ports that InternetPeriscope is monitoring.
remove tftp port

After you have enabled Port Scan Detection, click on the OK button. If you have selected any ports that are already in use by your machine, you will see an error message similar to the following:
Enabled Port Scan Detection

In this case, the user needs to go back to the "Detect Hacker Probes" dialog box, and remove UDP port 135, by clicking on Port 135 in the UDP listbox, and then clicking on the "Remove UDP Port" button.

When a hacker attempts to probe your machine, you will see a message similar to the following:
Hacker Attempt Message

See How to contact the Hacker's ISP for information on what to do when a hacker probe is detected.

InternetPeriscope also allows you to view a history of intrusion attempts.