[OPLINTECH] Port Scans from Domain Controllers

Chad Neeper CNeeper@nrg92.com
Thu, 21 Apr 2005 13:04:48 -0400


Chad,

If they are malicious scans, those are odd ports to be scanning for, even if it's scanning for trojans/worms. The NoBackO trojan listens on 1201 UDP (and 1200 UDP), but I can't find anything that listens on the other ports you mention. What were the originating port numbers? If they are all the same, it is possible that these are actually blocked _responses_ back to your workstation from the domain controllers. Outbound connections from your workstation would have been random in the 1024+ range. Does your firewall report flags? Late FIN packets can occasionally be blocked by personal firewalls.

Chad
---------------------
Chad Neeper
Senior Systems Engineer
Network Response Group
614-481-9400

--  Full LAN/WAN consulting services specialized in libraries and schools  --


>>> chadsalamon@neo.rr.com 04/21/05 10:25AM >>>
I have Sygate firewall installed on my machine and I noticed this morning that I was being port scanned from both domain controllers (windows 2000) on our network. Both domain controllers initiated a port scan almost simultaneously. They scanned UDP ports 1179, 1191, 1201, and 1215. I've never seen traffic like this coming from the domain controllers. Does this sound like something innocent -- or do we have a problem? I will continue researching this, but any ideas or suggestions would be greatly appreciated.
-- 
Chad Salamon
Library Systems Administrator
Stow-Monroe Falls Public Library
330-688-3295
csalamon@oplin.org
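The reply above suggests a concrete triage step: look at the originating (remote) port of each blocked packet and at whether the local ports hit are in the workstation's ephemeral range. The script below is an added example, not code from either poster or from Sygate; it applies that heuristic to a constructed firewall log in an assumed generic "action proto src -> dst [flags]" layout (not Sygate's real log syntax). Hosts whose blocked packets all come from one fixed source port and land on local ports 1024+ are flagged as probable blocked replies to traffic the workstation itself started (or, for TCP with FIN set, as late FINs from an already-closed session); hosts whose source ports vary and whose packets target service ports are flagged as a possible scan.

```python
"""Triage blocked inbound packets: scan, or late responses to our own traffic?

Heuristic from the mailing-list reply: if every blocked packet from a host
carries the same originating (remote) port and the local destination ports
all fall in the ephemeral range (1024+), the traffic is more consistent with
blocked reply packets to connections the workstation opened than with a scan.
"""
import re
from collections import defaultdict

EPHEMERAL_MIN = 1024  # Windows 2000 era dynamic port range starts at 1024

# Constructed sample log (assumed generic layout, not Sygate's real format).
# 10.0.0.77 is the workstation; 10.0.0.10 / 10.0.0.11 play the domain controllers.
SAMPLE_LOG = """\
2005-04-21 09:58:01 BLOCK UDP 10.0.0.10:389 -> 10.0.0.77:1179
2005-04-21 09:58:01 BLOCK UDP 10.0.0.10:389 -> 10.0.0.77:1191
2005-04-21 09:58:02 BLOCK UDP 10.0.0.10:389 -> 10.0.0.77:1201
2005-04-21 09:58:02 BLOCK UDP 10.0.0.10:389 -> 10.0.0.77:1215
2005-04-21 10:02:10 BLOCK UDP 10.0.0.99:40111 -> 10.0.0.77:137
2005-04-21 10:02:10 BLOCK UDP 10.0.0.99:40112 -> 10.0.0.77:138
2005-04-21 10:02:11 BLOCK UDP 10.0.0.99:40113 -> 10.0.0.77:445
2005-04-21 10:05:30 BLOCK TCP 10.0.0.11:445 -> 10.0.0.77:1300 FIN,ACK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<rip>[\d.]+):(?P<rport>\d+) -> (?P<lip>[\d.]+):(?P<lport>\d+)"
    r"(?: (?P<flags>[A-Z,]+))?$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["rport"] = int(d["rport"])
        d["lport"] = int(d["lport"])
        d["flags"] = set(d["flags"].split(",")) if d["flags"] else set()
        entries.append(d)
    return entries


def classify(entries):
    """Return {remote_ip: verdict} for all BLOCKed inbound packets."""
    by_host = defaultdict(list)
    for e in entries:
        if e["action"] == "BLOCK":
            by_host[e["rip"]].append(e)

    verdicts = {}
    for rip, pkts in by_host.items():
        remote_ports = {p["rport"] for p in pkts}
        single_src = len(remote_ports) == 1            # one fixed originating port
        all_ephemeral = all(p["lport"] >= EPHEMERAL_MIN for p in pkts)
        tcp = [p for p in pkts if p["proto"] == "TCP"]
        late_fin = bool(tcp) and all(
            "FIN" in p["flags"] and "SYN" not in p["flags"] for p in tcp
        )

        if single_src and all_ephemeral and late_fin:
            # Service port -> our old ephemeral port, FIN without SYN: session teardown
            # arriving after the local state table already forgot the connection.
            verdicts[rip] = "late-fin-after-closed-session"
        elif single_src and all_ephemeral:
            # Fixed service port replying into our dynamic range: blocked responses.
            verdicts[rip] = "likely-blocked-responses"
        else:
            # Varying source ports and/or hits on well-known service ports.
            verdicts[rip] = "possible-scan"
    return verdicts


def triage(text):
    """Convenience wrapper: parse then classify."""
    return classify(parse_log(text))


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host:<12} {verdict}")
```

In the constructed log the four UDP packets from 10.0.0.10 all originate from port 389 and land on 1179, 1191, 1201 and 1215, so they are reported as likely blocked responses; the packets from 10.0.0.99 come from changing high ports and target 137, 138 and 445, so they are reported as a possible scan. The verdicts are only a starting point: the next step for the "likely-blocked-responses" case is to correlate the timestamps with the workstation's own outbound connections to that host.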