[OPLINTECH] Port Scans from Domain Controllers
Chad Salamon
csalamon@oplin.org
Thu, 21 Apr 2005 13:55:30 -0400
Some updates. One suspicious entry in the perimeter firewall --
Apr 21 10:52:32 156.63.130.100 66.213.124.203 UDP : 1105 ACCEPT
That IP is a State of Ohio IP, and I don't know what could possibly run
on udp 1105. I have no idea if this is related. Also, is there a reason
why I can't stop the Terminal Services service? All buttons were grayed
out on the service, and it was started. I was able to disable it, but
that won't actually take effect until after a restart. It just looked
suspicious.
Chad Salamon
Library Systems Administrator
Stow-Monroe Falls Public Library
330-688-3295
csalamon@oplin.org
Chad Salamon wrote:
> I have Sygate firewall installed on my machine and I noticed this
> morning that I was being port scanned from both domain controllers
> (windows 2000) on our network. Both domain controllers initiated a
> port scan almost simultaneously. They scanned UDP ports 1179, 1191,
> 1201, and 1215. I've never seen traffic like this coming from the
> domain controllers. Does this sound like something innocent -- or do
> we have a problem? I will continue researching this, but any ideas or
> suggestions would be greatly appreciated.
> --
> Chad Salamon
> Library Systems Administrator
> Stow-Monroe Falls Public Library
> 330-688-3295
> csalamon@oplin.org