[OPLINTECH] Port Scans from Domain Controllers
Mann, James H.
JMann at gcpl.lib.oh.us
Thu Apr 21 15:36:46 EDT 2005
Chad
It is possible that you have a Trojan or worm that is port scanning.
1215 is pretty widely used. This may help:
http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html
You should also ask the help desk to put a monitor on your system.
Jim Mann
Technology Coordinator
Greene County Public Library
Xenia Ohio 45385
(937) 376-2996 x210
mailto: jmann at gcpl.lib.oh.us
_____
From: oplintech-admin at oplin.org [mailto:oplintech-admin at oplin.org] On
Behalf Of Chad Salamon
Sent: Thursday, April 21, 2005 1:56 PM
Cc: oplintech at oplin.org
Subject: Re: [OPLINTECH] Port Scans from Domain Controllers
Some updates. One suspicious entry in the perimeter firewall --
Apr 21 10:52:32 156.63.130.100 66.213.124.203
UDP : 1105 ACCEPT
That IP is a State of Ohio IP, and I don't know what could possibly run
on UDP 1105. I have no idea if this is related. Also, is there a reason
why I can't stop the Terminal Services service? All buttons were grayed
out on the service, and it was started. I was able to disable it, but
that won't actually take effect until after a restart. It just looked
suspicious.
Chad Salamon
Library Systems Administrator
Stow-Monroe Falls Public Library
330-688-3295
csalamon at oplin.org
Chad Salamon wrote:
I have Sygate firewall installed on my machine and I noticed this
morning that I was being port scanned from both domain controllers
(Windows 2000) on our network. Both domain controllers initiated a port
scan almost simultaneously. They scanned UDP ports 1179, 1191, 1201,
and 1215. I've never seen traffic like this coming from the domain
controllers. Does this sound like something innocent -- or do we have a
problem? I will continue researching this, but any ideas or suggestions
would be greatly appreciated.
--
Chad Salamon
Library Systems Administrator
Stow-Monroe Falls Public Library
330-688-3295
csalamon at oplin.org