[OPLINTECH] Port Scans from Domain Controllers

Chad Salamon csalamon at oplin.org
Wed Apr 27 14:18:55 EDT 2005


I couldn't find the source for the previous scans, because that log 
fills up and overwrites so quickly. I did see some new scans just a few 
minutes ago. The source appears to be UDP port 389 -- which from my 
research is associated with LDAP. I've attached an Excel doc with the 
firewall logs for that period. I'm rebuilding the servers anyway, just 
as a precaution (they needed it anyway), but I still want to know 
what exactly happened. Thanks.
Chad Salamon
Library Systems Administrator
Stow-Monroe Falls Public Library
330-688-3295
csalamon at oplin.org


Chad Neeper wrote:

>Chad,
>
>If they are malicious scans, those are odd ports to be scanning for, even if it's scanning for trojans/worms. The NoBackO trojan listens on 1201 UDP (and 1200 UDP), but I can't find anything that listens on the other ports you mention.  What were the originating port numbers? If they are all the same, it is possible that these are actually blocked _responses_ back to your workstation from the domain controllers. Outbound connections from your workstation would have been random in the 1024+ range. Does your firewall report flags? Late FIN packets can occasionally be blocked by personal firewalls.
>
>Chad
>
>---------------------
>Chad Neeper
>Senior Systems Engineer
>Network Response Group
>614-481-9400
>
>--  Full LAN/WAN consulting services specialized in libraries and schools  --
>
>
>>>> chadsalamon at neo.rr.com 04/21/05 10:25AM >>>
>
>I have the Sygate firewall installed on my machine and I noticed this 
>morning that I was being port scanned from both domain controllers 
>(Windows 2000) on our network. Both domain controllers initiated a port 
>scan almost simultaneously. They scanned UDP ports 1179, 1191, 1201, 
>and 1215. I've never seen traffic like this coming from the domain 
>controllers. Does this sound like something innocent -- or do we have a 
>problem? I will continue researching this, but any ideas or suggestions 
>would be greatly appreciated.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sygatelog.xls
Type: application/vnd.ms-excel
Size: 22016 bytes
Desc: not available
URL: <http://lists.oplin.org/pipermail/oplintech/attachments/20050427/ffdf3495/attachment.xls>
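The check Chad Neeper proposes (are the "scans" really blocked replies from a fixed service port back to the workstation's own ephemeral ports?) can be run over the firewall log rather than read by eye. The script below is an added example, not code from the thread or from Sygate: the log lines are constructed to resemble the traffic described (UDP source port 389 from two domain controllers to ports 1179, 1191, 1201 and 1215), the tab-separated field layout, the IP addresses and the service-port table are assumptions, and the real sygatelog.xls is not reproduced. It relies on two facts that are independent of this thread: UDP 389 is LDAP (Windows domain members use connectionless LDAP on that port for the DC locator "LDAP ping"), and Windows 2000/XP clients allocate outbound ephemeral ports from 1025 to 5000.

```python
"""Triage 'port scans' seen by a host firewall: are they really scans,
or blocked replies to the workstation's own outbound UDP queries?

Added example, not part of the original thread. The log lines below are
constructed; field layout, addresses and the service-port table are
assumptions, not the format of sygatelog.xls.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# UDP service ports a Windows domain member commonly talks to on a DC.
# A packet whose *source* is one of these and whose destination is an
# ephemeral port is most likely a reply to our own query, not a probe.
SERVICE_PORTS = {
    53: "DNS",
    88: "Kerberos",
    123: "NTP",
    137: "NetBIOS-NS",
    389: "LDAP/CLDAP (DC locator ping)",
    464: "kpasswd",
}

# Windows 2000/XP clients allocate outbound ephemeral ports from 1025-5000.
EPHEMERAL = range(1025, 5001)


@dataclass
class Record:
    time: str
    action: str      # "Blocked" or "Allowed"
    direction: str   # "Incoming" or "Outgoing"
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_line(line):
    """Parse one constructed, tab-separated log line into a Record."""
    t, action, direction, proto, src, dst = line.rstrip("\n").split("\t")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Record(t, action, direction, proto.upper(),
                  sip, int(sport), dip, int(dport))


def classify(rec):
    """('reply', service) when the packet looks like a late reply to our own
    query; ('probe', None) when it looks unsolicited; ('outbound', None)
    for traffic we originated."""
    if rec.direction != "Incoming":
        return ("outbound", None)
    svc = SERVICE_PORTS.get(rec.src_port)
    if rec.proto == "UDP" and svc and rec.dst_port in EPHEMERAL:
        return ("reply", svc)
    return ("probe", None)


def triage(lines):
    """Classify every record and apply Neeper's test: a scanner varies the
    destination port and uses random source ports, whereas replies from a
    service keep one constant source port per sending host."""
    records = [parse_line(l) for l in lines
               if l.strip() and not l.startswith("#")]
    verdicts = Counter()
    src_ports_by_host = defaultdict(set)
    details = []
    for r in records:
        kind, svc = classify(r)
        verdicts[kind] += 1
        src_ports_by_host[r.src_ip].add(r.src_port)
        details.append((r.src_ip, r.src_port, r.dst_port, kind, svc))
    constant_source = {h: len(p) == 1 for h, p in src_ports_by_host.items()}
    return {"verdicts": dict(verdicts),
            "constant_source": constant_source,
            "details": details}


# Constructed sample: two DCs replying from UDP 389 to four high ports,
# plus one genuinely unsolicited packet from an outside host.
SAMPLE_LOG = """\
# constructed sample (time, action, direction, proto, src, dst)
2005-04-27 14:02:11\tBlocked\tIncoming\tUDP\t10.1.1.10:389\t10.1.1.57:1179
2005-04-27 14:02:11\tBlocked\tIncoming\tUDP\t10.1.1.11:389\t10.1.1.57:1191
2005-04-27 14:02:12\tBlocked\tIncoming\tUDP\t10.1.1.10:389\t10.1.1.57:1201
2005-04-27 14:02:12\tBlocked\tIncoming\tUDP\t10.1.1.11:389\t10.1.1.57:1215
2005-04-27 14:03:40\tBlocked\tIncoming\tUDP\t192.0.2.99:40021\t10.1.1.57:1201
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for d in result["details"]:
        print(d)
    print(result["verdicts"], result["constant_source"])
```

The "reply" verdict is a hypothesis to confirm, not a conclusion: the confirming evidence is an "Outgoing" record from the workstation to the same DC on UDP 389 moments before each blocked "Incoming" packet, which shows the firewall dropped a late or unexpected CLDAP response rather than a probe. The last sample line shows the contrasting case: a packet to 1201 from a random high source port, with no matching service, stays a probe candidate.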

