Re: Malicious port scanning or standard Active Directory/Exchange Server behavior

From: Joergen Bech (jbech_at_post1.tele.dk)
Date: 11/26/04


Date: Fri, 26 Nov 2004 16:13:30 +0100


Um ... ok. But why then would it be one port for several hours,
then another one for half a day, etc. rather than seeing them
mixed more randomly?

And shouldn't the source port(s) stay the same, rather than
going through the 30000-65000 range?

The machine in question is an MS Exchange Server, serving
clients in several countries.

TIA,

Joergen Bech

On Fri, 26 Nov 2004 15:37:37 +0100, Florian Roth
<Florian.Roth@email.de> wrote:

>
>right - it quite seems "normal".
>
>to Port 1084 i found this software, which uses it
>http://www.anasoft.co.uk/
>
>to Port 1109 i found that it is used by Kerberos IV POP3
>http://www.mail-archive.com/c-client@u.washington.edu/msg01306.html
>http://www.pac-its.psu.edu/windows/email/kpop.htm
>
>Nothing to fear ;-)
>
>
>
>
>
>Joergen Bech schrieb:
>> From my Windows XP SP2 personal firewall log (source and destination
>> addresses replaced with sss and ddd in this post).
>>
>> This activity is taking place from within a corporate firewall, though
>> the source machine is not under my control so I am not in any position
>> to check it for security patches or vira.
>>
>> I have reported the problem, but was told that this is normal
>> AD/DNS/Exchange Server activity and nothing to be concerned about.
>>
>> We have been having some problems with "sdbot" worm attacks recently,
>> so I am trying to get a second opinion. This is the only machine
>> generating this kind of activity.
>>
>> The source port is usually anything from 30000 to 65000. Destination
>> port can be 1065, 1071, 1084, 1109, etc.
>>
>> Anyone here who recognizes this traffic pattern and perhaps can direct
>> me to some resources where I can learn more about this?
>>
>> TIA,
>>
>> Joergen Bech
>>
>> ---snip---
>> 2004-11-25 13:25:48 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 43207 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:26:49 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 43388 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:27:50 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 43568 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:28:51 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 43773 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:29:52 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 43976 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:30:53 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 44290 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:31:54 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 44552 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:32:55 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 44764 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:33:56 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 44954 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:34:57 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 45170 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:35:58 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 45406 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:36:59 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 45558 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:38:00 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 45741 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:39:01 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 45886 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:40:02 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 46021 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:41:03 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 46201 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:42:04 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 46380 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:43:05 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 46546 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 13:44:06 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 46720 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 14:00:14 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 49863 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 14:00:22 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 49909 1084 36 - - - - - - - RECEIVE
>> 2004-11-25 15:54:42 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 5537 1084 36 - - - - - - - RECEIVE
>> 2004-11-26 10:37:20 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 15745 1109 36 - - - - - - - RECEIVE
>> 2004-11-26 10:37:39 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 15803 1109 36 - - - - - - - RECEIVE
>> 2004-11-26 12:01:32 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 32419 1109 36 - - - - - - - RECEIVE
>> 2004-11-26 12:38:08 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 40566 1109 36 - - - - - - - RECEIVE
>> 2004-11-26 12:52:05 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 42825 1109 36 - - - - - - - RECEIVE
>> 2004-11-26 12:52:52 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 42925 1109 36 - - - - - - - RECEIVE
>> 2004-11-26 13:56:39 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 53548 1109 36 - - - - - - - RECEIVE
>> 2004-11-26 14:05:37 DROP UDP <sss.sss.sss.sss> <ddd.ddd.ddd.ddd> 54933 1109 36 - - - - - - - RECEIVE
>>
>>
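The questions raised in this thread (one destination port held for hours, source ports climbing through the ephemeral range, roughly one drop per minute) can be answered from the firewall log itself rather than by eye. The script below is an added example and not code from any poster; it parses the Windows XP SP2 `pfirewall.log` record layout (the 17 columns named in that log's `#Fields:` header) and groups DROP records per source, destination, protocol and destination port, reporting the count, time span, source-port behaviour and median spacing of each group, then attaches a heuristic label per host pair. The sample records are constructed with placeholder addresses: the 10.0.0.5 entries mirror the pattern posted above, and the 192.0.2.9 entries are a constructed TCP SYN sweep for contrast. The thresholds in `classify` are assumptions, not rules from the thread.

```python
"""Group DROP records from a Windows XP SP2 firewall log (pfirewall.log) by
destination port and label each host pair as sweep-like or retry-like.
Added example, not code from the thread; all sample records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed sample log (placeholder addresses). Host 10.0.0.5 reproduces the
# posted pattern: one destination port for a long stretch, source ports that
# climb through the ephemeral range, about 61 s between packets.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-11-25 13:25:48 DROP UDP 10.0.0.5 10.0.0.7 43207 1084 36 - - - - - - - RECEIVE
2004-11-25 13:26:49 DROP UDP 10.0.0.5 10.0.0.7 43388 1084 36 - - - - - - - RECEIVE
2004-11-25 13:27:50 DROP UDP 10.0.0.5 10.0.0.7 43568 1084 36 - - - - - - - RECEIVE
2004-11-25 13:28:51 DROP UDP 10.0.0.5 10.0.0.7 43773 1084 36 - - - - - - - RECEIVE
2004-11-25 13:29:52 DROP UDP 10.0.0.5 10.0.0.7 43976 1084 36 - - - - - - - RECEIVE
2004-11-25 13:30:53 DROP UDP 10.0.0.5 10.0.0.7 44290 1084 36 - - - - - - - RECEIVE
2004-11-25 13:31:54 DROP UDP 10.0.0.5 10.0.0.7 44552 1084 36 - - - - - - - RECEIVE
2004-11-25 13:32:55 DROP UDP 10.0.0.5 10.0.0.7 44764 1084 36 - - - - - - - RECEIVE
2004-11-26 10:37:20 DROP UDP 10.0.0.5 10.0.0.7 15745 1109 36 - - - - - - - RECEIVE
2004-11-26 10:37:39 DROP UDP 10.0.0.5 10.0.0.7 15803 1109 36 - - - - - - - RECEIVE
2004-11-26 12:01:32 DROP UDP 10.0.0.5 10.0.0.7 32419 1109 36 - - - - - - - RECEIVE
"""
# Constructed contrast case: 192.0.2.9 sends one TCP SYN per second to twelve
# consecutive destination ports from a single, reused source port.
SAMPLE_LOG += "".join(
    "2004-11-26 09:00:%02d DROP TCP 192.0.2.9 10.0.0.7 1025 %d 48 S 12345 0 65535 - - - RECEIVE\n"
    % (i, 1000 + i) for i in range(12))


@dataclass
class Entry:
    ts: datetime
    action: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    size: int
    path: str


def parse_line(line):
    """Parse one record; return None for comment, blank or malformed lines."""
    f = line.split()
    if not f or f[0].startswith("#") or len(f) != 17:
        return None
    try:
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        return Entry(ts, f[2], f[3], f[4], f[5], int(f[6]), int(f[7]), int(f[8]), f[16])
    except ValueError:
        return None


def summarise(text):
    """Per (src, dst, proto, dport): count, time span, source-port behaviour, spacing."""
    groups = defaultdict(list)
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None and e.action == "DROP":
            groups[(e.src, e.dst, e.proto, e.dport)].append(e)
    report = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        sports = [e.sport for e in evs]
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(evs, evs[1:])]
        report[key] = {
            "count": len(evs),
            "first": evs[0].ts,
            "last": evs[-1].ts,
            "sport_range": (min(sports), max(sports)),
            # Strictly increasing source ports are what one host's ephemeral port
            # allocator hands out; a scanner typically reuses a fixed source port.
            "sport_increasing": all(a < b for a, b in zip(sports, sports[1:])),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return report


def classify(report, sweep_ports=10, sweep_window_s=300, min_repeats=5):
    """Heuristic label per (src, dst) pair; the thresholds are assumptions."""
    per_pair = defaultdict(list)
    for (src, dst, _proto, dport), s in report.items():
        per_pair[(src, dst)].append((dport, s))
    labels = {}
    for pair, ports in per_pair.items():
        first = min(s["first"] for _, s in ports)
        last = max(s["last"] for _, s in ports)
        span = (last - first).total_seconds()
        if len(ports) >= sweep_ports and span <= sweep_window_s:
            labels[pair] = "port sweep: %d destination ports in %.0f s" % (len(ports), span)
        elif any(s["count"] >= min_repeats for _, s in ports):
            labels[pair] = "repeated delivery to a fixed port: %d ports over %.1f h" % (len(ports), span / 3600)
        else:
            labels[pair] = "inconclusive"
    return labels


def analyse(text):
    report = summarise(text)
    return report, classify(report)


if __name__ == "__main__":
    rep, lab = analyse(SAMPLE_LOG)
    for key, s in sorted(rep.items()):
        print(key, s["count"], s["first"], s["last"], s["sport_range"],
              s["sport_increasing"], s["median_gap_s"])
    for pair, label in lab.items():
        print(pair, "->", label)
```

Run against a real `pfirewall.log` by replacing `SAMPLE_LOG` with the file's contents. On the constructed data the 10.0.0.5 group to port 1084 shows eight packets, strictly increasing source ports and a 61 s median gap, which is the signature the thread is asking about, while the 192.0.2.9 pair is labelled a sweep because it touches twelve ports in eleven seconds from one source port.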
