Re: Repeated logon attempts from different ports of same IP

From: Mark D. Meyer (MarkDMeyer_at_discussions.microsoft.com)
Date: 03/31/05


Date: Thu, 31 Mar 2005 09:43:04 -0800

Believe me, if you will tell me exactly what you want / need to know, I will
get it for you.

Let me see if I can make this as clear as possible.

I have the latest engine and DAT for McAfee VirusScan 8.0i, as well as for
Desktop Firewall, Windows XP Pro, AdAware, and SpyBot. I have no drives
mapped or printers. These two systems are only within the same subnet. On the
Windows XP Pro box, the system will (every 1/2 second) try to log on to the
NtLmSss on the Windows 2003 Server. It shows up in the Security Event Log on
the server as .....

Event 538 Logon/Logoff
680 Account Logon
576 Privilege Use
540 Logon/Logoff

Each time the 540 event is from the same PC, same IP, but different port. It
also moves up ports by 3 at a time, i.e. 2546, 2549, 2552 and so on.

In TCPView on the workstation, it will show the latest as listening and the
four to five instances as waiting.

If there is any other info that you think will help, by all means let me
know and thank you for your assistance so far....

Mark

"Dave" wrote:

> unfortunately you are only providing bits and pieces of information, not
> enough for anyone to really be able to figure out what your problem may be.
> we can't read your mind, only what you type into a message. if you want
> some specific answers try replying with some specifics to the last two sets
> of specific questions rather than just throwing in another disjointed piece
> of the puzzle.
>
> "Mark D. Meyer" <MarkDMeyer@discussions.microsoft.com> wrote in message
> news:86446BEE-EEAA-4AC8-ACA7-511AE12D3EF0@microsoft.com...
> > Something else I noticed today when I was using TCPView. It is always ending
> > with an epmap. Not one, but 5 usually...The ports just keep waiting...over
> > and over and over....
> >
> > "Dave" wrote:
> >
> > > what is showing you this activity? how do you know it's trying to 'logon'?
> > > have you put a sniffer on the net to see what the traffic really is? you
> > > know the ip it's coming from, what is that machine? what does netstat on
> > > that machine show it is doing?
> > >
> > > "Mark D. Meyer" <MarkDMeyer@discussions.microsoft.com> wrote in message
> > > news:B20C64FD-94F0-4BCB-B61D-A1D0DB3B165A@microsoft.com...
> > > > No it is not a domain environment, just a stand alone server.
> > > > It is always from the same ip trying to logon to the server at a different
> > > > port each time. ie....2546,2459,2462,2465 and so on. It will do it thousands
> > > > of times a day.
> > > > It appears to be the workstation.
> > > >
> > > > Thanks so far....:-)
> > > >
> > > > Mark
> > > >
> > > > "Roger Abell" wrote:
> > > >
> > > > > Backup here . . .
> > > > > You have a domain environment?
> > > > > The source port varies, but what is the target port?
> > > > > Is it the workstation, or some account when used on that workstation
> > > > > that is attempting login to the server? If it is a domain account, have
> > > > > you examined it, its login script, its startup items?
> > > > >
> > > > > --
> > > > > Roger
> > > > > "Mark D. Meyer" <MarkDMeyer@discussions.microsoft.com> wrote in message
> > > > > news:E7F49CAD-F115-4DC0-8DB7-D45743C8757A@microsoft.com...
> > > > > > Help !
> > > > > >
> > > > > > I have one workstation that is attempting to logon over and over at
> > > > > > different ports. It will try 2536, then .20 seconds later, 2539 and so on. I
> > > > > > have reloaded the XP Pro workstation from scratch and it reappeared
> > > > > > immediately. This will go on for thousands of times a day.
> > > > > >
> > > > > > I am running McAfee VirusScan Enterprise 8.0i, McAfee Desktop Firewall,
> > > > > > SpyBot Search & Destroy, and Ad Aware. None of them can detect anything. I
> > > > > > have my MS Windows 2003 Server locked down pretty tight, but really need to
> > > > > > know what is testing my security over and over. I checked with my ISP and
> > > > > > nothing out of the ordinary is going out over the internet either.
> > > > > >
> > > > > > Any help will be very appreciated. Sleep will come next.....
> > > > > >
> > > > > > Thanks...
> > > > > >
> > > > > > Mark
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >
>
>
>
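
Added example, not part of the original thread: one way to triage the pattern described above (event 540 from one IP, a new source port each time) by grouping network logons per source and measuring their interval and port step. The CSV layout, column names and addresses are assumptions constructed for illustration; only the ports 2546, 2549, 2552 and the event IDs come from the posts.

```python
import csv
import io
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in a hypothetical simplified CSV export of the server's
# Security log (columns are assumptions); addresses are documentation-range.
SAMPLE_EXPORT = """timestamp,event_id,source_ip,source_port
2005-03-31 09:40:00.000,540,192.0.2.10,2546
2005-03-31 09:40:00.020,576,,
2005-03-31 09:40:00.040,538,,
2005-03-31 09:40:00.500,540,192.0.2.10,2549
2005-03-31 09:40:01.000,540,192.0.2.10,2552
2005-03-31 09:40:01.480,680,,
2005-03-31 09:40:01.500,540,192.0.2.10,2555
2005-03-31 10:15:00.000,540,192.0.2.20,1100
2005-03-31 11:15:00.000,540,192.0.2.20,4312
"""

def summarize_network_logons(export_text, min_events=4, max_gap_s=2.0):
    """Group event 540 rows by source IP and describe their rhythm."""
    by_source = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] != "540" or not row["source_port"]:
            continue  # 538/576/680 rows carry no source port in this export
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S.%f")
        by_source[row["source_ip"]].append((ts, int(row["source_port"])))

    report = {}
    for ip, events in by_source.items():
        events.sort()
        pairs = list(zip(events, events[1:]))
        gaps = [(b[0] - a[0]).total_seconds() for a, b in pairs]
        steps = [b[1] - a[1] for a, b in pairs]
        median_gap = statistics.median(gaps) if gaps else None
        report[ip] = {
            "logons": len(events),
            "median_gap_s": median_gap,
            # A constant step suggests a fixed number of new sockets per
            # cycle (assumes the client hands out ephemeral ports in order).
            "common_port_step": Counter(steps).most_common(1)[0][0] if steps else None,
            # Many logons at a short, regular interval point to a program
            # or service retrying, not a person at the keyboard.
            "automated": len(events) >= min_events
            and median_gap is not None and median_gap <= max_gap_s,
        }
    return report

if __name__ == "__main__":
    for ip, summary in summarize_network_logons(SAMPLE_EXPORT).items():
        print(ip, summary)
```
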


