Yes, these are ports that are used for Microsoft Remote Procedure Call (135,
1025) and SQL Server (1433).  It's possible you have a few worms on your
network (I assume this is all internal traffic from the phrase "in the
middle of our intranet").  See also "SQL Slammer", "Nachi", and "MSBlast".

--Ashton Turpin

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Stala
Sent: Friday, December 10, 2004 2:11 PM
To: [EMAIL PROTECTED]
Subject: [SPAM] [FW-1] Suspicious traffic in logs

We have a global network, and we have placed a firewall right in the middle of
our intranet to help log and stop viruses and network scans. I have run
across some really interesting scans going on.

They are hitting three ports: 135, 1025, 1433. I see these three ports hit an
IP address, then a new random port is selected. The rate at which they are
scanning is the interesting part. It is hitting a port about every 20
seconds or so.

So they do not show up in the logs very well.

The only reason I found them is that I have been going over our anti-spoofing
addresses. Since we have 10 addresses on both sides and there is no straight
addressing (it is all over the place), I have to stay on top of it.

In the last 3 days I have seen no repeated IP addresses, and it is
coming from 6 different subnets.

This is just a heads up for everyone out there.
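
The pattern described in this thread (135, 1025 and 1433 probed on one address, then the next, at roughly one probe every 20 seconds) stays under rate-based alarms, so the sketch below looks for it by shape over the whole log instead. It is an added example, not part of either message; the log line format, the addresses, the /24 grouping and the function names are all constructed assumptions, not Check Point's log format.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

WATCH_PORTS = {135, 1025, 1433}  # the three ports named in the thread

def make_sample_log():
    """Constructed log: 'date time src dst dport action', one event every 20 s."""
    t, lines = datetime(2004, 12, 10, 9, 0, 0), []
    for i, src in enumerate(["10.20.1.15", "10.20.1.77", "10.31.4.9"]):
        for host in range(1, 5):            # four targets per scanning source
            for port in sorted(WATCH_PORTS):
                lines.append(f"{t:%Y-%m-%d %H:%M:%S} {src} 10.99.{i}.{host} {port} drop")
                t += timedelta(seconds=20)
    for _ in range(6):                      # benign: one client, one SQL Server
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.40.2.8 10.99.9.10 1433 accept")
        t += timedelta(seconds=20)
    return lines

def peak_per_minute(lines):
    """Highest per-source event count in any clock minute (what a rate alarm sees)."""
    counts = defaultdict(int)
    for line in lines:
        date, time, src = line.split()[:3]
        counts[(src, date, time[:5])] += 1
    return max(counts.values())

def find_slow_scanners(lines, min_targets=3, prefix=24):
    """Flag source subnets that probed every watched port on >= min_targets hosts.
    No time window is applied, so the slow rate does not hide the sweep; grouping
    by subnet still catches it when individual source addresses never repeat."""
    ports_seen = defaultdict(set)   # (source subnet, dst) -> watched ports hit
    sources = defaultdict(set)      # source subnet -> source addresses seen
    for line in lines:
        _date, _time, src, dst, dport, _action = line.split()
        if int(dport) not in WATCH_PORTS:
            continue
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        ports_seen[(net, dst)].add(int(dport))
        sources[net].add(src)
    swept = defaultdict(set)        # source subnet -> fully swept destinations
    for (net, dst), ports in ports_seen.items():
        if ports == WATCH_PORTS:
            swept[net].add(dst)
    return {str(net): {"sources": sorted(sources[net]), "targets": len(dsts)}
            for net, dsts in swept.items() if len(dsts) >= min_targets}

if __name__ == "__main__":
    log = make_sample_log()
    print("peak events per source per minute:", peak_per_minute(log))
    print(find_slow_scanners(log))
```

The benign SQL client generates the same per-minute rate as the scanners but is not flagged, because it only ever touches port 1433 on a single destination.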



