Every day I find a number of TCP_Port_Scan signatures triggered from host A to host B. The number of events is about 400-500 per day. Events appear almost exactly once every five minutes:

2004-07-29 04:25:50 MSD
2004-07-29 04:30:53 MSD
2004-07-29 04:35:56 MSD
2004-07-29 04:40:58 MSD
2004-07-29 04:46:01 MSD
2004-07-29 04:51:03 MSD
2004-07-29 04:56:06 MSD
2004-07-29 05:01:39 MSD
2004-07-29 05:06:41 MSD
2004-07-29 05:11:44 MSD
2004-07-29 05:16:47 MSD
2004-07-29 05:21:49 MSD
2004-07-29 05:26:52 MSD
2004-07-29 05:32:25 MSD
2004-07-29 05:37:27 MSD
... etc ...

The ports that are scanned:

135|4650-4653|4663-4665
135|4673-4676|4686-4688
135|4696-4697|4704|4713|4721|4724-4725
135|4736|4739|4742-4743|4748|4754-4755
135|4760-4761|4764-4766|4776|4780
135|4787-4788|4795-4796|4799|4811|4814
135|4820~4825|4835~4837
135|4842-4845|4855~4858
135|4875-4878|4883|4889-4890
135|4896-4899|4904|4914|4917
135|4921|4924|4929-4931|4941-4942
135|1029|1032|4953~4957|4992
135|1036-1040|1052|1055
135|1064-1067|1075|1085-1086
... etc ...

- 135 (MSRPC) at first and then
- above 1024.

It seems to be MSRPC work, but I do not know what could generate such activity. If someone knows what it is, please let me know.

Additional info: attacker - simple Windows XP Pro workstation (IBM ThinkPad T40 laptop), victim - NT domain controller and print server.

Thanks to all.

---
Best regards, Sergey V. Soldatov.
tel/fax +7 095 745 89 50 (2663)
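Added example (not part of the original post): a short Python triage script that measures the two things the post reports, the interval between alerts and the shape of each alert's port list, using the 15 timestamps and a subset of the port rows quoted above. The function names are this example's own.

```python
from datetime import datetime
from statistics import median

# Sample data copied from the post: all 15 timestamps, a subset of the port rows.
DAY = "2004-07-29"
TIMES = ("04:25:50 04:30:53 04:35:56 04:40:58 04:46:01 "
         "04:51:03 04:56:06 05:01:39 05:06:41 05:11:44 "
         "05:16:47 05:21:49 05:26:52 05:32:25 05:37:27").split()
ROWS = ("135|4650-4653|4663-4665 135|4673-4676|4686-4688 "
        "135|4820~4825|4835~4837 135|1029|1032|4953~4957|4992 "
        "135|1036-1040|1052|1055").split()


def gap_stats(day, times):
    """Return (min, median, max) seconds between consecutive alerts."""
    ts = [datetime.strptime(f"{day} {t}", "%Y-%m-%d %H:%M:%S") for t in times]
    gaps = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
    return min(gaps), median(gaps), max(gaps)


def parse_ports(row):
    """Expand 'a|b-c|d~e'; both '-' and '~' appear as range separators."""
    ports = set()
    for item in row.split("|"):
        lo, _, hi = item.replace("~", "-").partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ports)


def profile(row):
    """Summarise one alert: is 135 present, and how tight are the ports above 1024?"""
    ports = parse_ports(row)
    high = [p for p in ports if p > 1024]
    return {"has_135": 135 in ports,
            "high_count": len(high),
            "high_span": high[-1] - high[0] + 1 if high else 0}


if __name__ == "__main__":
    print("gap min/median/max (s):", gap_stats(DAY, TIMES))
    for row in ROWS:
        print(f"{row:32} {profile(row)}")
```

A near-constant gap and a handful of closely spaced high ports per alert are properties to record when deciding whether an alert series is timer-driven traffic from one host or a sweep across the port range.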
