
[ISSForum] TCP_Port_Scan signature



Every day I find a number of TCP_Port_Scan signatures triggered from host A
to host B. The number of events is about 400-500 per day. Events appear
almost exactly once every five minutes:
2004-07-29 04:25:50 MSD
2004-07-29 04:30:53 MSD
2004-07-29 04:35:56 MSD
2004-07-29 04:40:58 MSD
2004-07-29 04:46:01 MSD
2004-07-29 04:51:03 MSD
2004-07-29 04:56:06 MSD
2004-07-29 05:01:39 MSD
2004-07-29 05:06:41 MSD
2004-07-29 05:11:44 MSD
2004-07-29 05:16:47 MSD
2004-07-29 05:21:49 MSD
2004-07-29 05:26:52 MSD
2004-07-29 05:32:25 MSD
2004-07-29 05:37:27 MSD
... etc ...

The ports that are scanned:
135|4650-4653|4663-4665
135|4673-4676|4686-4688
135|4696-4697|4704|4713|4721|4724-4725
135|4736|4739|4742-4743|4748|4754-4755
135|4760-4761|4764-4766|4776|4780
135|4787-4788|4795-4796|4799|4811|4814
135|4820~4825|4835~4837
135|4842-4845|4855~4858
135|4875-4878|4883|4889-4890
135|4896-4899|4904|4914|4917
135|4921|4924|4929-4931|4941-4942
135|1029|1032|4953~4957|4992
135|1036-1040|1052|1055
135|1064-1067|1075|1085-1086
... etc ... - port 135 (MSRPC) first, and then ports above 1024.

It seems to be MSRPC work, but I do not know what could generate such
activity.
If someone knows what it is, please let me know.

Additional info: attacker - simple Windows XP Pro workstation (IBM ThinkPad
T40 laptop), victim - NT domain controller and print server.

Thanks to all.
---
Best regards, Sergey V. Soldatov.
tel/fax +7 095 745 89 50 (2663)
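
Added example, not part of the original message: a triage sketch that measures how regular the quoted alert times are and whether each quoted port list is port 135 plus only high ports. The function names and the 1025-5000 range (the default dynamic RPC port range on Windows before Vista) are assumptions of this example.

```python
import re
from datetime import datetime
from statistics import median
# Alert times and port lists as quoted in the message (timezone suffix dropped).
ALERTS = """
2004-07-29 04:25:50 2004-07-29 04:30:53 2004-07-29 04:35:56 2004-07-29 04:40:58
2004-07-29 04:46:01 2004-07-29 04:51:03 2004-07-29 04:56:06 2004-07-29 05:01:39
2004-07-29 05:06:41 2004-07-29 05:11:44 2004-07-29 05:16:47 2004-07-29 05:21:49
2004-07-29 05:26:52 2004-07-29 05:32:25 2004-07-29 05:37:27
"""
PORT_SETS = """
135|4650-4653|4663-4665 135|4673-4676|4686-4688
135|4696-4697|4704|4713|4721|4724-4725 135|4736|4739|4742-4743|4748|4754-4755
135|4760-4761|4764-4766|4776|4780 135|4787-4788|4795-4796|4799|4811|4814
135|4820~4825|4835~4837 135|4842-4845|4855~4858
135|4875-4878|4883|4889-4890 135|4896-4899|4904|4914|4917
135|4921|4924|4929-4931|4941-4942 135|1029|1032|4953~4957|4992
135|1036-1040|1052|1055 135|1064-1067|1075|1085-1086
"""
RPC_DYNAMIC = range(1025, 5001)  # assumption: default pre-Vista dynamic RPC range

def gaps_seconds(text):
    stamps = re.findall(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d", text)
    ts = [datetime.strptime(s, "%Y-%m-%d %H:%M:%S") for s in stamps]
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]

def is_periodic(gaps, tolerance=0.15):
    """True when every gap lies within tolerance of the median gap."""
    mid = median(gaps)
    return all(abs(g - mid) <= tolerance * mid for g in gaps)

def parse_ports(field):
    """Expand '135|4650-4653' (the list also uses '~' for ranges) to a set."""
    ports = set()
    for part in field.split("|"):
        lo, _, hi = part.replace("~", "-").partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def rpc_shaped(ports):
    """Port 135 plus nothing outside the assumed dynamic RPC range."""
    return 135 in ports and all(p in RPC_DYNAMIC for p in ports - {135})

def triage(alerts=ALERTS, port_sets=PORT_SETS):
    gaps = gaps_seconds(alerts)
    sets = [parse_ports(f) for f in port_sets.split()]
    return {"median_gap": median(gaps), "periodic": is_periodic(gaps),
            "rpc_shaped": sum(map(rpc_shaped, sets)), "sets": len(sets)}
if __name__ == "__main__": print(triage())
```

A timer-regular gap together with the same port shape on every alert is a pattern worth correlating with scheduled jobs or services on the source host before treating the events as a scan.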

