Malicious port scanning or standard Active Directory/Exchange Server behavior

A quick search of GOOGLE reveals that many people see UDP Port 36 activity, but that no one knows what is doing it. UDP/36 is not a defined port/service.

Reply to
Leythos

From my Windows XP SP2 personal firewall log (source and destination addresses replaced with sss and ddd in this post).

This activity is taking place from within a corporate firewall, though the source machine is not under my control so I am not in any position to check it for security patches or vira.

I have reported the problem, but was told that this is normal AD/DNS/Exchange Server activity and nothing to be concerned about.

We have been having some problems with "sdbot" worm attacks recently, so I am trying to get a second opinion. This is the only machine generating this kind of activity.

The source port is usually anything from 30000 to 65000. Destination port can be 1065, 1071, 1084, 1109, etc.

Anyone here who recognizes this traffic pattern and perhaps can direct me to some resources where I can learn more about this?

TIA,

Joergen Bech

---snip---

2004-11-25 13:25:48 DROP UDP 43207 1084 36 - - - - - - - RECEIVE
2004-11-25 13:26:49 DROP UDP 43388 1084 36 - - - - - - - RECEIVE
2004-11-25 13:27:50 DROP UDP 43568 1084 36 - - - - - - - RECEIVE
2004-11-25 13:28:51 DROP UDP 43773 1084 36 - - - - - - - RECEIVE
2004-11-25 13:29:52 DROP UDP 43976 1084 36 - - - - - - - RECEIVE
2004-11-25 13:30:53 DROP UDP 44290 1084 36 - - - - - - - RECEIVE
2004-11-25 13:31:54 DROP UDP 44552 1084 36 - - - - - - - RECEIVE
2004-11-25 13:32:55 DROP UDP 44764 1084 36 - - - - - - - RECEIVE
2004-11-25 13:33:56 DROP UDP 44954 1084 36 - - - - - - - RECEIVE
2004-11-25 13:34:57 DROP UDP 45170 1084 36 - - - - - - - RECEIVE
2004-11-25 13:35:58 DROP UDP 45406 1084 36 - - - - - - - RECEIVE
2004-11-25 13:36:59 DROP UDP 45558 1084 36 - - - - - - - RECEIVE
2004-11-25 13:38:00 DROP UDP 45741 1084 36 - - - - - - - RECEIVE
2004-11-25 13:39:01 DROP UDP 45886 1084 36 - - - - - - - RECEIVE
2004-11-25 13:40:02 DROP UDP 46021 1084 36 - - - - - - - RECEIVE
2004-11-25 13:41:03 DROP UDP 46201 1084 36 - - - - - - - RECEIVE
2004-11-25 13:42:04 DROP UDP 46380 1084 36 - - - - - - - RECEIVE
2004-11-25 13:43:05 DROP UDP 46546 1084 36 - - - - - - - RECEIVE
2004-11-25 13:44:06 DROP UDP 46720 1084 36 - - - - - - - RECEIVE
2004-11-25 14:00:14 DROP UDP 49863 1084 36 - - - - - - - RECEIVE
2004-11-25 14:00:22 DROP UDP 49909 1084 36 - - - - - - - RECEIVE
2004-11-25 15:54:42 DROP UDP 5537 1084 36 - - - - - - - RECEIVE
2004-11-26 10:37:20 DROP UDP 15745 1109 36 - - - - - - - RECEIVE
2004-11-26 10:37:39 DROP UDP 15803 1109 36 - - - - - - - RECEIVE
2004-11-26 12:01:32 DROP UDP 32419 1109 36 - - - - - - - RECEIVE
2004-11-26 12:38:08 DROP UDP 40566 1109 36 - - - - - - - RECEIVE
2004-11-26 12:52:05 DROP UDP 42825 1109 36 - - - - - - - RECEIVE
2004-11-26 12:52:52 DROP UDP 42925 1109 36 - - - - - - - RECEIVE
2004-11-26 13:56:39 DROP UDP 53548 1109 36 - - - - - - - RECEIVE
2004-11-26 14:05:37 DROP UDP 54933 1109 36 - - - - - - - RECEIVE

---snip---
Reply to
Joergen Bech

Right - it seems quite "normal".

To port 1084 I found this software, which uses it:

To port 1109 I found that it is used by Kerberos IV POP3:
snipped-for-privacy@u.washington.edu/msg01306.html

Nothing to fear ;-)

Joergen Bech wrote:

Reply to
Florian Roth

Sorry, my mistake - too much left over turkey for breakfast.

Reply to
Leythos

Um ... ok. But why then would it be one port for several hours, then another one for half a day, etc. rather than seeing them mixed more randomly?

And shouldn't the source port(s) stay the same, rather than going through the 30000-65000 range?

The machine in question is an MS Exchange Server, serving clients in several countries.

TIA,

Joergen Bech

Reply to
Joergen Bech
36 is the size of the packet. Not a port.

The XP firewall fields are defined at the top:

---snip---
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
---snip---

and a line from the log:

2004-11-26 16:06:25 DROP UDP sss.sss.sss.sss ddd.ddd.dd.ddd 11406 1109 36 - - - - - - - RECEIVE

So: src-port = 11406, dst-port = 1109, size = 36

Regards,

Joergen Bech

Reply to
Joergen Bech
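The misreading resolved above came from counting columns by eye. As an added example (not from the thread), here is a small parser that reads the XP SP2 firewall log by its #Fields header, so "36" lands in the size column and the drops can be counted per real destination port. The sample log text is constructed from the lines quoted in the thread, with the placeholder addresses kept.

```python
"""Parse Windows XP SP2 firewall log records by the #Fields header, not by column position."""
from collections import Counter, defaultdict

# Constructed sample in the XP pfirewall.log layout (addresses are placeholders, as in the thread).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-11-25 13:25:48 DROP UDP sss.sss.sss.sss ddd.ddd.dd.ddd 43207 1084 36 - - - - - - - RECEIVE
2004-11-25 13:26:49 DROP UDP sss.sss.sss.sss ddd.ddd.dd.ddd 43388 1084 36 - - - - - - - RECEIVE
2004-11-26 12:01:32 DROP UDP sss.sss.sss.sss ddd.ddd.dd.ddd 32419 1109 36 - - - - - - - RECEIVE
2004-11-26 16:06:25 DROP UDP sss.sss.sss.sss ddd.ddd.dd.ddd 11406 1109 36 - - - - - - - RECEIVE
"""


def parse_records(text):
    """Yield one dict per data line, keyed by the names given in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names, in file order
            continue
        if not line or line.startswith("#"):
            continue  # other header lines (#Version, #Software, ...)
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or a malformed record: skip rather than guess columns
        yield dict(zip(fields, values))


def summarize(text):
    """Count DROP records per (protocol, dst-port) and collect the packet sizes seen for each."""
    per_port = Counter()
    sizes = defaultdict(set)
    for rec in parse_records(text):
        if rec["action"] != "DROP":
            continue
        key = (rec["protocol"], int(rec["dst-port"]))
        per_port[key] += 1
        sizes[key].add(int(rec["size"]))
    return per_port, sizes


if __name__ == "__main__":
    counts, seen_sizes = summarize(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(f"{key[0]} dst-port {key[1]}: {n} drops, sizes {sorted(seen_sizes[key])}")
```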
