
Welcome to ISAserver.org


127.0.0.1 well-known port scan attack

127.0.0.1 well-known port scan attack - 23.Sep.2003 12:14:00 AM   
anadigi

 

Posts: 9
Joined: 23.Sep.2003
Status: offline
I have had the above problem recently. Does anyone know what is going on and how to fix it?
Post #: 1
RE: 127.0.0.1 well-known port scan attack - 23.Sep.2003 4:57:00 AM   
jmlohren

 

Posts: 80
Joined: 7.Sep.2001
From: Spokane, WA USA
Status: offline
Scan your network and check your ISA logs. Sounds like a worm...probably the welchia worm.

Jason

(in reply to anadigi)
Post #: 2
RE: 127.0.0.1 well-known port scan attack - 23.Sep.2003 9:11:00 AM   
cko

 

Posts: 52
Joined: 4.Aug.2003
Status: offline
hey, i have got the same problem. but this started just after i reinstalled isaserver.

but if it would be a worm from internal network, it wouldn't display 127.0.0.1, or why should it so?

following i can find in my isalogs:

22.09.2003 07:06:13 127.0.0.1 82.2.210.50 Tcp 80 1970 Spoof 82.2.210.50

82.2.210.50 is one of the static ip's i have got from the isp. (changed for security reasons)

[ September 23, 2003, 09:29 AM: Message edited by: cko ]

(in reply to anadigi)
Post #: 3
RE: 127.0.0.1 well-known port scan attack - 23.Sep.2003 3:38:00 PM   
jmlohren

 

Posts: 80
Joined: 7.Sep.2001
From: Spokane, WA USA
Status: offline
I know it doesn't sound possible, but check your ISA logs for PCs (primarily w2k or winxp) that are flooding your ISA Server with requests on specific ports. Also, your ISA Server itself could get infected by this worm.
Get the removal tool from Symantec if nothing else (very small file) and run it on the server and pc's.
MS has a patch out to fix the hole as well.

Jason

(in reply to anadigi)
Post #: 4
RE: 127.0.0.1 well-known port scan attack - 23.Sep.2003 8:59:00 PM   
Tbell

 

Posts: 16
Joined: 13.Aug.2003
Status: offline
I posted this on here twice! I have had this problem for about three weeks now. I've run a sniffer and the only thing I can find is that my router MAC address shows up. I'm new to ISA and I'm having a hard time fixing this. It seems a lot of people have started getting this but no one has any real advice. None of our PCs have any worms. Please someone help! I get at least 2 of these a day at random times, no pattern and no repeating times (even late at night when no one's even at work).
ISA Server detected a well-known port scan attack from Internet Protocol (IP) address 127.0.0.1. A well-known port is any port in the range of 1-2048. For more information about this event, see ISA Server Help.

HELP!

(in reply to anadigi)
Post #: 5
RE: 127.0.0.1 well-known port scan attack - 23.Sep.2003 9:07:00 PM   
tarasbredel

 

Posts: 175
Joined: 9.Apr.2003
From: Denmark
Status: offline
Hi

This has gotten to be a "common" issue...

Check out...

My post:
- http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=010566
(Bottom of the page)

Other post:
- http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=3;t=003448
- http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=010590
Especially this one....
- http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=010554

Br,

Taras Bredel

[ September 23, 2003, 09:11 PM: Message edited by: tarasbredel ]

(in reply to anadigi)
Post #: 6
RE: 127.0.0.1 well-known port scan attack - 24.Sep.2003 3:25:00 PM   
Tbell

 

Posts: 16
Joined: 13.Aug.2003
Status: offline
Yes, it does seem to be occurring a lot. Funny that it just started a few weeks ago, I'm glad I'm not the only one, but this is getting old quick. I get paged several times a day & night regarding 'spoof attack'. We ran the Ethereal sniffer and it seems to not shine any light on the situation. Has anyone been able to fix this yet??????? Can you share your secret???

Thanks so much!

(in reply to anadigi)
Post #: 7
RE: 127.0.0.1 well-known port scan attack - 24.Sep.2003 3:43:00 PM   
idsltd

 

Posts: 87
Joined: 28.Apr.2003
From: Newcastle
Status: offline
i get this whenever my remote pop3 clients connect to send/receive mail

(in reply to anadigi)
Post #: 8
RE: 127.0.0.1 well-known port scan attack - 24.Sep.2003 9:53:00 PM   
anadigi

 

Posts: 9
Joined: 23.Sep.2003
Status: offline
Yes, I have this problem same as you, it seems like after I have installed the Microsoft blaster patch.

(in reply to anadigi)
Post #: 9
RE: 127.0.0.1 well-known port scan attack - 24.Sep.2003 10:43:00 PM   
Tbell

 

Posts: 16
Joined: 13.Aug.2003
Status: offline
We don't have internal email servers, our users connect to an ISP with outlook.

Yes I would say that I followed the MS recommendations for blaster and created the protocols to block the worm and also applied the patches. My ISA server itself does not have any viruses on it. It's Win2k SP4.

?????

(in reply to anadigi)
Post #: 10
RE: 127.0.0.1 well-known port scan attack - 24.Sep.2003 11:12:00 PM   
jblackmin

 

Posts: 9
Joined: 8.Jul.2003
Status: offline
Also randomly having this problem (for last 3 days). Had changed nothing prior to the problem starting on Monday.

What else is weird: For 3 days last week, had the same spoof attack, but eventviewer claimed it was coming from 192.168.1.9 (one of my internal addresses). It was also happening on an every-4-hour schedule.

What else is weird: The last 2 Friday nights, the internal port on my Cisco router appeared to lock up...but not sure if it was really that, or the external interface to the ISA server.

j

(in reply to anadigi)
Post #: 11
RE: 127.0.0.1 well-known port scan attack - 25.Sep.2003 2:13:00 AM   
anadigi

 

Posts: 9
Joined: 23.Sep.2003
Status: offline
I just found out that it could be the spam mail problem. I found the IP 198.64.152.161 from netstat, and found it on the blacklist of spam mail servers (www.declude.com).
Hopefully that helps.
I hope others who have the same problem will try it out.

(in reply to anadigi)
Post #: 12
RE: 127.0.0.1 well-known port scan attack - 25.Sep.2003 2:19:00 AM   
anadigi

 

Posts: 9
Joined: 23.Sep.2003
Status: offline
Sorry guys, not this IP 198.64.152.161.

(in reply to anadigi)
Post #: 13
RE: 127.0.0.1 well-known port scan attack - 25.Sep.2003 9:44:00 PM   
Tbell

 

Posts: 16
Joined: 13.Aug.2003
Status: offline
Nobody else has any words of wisdom? It seems A LOT of people are experiencing this...is anyone as frustrated as I am that you've tried to look at everything and you're still getting pages from your isaserver all day and night???
PLEASE HELP if you know how to fix this! I've done everything that everyone's suggested. We have no internal worms!

Thanks

(in reply to anadigi)
Post #: 14
RE: 127.0.0.1 well-known port scan attack - 25.Sep.2003 11:23:00 PM   
jblackmin

 

Posts: 9
Joined: 8.Jul.2003
Status: offline
I was looking through the ISA newsgroup over at http://support.microsoft.com/newsgroups/default.aspx. Just like here...there are probably 20 or more separate threads about this issue. The only thing I saw over there that looks like a possible cause, is the fact that this just recently started happening (since people started applying the latest critical security patches). If there is someone who has "not" applied the new patches, then that would rule it out. The problem started for me about 3 days after patching. This could well be a new bug caused by the patch. Any thoughts?

(in reply to anadigi)
Post #: 15
RE: 127.0.0.1 well-known port scan attack - 26.Sep.2003 1:04:00 AM   
AHIT

 

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
Hi guys,

Check out this thread: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=010554 which gives an explanation of what the cause is.

Basically it's the blaster worm attempting to hit your external IP, ISA tries to respond to a sitename which resolves to 127.0.0.1.
It 'appears' to have been related to critical patches purely due to timing of the blaster worm's release.
End result: There's bugger all you can do about it at this point in time, but there's nothing to fear, ISA is detecting the action (as impotent as it may be in this case) and all's fine. This may only be a problem if you have port scan alerts set to fire off other functions like deny filters which could essentially cause a denial of service against yourself!

(in reply to anadigi)
Post #: 16
RE: 127.0.0.1 well-known port scan attack - 26.Sep.2003 2:07:00 AM   
jblackmin

 

Posts: 9
Joined: 8.Jul.2003
Status: offline
It may well be the blaster worm knocking on our doors, but blaster has been out there much longer than this has been going on...

(in reply to anadigi)
Post #: 17
RE: 127.0.0.1 well-known port scan attack - 29.Sep.2003 2:54:00 PM   
Tbell

 

Posts: 16
Joined: 13.Aug.2003
Status: offline
I had 18 reports of this error over the weekend. All our pcs were off. I've scanned my servers so none of them have the worm. HELP PLEASE! Does anyone know what to do on this????

I hate to turn off the alert for spoofing...

(in reply to anadigi)
Post #: 18
RE: 127.0.0.1 well-known port scan attack - 29.Sep.2003 3:58:00 PM   
winoto

 

Posts: 125
Joined: 10.Sep.2002
From: Montreal
Status: offline
Hi,

I have two ISAs that give me the same problem after I installed the hotfix for blaster.
The one in head office gives the alert (port scan) every few days:
127.0.0.1 X.X.X.X Tcp 80 1567 RST ACK BLOCKED X.X.X.X

The one in branch office generates (IP Spoof) every few hours:
127.0.0.1 X.X.X.X Tcp 80 1437 Spoof X.X.X.X

(in reply to anadigi)
Post #: 19
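
Added example, not part of any post in this thread: a small triage script for entries in the log layout cko and winoto posted, separating the 127.0.0.1 source-port-80 entries AHIT describes from everything else so the remaining alerts stay visible. The field names, the reading of the two numeric columns as source and destination port, and the sample lines (documentation addresses) are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in the layout posted in this thread; addresses are
# documentation ranges (203.0.113.0/24, 192.0.2.0/24), not real hosts.
SAMPLE_LOG = """\
22.09.2003 07:06:13 127.0.0.1 203.0.113.50 Tcp 80 1970 Spoof 203.0.113.50
29.09.2003 03:14:09 127.0.0.1 203.0.113.50 Tcp 80 1567 RST ACK BLOCKED 203.0.113.50
29.09.2003 03:15:40 192.0.2.77 203.0.113.50 Tcp 4312 25 SYN BLOCKED 203.0.113.50
127.0.0.1 203.0.113.50 Tcp 80 1437 Spoof 203.0.113.50
"""

def parse_line(line):
    """Split one entry into named fields (names are assumptions, not ISA's)."""
    tok = line.split()
    if not tok:
        return None
    try:
        ipaddress.ip_address(tok[0])
    except ValueError:
        tok = tok[2:]  # entry starts with date and time columns; drop them
    if len(tok) < 7:
        return None
    src, dst, proto, sport, dport, *middle, iface = tok
    return {
        "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
        "proto": proto.upper(), "sport": int(sport), "dport": int(dport),
        # Optional TCP flags come first, then the result (Spoof / BLOCKED).
        "flags": tuple(middle[:-1]), "action": middle[-1], "iface": iface,
    }

def is_loopback_port80(entry):
    """True for the pattern reported here: TCP from 127.0.0.1, source port 80."""
    return entry["src"].is_loopback and entry["proto"] == "TCP" and entry["sport"] == 80

def triage(text):
    """Return (matches, others); 'others' still deserve normal alert handling."""
    matches, others = [], []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            (matches if is_loopback_port80(entry) else others).append(entry)
    return matches, others

def summarize(entries):
    """Count entries per (action, flags) pair."""
    return Counter((e["action"], e["flags"]) for e in entries)

if __name__ == "__main__":
    noise, rest = triage(SAMPLE_LOG)
    print(summarize(noise), len(rest))
```

Counting the matching entries separately gives a way to see how often the 127.0.0.1 alerts fire without switching off the spoof or port scan alert for other sources.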
RE: 127.0.0.1 well-known port scan attack - 29.Sep.2003 10:34:00 PM   
jblackmin

 

Posts: 9
Joined: 8.Jul.2003
Status: offline
To whomever else is having this problem,

Since everyone is not experiencing this, we all must have some configuration issue in common.

Two recent changes I've made is that I've changed from web publishing our Exchange server to server publishing it. The other change is installing Microsoft's latest security patches. I haven't set up our ISA server to access the WWW, so I have to download the patches to another server on our network, copy them over and then run them on the ISA server.

I was just wondering if any others have similar circumstances.

If this problem continues into next weekend, I'm considering removing the latest security patches or changing the Exchange publishing to see if it solves it.

Any other ideas?

Thanks,
j

(in reply to anadigi)
Post #: 20
