Welcome to ISAserver.org
RE: 127.0.0.1 well-known port scan attack
RE: 127.0.0.1 well-known port scan attack - 29.Sep.2003 10:55:00 PM
anadigi
Posts: 9
Joined: 23.Sep.2003
Status: offline
I wonder if people who have this problem also have other sites with a well-known attack. The site with all the IPs is 66.220.17.152; 66.22.17.50; 66.220.17.51, etc. I found out almost every time this site has a well-known port scan attack!
RE: 127.0.0.1 well-known port scan attack - 30.Sep.2003 3:47:00 AM
Guest
I received the same message on my ISA server at my job but not at home. For the most part they are configured the same. My ISA server at home has a few more ports open for games and stuff like that. If somebody finds the problem, let me know.
RE: 127.0.0.1 well-known port scan attack - 30.Sep.2003 2:15:00 PM
Tbell
Posts: 16
Joined: 13.Aug.2003
Status: offline
Exactly! I have all our users shut down their PCs at night... I mostly get the alerts at night and during the weekends (18 this weekend!). I have no Exchange server... all I've done is load the MS patches and set up the 2 protocol rules Microsoft recommended for Blaster and SoBig. That's it... then we start getting these. I'm glad other people are as frustrated! I wonder if MS is even aware of this if it is a security patch problem. What's really strange too is that sometimes I get the alert and it's from our external DNS IP from our ISP???
RE: 127.0.0.1 well-known port scan attack - 3.Oct.2003 12:44:00 PM
jblackmin
Posts: 9
Joined: 8.Jul.2003
Status: offline
This problem has mysteriously stopped. Haven't had one of these 127.0.0.1 spoofs for the past 27 hours.
Is anyone else still experiencing this issue?
j
RE: 127.0.0.1 well-known port scan attack - 3.Oct.2003 9:37:00 PM
jstutts
Posts: 9
Joined: 3.Oct.2003
From: California
Status: offline
As stated earlier, if it is the Welchia (Nachi) worm it should be simple to fix. Just disconnect your firewall from the Internet. Run the MS patch on all your Windows machines (servers included). (Make sure the patch takes, though.) Run Norton's Stinger tool and scan and clean each system (including the ISA server - any machine with Windows2K and XP, servers included). You should also run the dcombobulator tool to disable the part of the RPC service affected. Be advised that I found a few machines that would not stop pinging the network due to a problem with the OS installation and had to re-install the OS on those machines. You can also manually delete the virus by going into winnt/system32/wins and deleting the dllhost.exe and svchost.exe files. svchost should delete with no problem, but if the dllhost file is active the system won't let you delete it. In that case disconnect the cable from the NIC, restart and then try to delete it. If that fails, which it did once for me, boot into command mode or "DOS" mode and delete it that way. That seemed to work for me.
RE: 127.0.0.1 well-known port scan attack - 3.Oct.2003 9:42:00 PM
jstutts
Posts: 9
Joined: 3.Oct.2003
From: California
Status: offline
One more thing... I know that in our case, even though we patched and cleaned our computers, the worm is still on our network looking for hosts to infect. Also be aware that even though the worm is made for WinNT, Win2K, and WinXP machines, Win95, 98, and ME will become active carriers of the virus. So if you have any of those on your network you will need to fully clean them and make sure they are clean before adding them back to the network.
RE: 127.0.0.1 well-known port scan attack - 4.Oct.2003 1:00:00 AM
anadigi
Posts: 9
Joined: 23.Sep.2003
Status: offline
I don't think it is related to an internal virus, because I have McAfee virus protection (up-to-date DATs) on all computers; all computers are patched. I even had Stinger scan twice on each computer!
RE: 127.0.0.1 well-known port scan attack - 6.Oct.2003 6:16:00 PM
bluvg
Posts: 9
Joined: 6.Oct.2003
Status: offline
Is this caused by SP4? I only started getting these messages after SP4.
RE: 127.0.0.1 well-known port scan attack - 6.Oct.2003 6:49:00 PM
harrida1
Posts: 6
Joined: 14.Mar.2002
Status: offline
After reading the posts on this newsgroup I decided to run the KB824146scan tool again this morning, and guess what, I found an unpatched system. It's been 3-4 hours since patching and no 127.0.0.1 port scans. Will update if they appear again.
RE: 127.0.0.1 well-known port scan attack - 8.Oct.2003 3:27:00 AM
isaserver22
Posts: 1
Joined: 8.Oct.2003
Status: offline
I was experiencing this last month (after I installed Microsoft's latest security updates). I removed the updates and have had no more problems for over 2 weeks now. I don't plan on re-installing them any time soon (at least not until I hear of a new virus which actually exploits those vulnerabilities). You would think that Microsoft would take the time to actually test these security updates before screwing everybody's ISA server all up! My theory is that what you are seeing is the blaster worm looking for unpatched systems...adding the latest patches lowers ISA server's IQ...thus making it think it is scanning itself. Why it is affecting some ISA servers and not others is anybody's guess...just know that axing the patches fixed mine.
RE: 127.0.0.1 well-known port scan attack - 9.Oct.2003 1:18:00 AM
AHIT
Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
Guys,
You've missed the point. As noble as it is to ensure all your internal machines are patched and up to date, it's EXTERNAL machines infected with Welchia that are causing the problem.
See http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=010554#000005 for further info.
RE: 127.0.0.1 well-known port scan attack - 9.Oct.2003 3:54:00 PM
tin
Posts: 3
Joined: 9.Oct.2003
Status: offline
I recently updated my ISA server; right after the updates I got attacks from 172.30.2.155, which is my external IP address on my server. Then it seems that ISA is rejecting the external NIC, so now I have to use just one NIC on the ISA server. Anyone got ideas on how to get my external NIC to work again?
Tin
RE: 127.0.0.1 well-known port scan attack - 9.Oct.2003 5:11:00 PM
tin
Posts: 3
Joined: 9.Oct.2003
Status: offline
I recently updated my ISA server; right after the updates I got attacks from 172.30.2.155, which is my external IP address on my server. Then it seems that ISA is rejecting the external NIC, so now I have to use just one NIC on the ISA server. Anyone got ideas on how to get my external NIC to work again?
Tin
RE: 127.0.0.1 well-known port scan attack - 13.Oct.2003 3:23:00 PM
Tbell
Posts: 16
Joined: 13.Aug.2003
Status: offline
So just FYI, I replaced my ISA Server this weekend along with installing a new DC. Had all my PCs down all weekend and only my servers up. Still got these errors, EVERY HOUR. I know you're saying that it means it's working, but if I turn off these alerts, I won't know if someone really gets in....
RE: 127.0.0.1 well-known port scan attack - 13.Oct.2003 4:02:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi TBell,
You can disable spoof detection if you don't like the entries in the Event Viewer.
HTH, Tom
RE: 127.0.0.1 well-known port scan attack - 14.Oct.2003 2:16:00 AM
shon
Posts: 15
Joined: 26.Apr.2001
From: Platte City, MO
Status: offline
These alerts are coming as: "ISA Server alert: An intrusion was attempted by an external user." They aren't IP spoofing alerts.
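
Added example, not part of the thread and not ISA Server tooling: a small triage script that buckets alert source addresses the way the posters do by hand (loopback, the firewall's own external address, everything else). The `timestamp,source,alert` layout, the timestamps and the function names `classify_source` and `triage` are assumptions made for the example; the addresses are the ones quoted in the posts above.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in a made-up "timestamp,source,alert" layout (an
# assumption for this example; it is not ISA Server's log or alert format).
# The addresses are the ones quoted in the thread; timestamps are invented.
SAMPLE_ALERTS = """\
2003-10-04 01:10:00,127.0.0.1,well-known port scan
2003-10-04 02:10:00,127.0.0.1,well-known port scan
2003-10-04 03:12:00,172.30.2.155,well-known port scan
2003-10-04 03:40:00,66.220.17.152,well-known port scan
2003-10-04 04:00:00,not-an-ip,well-known port scan
"""

def classify_source(raw, own_addresses):
    """Bucket one alert source address (hypothetical helper)."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        # 127.0.0.0/8 is never a valid source on the wire, so the field
        # says nothing about which host actually sent the packet.
        return "loopback"
    if ip in own_addresses:
        return "own-address"
    if ip.is_private:
        return "private"
    return "routable"

def triage(log_text, own_addresses):
    """Return {bucket: Counter({source: alert_count})} for the whole log."""
    own = {ipaddress.ip_address(a) for a in own_addresses}
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split(",")
        if len(fields) != 3:
            continue  # skip blank or malformed rows
        source = fields[1].strip()
        buckets[classify_source(source, own)][source] += 1
    return dict(buckets)

if __name__ == "__main__":
    for bucket, sources in triage(SAMPLE_ALERTS, ["172.30.2.155"]).items():
        print(bucket, dict(sources))
```

Only the `routable` bucket names hosts that can be followed up by address; the `loopback` and `own-address` buckets show how many alerts carry a source field that cannot identify the sender.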