• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

RE: 127.0.0.1 well-known port scan attack

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 General] >> General >> RE: 127.0.0.1 well-known port scan attack Page: <<   < prev  1 2 [3]
Login
Message << Older Topic   Newer Topic >>
RE: 127.0.0.1 well-known port scan attack - 14.Oct.2003 4:25:00 AM   
AHIT

 

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
Hi guys,

An observation that may be relevant.
On September 3rd I applied the following updates to my ISA box.
823718 - Update for MS-DAC
822831 - Recommended update for Windows 2000

From the point on I started getting the 127.0.0.1 port scans.

I've now got a gut feel it's 823718 that broke caused this.

http://support.microsoft.com/default.aspx?scid=kb;en-us;823718 is the original article.
It talks about fixes for buffer overflows blah blah... which was the initial problem with blaster - a buffer overflow

Amazingly these alerts seem to have now just stopped. My last was October 3rd and haven't seen one since yet I've had no patches of any sort applied that day or in the days prior to that.

Any one else had a similar experience in identifying the above patch as "the culprit" for the errors? or noted that they've now gone away?

[ October 14, 2003, 04:50 AM: Message edited by: Tolk ]

(in reply to anadigi)
Post #: 41
RE: 127.0.0.1 well-known port scan attack - 20.Oct.2003 10:12:00 PM   
Tbell

 

Posts: 16
Joined: 13.Aug.2003
Status: offline
I'm still getting them but only a couple a day now.
detected a well-known port scan attack from Internet Protocol (IP) address 127.0.0.1. A well-known port is any port in the range of 1-2048. For more information about this event, see ISA Server Help.

(in reply to anadigi)
Post #: 42
RE: 127.0.0.1 well-known port scan attack - 22.Oct.2003 1:56:00 PM   
Tbell

 

Posts: 16
Joined: 13.Aug.2003
Status: offline
Just started getting them again...back to square one...trying sniffer..getting almost every hour..

Here we go again..

(in reply to anadigi)
Post #: 43
RE: 127.0.0.1 well-known port scan attack - 23.Oct.2003 2:35:00 PM   
Tbell

 

Posts: 16
Joined: 13.Aug.2003
Status: offline
So, still trying to research this. I've noticed one of my servers posting the following in the isa logs:

IPaddress of SERVER anonymous - 2003-10-22 00:02:12 æname of isaserverÆ -wpad.domainname.com

These items seem to coincide with the time I get the intrusion alerts. Possibly related? Any thoughts?

(in reply to anadigi)
Post #: 44
RE: 127.0.0.1 well-known port scan attack - 24.Oct.2003 5:32:00 AM   
shon

 

Posts: 15
Joined: 26.Apr.2001
From: Platte City, MO
Status: offline
Which log are you finding these in the IP blocking or firewall?

I getting these alerts more and more everyday.

(in reply to anadigi)
Post #: 45

Page:   <<   < prev  1 2 [3] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 General] >> General >> RE: 127.0.0.1 well-known port scan attack Page: <<   < prev  1 2 [3]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts