Endpoint Protection

  • 1.  UDP Port Scan Detection

    Posted Jul 27, 2015 02:04 PM

    Hi There

    Just wanted to find out if customers or partners are picking up several port scans (UDP ports specifically), triggered from SEP IPS, with the source of attack mostly being the domain controllers?

    The concern I have is I do not want to exclude them, as it may be an indication the domain controller has been compromised, and I know the customer has been heavily infected with Backdoor malware (Houdini variant) - Backdoor VBS Dunihi.

    I have tried to research whether a domain controller would try to connect to machines' UDP ephemeral port ranges for any reason, and cannot find anything saying this is normal behavior.

    Also, should I then create a rule to block these port scans? The port seems to change?

    Somebody is scanning your computer.  Your computer's UDP ports:   49445, 51127, 60636, 58704 and 50265 have been scanned from 
    Somebody is scanning your computer.  Your computer's UDP ports:   53920, 62047, 55332, 54978 and 50907 have been scanned from 
    Somebody is scanning your computer.  Your computer's UDP ports:   54428, 62216, 62220, 61492 and 61493 have been scanned from 
    Somebody is scanning your computer.  Your computer's UDP ports:   55052, 62236, 65532, 49722 and 59798 have been scanned from 
    Somebody is scanning your computer.  Your computer's UDP ports:   55091, 57318, 58272, 51649 and 52590 have been scanned from 
    Somebody is scanning your computer.  Your computer's UDP ports:   55509, 52103, 52745, 53160 and 54755 have been scanned from 
    Somebody is scanning your computer.  Your computer's UDP ports:   57445, 52315, 56399, 55822 and 60884 have been scanned from 
    Somebody is scanning your computer.  Your computer's UDP ports:   58504, 59305, 53659, 53660 and 57445 have been scanned from 
    Somebody is scanning your computer.  Your computer's UDP ports:   59704, 57510, 57509, 58171 and 57511 have been scanned from 
    Somebody is scanning your computer.  Your computer's UDP ports:   60486, 60487, 60488, 53581 and 61609 have been scanned from 
    Somebody is scanning your computer.  Your computer's UDP ports:   60777, 60778, 62762, 62763 and 53026 have been scanned from
    Somebody is scanning your computer.  Your computer's UDP ports:   61079, 56231, 60803, 50195 and 53559 have been scanned from
    Somebody is scanning your computer.  Your computer's UDP ports:   62415, 61589, 61590, 54034 and 57220 have been scanned from
    Somebody is scanning your computer.  Your computer's UDP ports:   63520, 63519, 63521, 58988 and 57536 have been scanned from 

    Don't know if anyone else is experiencing this?


  • 2.  RE: UDP Port Scan Detection

    Posted Jul 28, 2015 11:15 AM

    Haven't seen something like this, but you should investigate further. Not sure why it would connect over high random ports.



  • 3.  RE: UDP Port Scan Detection

    Posted Aug 14, 2015 12:04 PM

    We are seeing this occur as well.

    Is it possible that the client PC is initiating communication with the DC, and the DC is responding to the client on an ephemeral port?

    If it finds the port closed, it hops to another one.

    According to what I've read, if 4 or more ports are accessed in less than 200 seconds, it gets flagged as a port scan.

    I'm guessing.
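The two questions in this thread (are the ports in the first post's alerts ephemeral, and how does a "4 or more ports in under 200 seconds" rule behave when a DC is merely replying to client queries) can be checked with a short script. The following is an added example written for this page; it is not code from the thread, from Symantec or from SEP. It assumes the threshold and window figures quoted in the third post, a constructed set of DC service ports (DNS 53, Kerberos 88, NTP 123, NetBIOS 137/138, LDAP 389, kpasswd 464) that a domain controller legitimately answers from over UDP, and constructed IP addresses and flow records; the two alert lines are copied from the first post, which did not include the source address.

```python
"""Added example (not from the thread or from Symantec): classify the
SEP-style alert lines and test a naive "N ports in W seconds" scan rule
against constructed UDP flow records."""
import re
from collections import defaultdict

# Dynamic (ephemeral) client port range on Windows Vista/2008 and later.
EPHEMERAL_RANGE = range(49152, 65536)

# Assumed set of UDP services a domain controller answers from. A
# datagram whose *source* port is one of these, sent to a client
# ephemeral port, is a reply to a query the client made, not a probe.
DC_UDP_SERVICE_PORTS = {53, 88, 123, 137, 138, 389, 464}

# Two alert lines from the first post; the source address was absent there.
SAMPLE_ALERTS = """\
Somebody is scanning your computer.  Your computer's UDP ports:   49445, 51127, 60636, 58704 and 50265 have been scanned from
Somebody is scanning your computer.  Your computer's UDP ports:   60486, 60487, 60488, 53581 and 61609 have been scanned from
"""

ALERT_RE = re.compile(r"UDP ports:\s*([\d,\s]+?)\s+and\s+(\d+)\s+have been scanned")


def parse_alert_ports(line):
    """Return the destination ports named in one SEP alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return []
    ports = [int(p) for p in m.group(1).split(",")]
    ports.append(int(m.group(2)))
    return ports


def all_ephemeral(ports):
    """True when every 'scanned' port lies in the Windows dynamic range,
    i.e. the pattern a server replying to client-initiated queries produces."""
    return bool(ports) and all(p in EPHEMERAL_RANGE for p in ports)


def detect_scans(flows, threshold=4, window=200, ignore_service_src=False):
    """Flag each source IP that hits >= threshold distinct destination ports
    within `window` seconds (the rule the third post describes; 4 and 200
    are that post's figures and are assumed here). With
    ignore_service_src=True, datagrams sent *from* a DC service port are
    treated as replies and are not counted.

    flows: iterable of (timestamp_seconds, src_ip, src_port, dst_port),
    where dst is the protected client."""
    by_src = defaultdict(list)
    for ts, src_ip, src_port, dst_port in sorted(flows):
        if ignore_service_src and src_port in DC_UDP_SERVICE_PORTS:
            continue
        by_src[src_ip].append((ts, dst_port))

    flagged = set()
    for src_ip, events in by_src.items():
        # Slide the window start over each event from this source.
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 < window}
            if len(ports) >= threshold:
                flagged.add(src_ip)
                break
    return flagged


# Constructed sample traffic (addresses are made up).
DC = "10.0.0.10"
ATTACKER = "10.0.0.99"
SAMPLE_FLOWS = [
    # The DC answering five DNS lookups the client sent from five
    # different ephemeral source ports: source port is always 53.
    (0, DC, 53, 49445), (30, DC, 53, 51127), (60, DC, 53, 60636),
    (90, DC, 53, 58704), (120, DC, 53, 50265),
    # A genuine UDP sweep: arbitrary high source ports, sequential targets,
    # and no client query preceding any of them.
    (200, ATTACKER, 41001, 49445), (201, ATTACKER, 41002, 49446),
    (202, ATTACKER, 41003, 49447), (203, ATTACKER, 41004, 49448),
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS.splitlines():
        ports = parse_alert_ports(line)
        print(ports, "all ephemeral:", all_ephemeral(ports))
    print("naive rule flags:", detect_scans(SAMPLE_FLOWS))
    print("ignoring DC service source ports:",
          detect_scans(SAMPLE_FLOWS, ignore_service_src=True))
```

The naive rule flags both the DC and the sweeping host, because it looks only at destination ports; skipping datagrams whose source port is a service the DC is expected to serve leaves only the sweep flagged. The SEP alert text in the first post shows destination ports only, so it cannot make that distinction on its own: a packet capture on an affected client (Wireshark, or `netsh trace`) will show the DC's source port and whether the client sent a query to it first, which is what separates "DC replying to DNS/Kerberos/LDAP" from "DC probing ephemeral ports".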