Windows 2000 Server pings and scans ports on the network

Karl

Hi, we have servers that sometimes ping and scan ports of some PCs.
We have a firewalled network and updated anti-virus. We can't see any strange
session entries on the system. Does W2K Server have some services or
applications that have that behaviour and are not a problem?
Could it be Active Directory or the centralized anti-virus solution doing that?
Is there any method to check what is triggering those events?

TIA,
Karl
 
First I would make sure that they have been scanned for viruses/worms with
the latest definitions from the vendor and that they have been patched with
the latest critical updates AFTER they have been backed up/Ghosted in case
there is a problem or conflict with an update. You can also use TCPView from
SysInternals [free] to view what network related processes are running on
the servers including what ports and application they map to. It could be a
legitimate application such as a network scanning program or even something
like Microsoft Baseline Security Analyzer, but I would think that should be
apparent by looking at the applications installed on the servers, and you
might want to look at Scheduled Tasks also since it seems to be not
constant. I don't believe it is Active Directory related.

-- Steve

http://www.sysinternals.com/ntw2k/source/tcpview.shtml -- TCPView
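The following is an added example, not part of Steve's reply or the original thread, showing the check TCPView performs (which connection belongs to which process, and whether one process is fanning out across many ports on a single host) done from the text output of `netstat -ano` and `tasklist /fo csv`. The `-o` switch that prints the owning PID is Windows XP and later; on Windows 2000 itself TCPView or a similar tool is needed, so the script defaults to constructed sample output and only runs the real commands with `--live`. The sample output, the process name `scanner.exe`, and the addresses are all made up for the offline run.

```python
"""Map network connections to the owning process, the way TCPView does.

Added example, not from the original thread. Parses `netstat -ano` and
`tasklist /fo csv` text (the -o switch is XP and later; on Windows 2000 use
TCPView). The sample output below is constructed, not a real capture.
"""
import csv
import io
import subprocess
import sys
from collections import defaultdict

# Constructed sample of `netstat -ano` output (hypothetical hosts and PIDs).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       808
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1044      192.168.1.57:139       ESTABLISHED     4
  TCP    192.168.1.10:1101      192.168.1.57:21        SYN_SENT        2344
  TCP    192.168.1.10:1102      192.168.1.57:22        SYN_SENT        2344
  TCP    192.168.1.10:1103      192.168.1.57:23        SYN_SENT        2344
  TCP    192.168.1.10:1104      192.168.1.57:25        SYN_SENT        2344
  TCP    192.168.1.10:1105      192.168.1.57:80        ESTABLISHED     2344
  UDP    0.0.0.0:161            *:*                                    1196
"""

# Constructed sample of `tasklist /fo csv` output; "scanner.exe" is a
# placeholder name, not a real product.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","808","Console","0","4,812 K"
"snmp.exe","1196","Console","0","3,120 K"
"scanner.exe","2344","Console","0","9,004 K"
"""


def parse_netstat(text):
    """Return one dict per connection: proto, local, remote, state, pid."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "TCP" and len(parts) >= 5:
            proto, local, remote, state, pid = parts[:5]
        elif parts[0] == "UDP" and len(parts) >= 4:
            proto, local, remote, pid = parts[:4]
            state = ""  # UDP has no connection state
        else:
            continue  # header lines and anything unrecognised
        conns.append({"proto": proto, "local": local, "remote": remote,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Return {pid: image name} from tasklist's CSV output."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def split_endpoint(endpoint):
    """'192.168.1.57:139' -> ('192.168.1.57', '139')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def attribute(conns, names):
    """Attach the process name to each connection (TCPView's Process column)."""
    for c in conns:
        c["process"] = names.get(c["pid"], "<unknown>")
    return conns


def outbound_port_fanout(conns, threshold=4):
    """Group non-listening TCP connections by (pid, process, remote host) and
    report any process touching >= threshold distinct remote ports on one
    host, which is what a port scan looks like at the socket table level."""
    fan = defaultdict(set)
    for c in conns:
        if c["proto"] != "TCP" or c["state"] == "LISTENING":
            continue
        host, port = split_endpoint(c["remote"])
        fan[(c["pid"], c["process"], host)].add(port)
    return {k: sorted(v, key=int) for k, v in fan.items() if len(v) >= threshold}


def collect_live():
    """Run the real commands (Windows XP or later only)."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/fo", "csv"], capture_output=True, text=True, check=True).stdout
    return ns, tl


def main():
    ns, tl = collect_live() if "--live" in sys.argv[1:] else (SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    conns = attribute(parse_netstat(ns), parse_tasklist(tl))
    for c in conns:
        print(f"{c['proto']:<4} {c['local']:<22} {c['remote']:<22} "
              f"{c['state']:<12} {c['pid']:>5} {c['process']}")
    for (pid, name, host), ports in outbound_port_fanout(conns).items():
        print(f"\n{name} (PID {pid}) reached {len(ports)} distinct ports on {host}: {', '.join(ports)}")


if __name__ == "__main__":
    main()
```

On the constructed data the fan-out check singles out PID 2344 (`scanner.exe`) for reaching five ports on 192.168.1.57, while the System process's single connection to port 139 is ordinary Windows file sharing. A PID that maps to `svchost.exe` or System is not yet an answer; it says which service host to look inside next.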
 
Slow link detection uses ICMP, but I don't know of anything in AD that would
cause the port scans.

227260 How a Slow Link Is Detected for Processing User Profiles and Group
Policy
http://support.microsoft.com/?id=227260

--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Giving us more information about what protocols [ICMP, TCP, UDP, etc.] and
both source and destination ports and IP addresses would be helpful in
determining what the purpose is.

Using a sniffer such as Ethereal would be helpful for looking at packet
content, and installing a software firewall such as Kerio or Sygate on the
machine sending the traffic would let you see which program initiated the
traffic and whether or not it was just a response from another computer
making a request. Windows networking such as NetBIOS is quite frequently
chatty at unexpected times, and you quickly learn it's difficult to
investigate and determine the cause of all such traffic.

This may also help:

http://securityadmin.info/faq.asp#hacked
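The following is an added example, not part of Steve's reply or the original thread. It works through the two questions the reply raises once a sniffer capture is in hand: which protocols, ports and addresses are involved, and whether the server initiated the traffic or only answered someone else's request. The packet summary lines are constructed for the example in a tcpdump-like one-line format (bare `S` for SYN, `S.` for SYN/ACK, `R.` for RST/ACK); an Ethereal/Wireshark text export would need its own parser, and the hosts and timestamps are made up.

```python
"""Classify captured packets as request or response and find port scanners.

Added example, not from the original thread. The capture below is a
constructed tcpdump-like summary (flags: S = SYN, S. = SYN/ACK, R. = RST/ACK),
not a real trace; a real Ethereal export would need a different parser.
"""
import re
from collections import defaultdict

# Constructed sample: 192.168.1.10 pings and SYN-scans 192.168.1.57, while
# 192.168.1.57 separately opens a legitimate NetBIOS session back to .10.
SAMPLE_CAPTURE = """\
12:00:01.000 192.168.1.10 > 192.168.1.57 ICMP echo request
12:00:01.001 192.168.1.57 > 192.168.1.10 ICMP echo reply
12:00:01.100 192.168.1.10:1101 > 192.168.1.57:21 TCP S
12:00:01.101 192.168.1.57:21 > 192.168.1.10:1101 TCP R.
12:00:01.102 192.168.1.10:1102 > 192.168.1.57:22 TCP S
12:00:01.103 192.168.1.57:22 > 192.168.1.10:1102 TCP R.
12:00:01.104 192.168.1.10:1103 > 192.168.1.57:23 TCP S
12:00:01.106 192.168.1.10:1104 > 192.168.1.57:25 TCP S
12:00:01.108 192.168.1.10:1105 > 192.168.1.57:80 TCP S
12:00:01.109 192.168.1.57:80 > 192.168.1.10:1105 TCP S.
12:00:02.000 192.168.1.57:1300 > 192.168.1.10:139 TCP S
12:00:02.001 192.168.1.10:139 > 192.168.1.57:1300 TCP S.
12:00:03.000 192.168.1.57:137 > 192.168.1.255:137 UDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+(?P<proto>ICMP|TCP|UDP)\s*(?P<rest>.*)$"
)


def parse_capture(text):
    """Return one dict per packet: ts, src, sport, dst, dport, proto, rest."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a packet summary line
        p = m.groupdict()
        p["sport"] = int(p["sport"]) if p["sport"] else None
        p["dport"] = int(p["dport"]) if p["dport"] else None
        p["rest"] = p["rest"].strip()
        pkts.append(p)
    return pkts


def direction(p):
    """'request' if this packet starts an exchange, 'response' if it answers
    one. UDP and bare RST/ACK-data packets cannot be classified without
    tracking state, so they are 'unknown'."""
    if p["proto"] == "ICMP":
        return "request" if "request" in p["rest"] else "response"
    if p["proto"] == "TCP":
        if p["rest"] == "S":            # bare SYN: this side opened it
            return "request"
        if p["rest"] in ("S.", "R."):   # SYN/ACK or RST/ACK: answer to a SYN
            return "response"
    return "unknown"


def initiators(pkts):
    """Per (src, dst) pair, the set of things src actively probed on dst:
    ('TCP', port) for each SYN and ('ICMP', 'echo') for each echo request."""
    probes = defaultdict(set)
    for p in pkts:
        if direction(p) != "request":
            continue
        probe = ("TCP", p["dport"]) if p["proto"] == "TCP" else ("ICMP", "echo")
        probes[(p["src"], p["dst"])].add(probe)
    return probes


def find_scanners(pkts, min_ports=4):
    """Source/destination pairs where the source SYN'd >= min_ports distinct
    ports on the destination; returns {(src, dst): sorted ports}."""
    found = {}
    for (src, dst), probes in initiators(pkts).items():
        ports = sorted(port for proto, port in probes if proto == "TCP")
        if len(ports) >= min_ports:
            found[(src, dst)] = ports
    return found


def responses_from(host, pkts):
    """Packets host sent that were only replies to another machine's request,
    i.e. traffic that looks like activity but was not initiated by host."""
    return [p for p in pkts if p["src"] == host and direction(p) == "response"]


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for (src, dst), ports in find_scanners(pkts).items():
        print(f"{src} SYN-scanned {len(ports)} ports on {dst}: {ports}")
    for p in responses_from("192.168.1.10", pkts):
        print(f"{p['ts']} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              f"was only a response ({p['proto']} {p['rest']})")
```

On the constructed trace the server 192.168.1.10 is flagged as the initiator of the echo request and of SYNs to five ports on 192.168.1.57, whereas its SYN/ACK from port 139 is classified as a mere response to a session the other PC opened, which is exactly the distinction the host firewall or sniffer needs to make before anyone blames the server. The UDP 137 broadcast stays "unknown": NetBIOS name traffic has no handshake to key off, which is the chattiness the reply warns about.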
 