windows server (jump server) scanning multiple destination ips
Hi, I am a newbie in Windows server administration. Our Info Security team found that the Windows 2003 jump server is scanning multiple IPs on vulnerable ports (port 445 and 139), and it looks like all of the hosts are AD servers; they asked me to take a look and explain. I am totally blank: how do I resolve this issue? So many scans is an indication of malicious behavior, but it could also be some scripts or something doing such scans. How do I make sure it's not malicious behavior? Thanks
July 6th, 2012 9:30pm

First of all, you need to understand what a jump server is and why it's being hosted in your network (if it's not known yet). A typical jump box is a server on a DMZ network segment with access to those critical hosts and ports the box needs access to. In the case of a Windows network, a jump host is usually configured as a Terminal Server wherein multiple admins can log on and connect to other servers in a secure network. If a remote user wants to work with critical assets, they first log into the jump box over a remote access mechanism like Remote Desktop. Having logged into the jump box, the remote users connect to other machines on the critical network and do their work. Generally, a jump host has internet access and is used for downloading applications/patches etc., and is used as a junction point to transfer data across a secure network wherein Internet is not allowed. The jump box is heavily defended: most services are turned off, most software is uninstalled, the box is fully patched, automatic-updated, anti-virus-ed, anti-spyware-ed, host-firewalled etc. Only the necessary ports are opened from the jump host to the enterprise network, such as RDP port 3389, SMB port 445 for file transfer, ports needed to communicate with AD (389-LDAP, 53-DNS, 445, 5722-RPC, 123-Win Time, 138-DFS and GP, 139-User and Computer Authentication, Replication), and you can defend that further with a VPN. A jump host doesn't in fact scan any ports on its own unless some user is running port scanning utilities from the jump server; rather it establishes connections with the other servers running specific services using designated ports. The jump box is usually set up on a DMZ n/w and you can control which hosts and services the jump box has access to on the critical network. If you suspect some malicious network activity on the jump host, involve your network/firewall team (I am sure you might have those teams) and seek their help in diagnosing issues further...
Hope that helps, Thanks
July 7th, 2012 4:04am

Hi, execute the netstat -ano command and check the established sessions on ports 445 and 139, take the PIDs, and through the PIDs you can get the process. Regards, Aryaan
July 7th, 2012 5:04am

Thank you for the reply Santosh. My netstat output is showing PID 0 for every connection between the jump server and the destination on port 445. This behavior may occur if a local program connects to a TCP port, and then stops. The program's TCP connection to the port is left in a Timed Wait state. I am not able to find which service is using that port. I also observe some other services using TCPView, which are communicating to the same server. The output of TCPView is as follows:

    SERVICE            PID   PROTO  LOCAL PORT          DESTINATION PORT          STATE
    BESClient.exe      1284  TCP    server name:2233    server name:1025          ESTABLISHED
    lsass.exe          564   TCP    server name:1172    server name:1025          ESTABLISHED
    [System Process]   0     TCP    server name:1173    server name:microsoft-ds  TIME_WAIT

Any help regarding how to find out what exactly is causing the jump server to communicate on destination port 445 while the connection stands in the TIME_WAIT condition. Thanks, Adi
July 8th, 2012 8:10pm

Try Port Reporter. Download Port Reporter, a logging service for Windows that logs TCP/IP port usage data: http://www.microsoft.com/en-us/download/details.aspx?id=9964 Port Reporter logs TCP and UDP port activity on a local Windows system. Port Reporter is a small application that runs as a service on Windows 2000, Windows XP, and Windows Server 2003. On Windows XP and Windows Server 2003 this service is able to log which ports are used, which process is using the port, if the process is a service, which modules the process has loaded and which user account is running the process. If Port Reporter does not help, then for detailed n/w analysis you might want to use NetMon. Download NetMon: http://www.microsoft.com/en-us/download/details.aspx?id=4865 Also, if you need help on NetMon, there is a dedicated forum: http://social.technet.microsoft.com/Forums/en/netmon Thanks
July 9th, 2012 1:10am

Hi, I am seeing a system process listed only as System, PID 4, which is talking to multiple destination IPs on port 445. I know port 445 is used for SMB over TCP/IP. But why does the System process need to scan the AD servers on the network? So is this normal behaviour, that the System process tries to reach other AD servers (scan) on destination port microsoft-ds (445)? Is there any way I can find out who (I know the process is SYSTEM) and why exactly is trying to contact other AD servers on port 445? Thanks, Adi
July 9th, 2012 1:17pm
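Putting Aryaan's netstat -ano advice together with the PID 0 and PID 4 observations from the two follow-up posts, here is an added Python script (not from any poster in this thread) that parses netstat -ano output and groups connections to ports 445/139 by owning PID, annotating the two special PIDs. The netstat text inside is constructed sample data, not a capture from the jump server.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output (not a real capture).
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:2233          10.0.0.20:1025         ESTABLISHED     1284
  TCP    10.0.0.5:1172          10.0.0.20:1025         ESTABLISHED     564
  TCP    10.0.0.5:1173          10.0.0.20:445          TIME_WAIT       0
  TCP    10.0.0.5:1174          10.0.0.21:445          TIME_WAIT       0
  TCP    10.0.0.5:1180          10.0.0.22:445          ESTABLISHED     4
  TCP    10.0.0.5:1181          10.0.0.23:139          SYN_SENT        4
  UDP    0.0.0.0:123            *:*                                    1020
"""

SMB_PORTS = {445, 139}  # microsoft-ds and netbios-ssn, the ports flagged in the thread

# The two PID values the thread stumbled over; anything else is an ordinary process.
PID_NOTES = {
    0: "no owner: socket is in TIME_WAIT and the process that opened it has exited",
    4: "System: kernel-mode SMB redirector (UNC paths, net use, Group Policy), not a user program",
}

# Proto, local addr:port, foreign addr:port, optional State (absent for UDP), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return one dict per connection line; the header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        conns.append({"proto": proto, "local": laddr, "remote": raddr, "state": state or "",
                      "rport": None if rport == "*" else int(rport), "pid": int(pid)})
    return conns

def smb_by_pid(conns):
    """Group remote hosts and states per PID for TCP connections to port 445 or 139."""
    summary = defaultdict(lambda: {"hosts": set(), "states": set()})
    for c in conns:
        if c["proto"] == "TCP" and c["rport"] in SMB_PORTS:
            summary[c["pid"]]["hosts"].add(c["remote"])
            summary[c["pid"]]["states"].add(c["state"])
    for pid, entry in summary.items():
        entry["note"] = PID_NOTES.get(pid, 'user-mode process: run tasklist /svc /fi "PID eq %d"' % pid)
    return dict(summary)
```

Running it over live output (pipe netstat -ano into a file and pass the text to parse_netstat) shows at a glance whether the 445 traffic belongs to a user-mode process you can name with tasklist, or to PID 0/PID 4, where only a port logger or a packet trace such as the Port Reporter and NetMon tools suggested above can show which user action triggered it.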

