Repeated logon attempts from different ports of same IP

    I have one workstation that is attempting to logon over and over at
    different ports. It will try 2536, then .20 seconds later, 2539 and so on. I
    have reloaded the XP Pro workstation from scratch and it reappeared
    immediately. This will go on for thousands of times a day.

    I am running McAfee VirusScan Enterprise 8.0i, McAfee Desktop Firewall,
    SpyBot Search & Destroy, and Ad Aware. None of them can detect anything. I
    have my MS Windows 2003 Server locked down pretty tight, but really need to
    know what is testing my security over and over. I checked with my ISP and
    nothing out of the ordinary is going out over the internet either.

    Any help will be very appreciated. Sleep will come next.....


    Mark D. Meyer, Mar 29, 2005
    Roger Abell Guest

    Back up here . . .
    You have a domain environment?
    The source port varies, but what is the target port?
    Is it the workstation, or some account when used on that workstation
    that is attempting login to the server? If it is a domain account, have
    you examined it, its login script, its startup items?
    Roger Abell, Mar 29, 2005
  3. No, it is not a domain environment, just a standalone server.
    It is always from the same ip trying to logon to the server at a different
    port each time. ie....2546,2459,2462,2465 and so on. It will do it thousands
    of times a day.
    It appears to be the workstation.

    Thanks so far....:)

    Mark D. Meyer, Mar 29, 2005
    Dave Guest

    what is showing you this activity? how do you know it's trying to 'logon'?
    have you put a sniffer on the net to see what the traffic really is? you
    know the ip it's coming from, what is that machine? what does netstat on
    that machine show it is doing?
    Dave, Mar 29, 2005
  5. it is always from the same IP. It is doing 540, 680, 538 and one other over
    and over. I am looking at it in the Event Viewer. The PC it is coming from is
    an XP Pro box I just reloaded from scratch trying to get rid of this problem.
    Haven't tried netstat yet.....
    Mark D. Meyer, Mar 29, 2005
  6. Something else I noticed today when I was using TCPView. It is always ending
    with an epmap. Not one, but 5 usually...The ports just keep waiting...over
    and over and over....
    Mark D. Meyer, Mar 31, 2005
    Dave Guest

    unfortunately you are only providing bits and pieces of information, not
    enough for anyone to really be able to figure out what your problem may be.
    we can't read your mind, only what you type into a message. if you want
    some specific answers try replying with some specifics to the last two sets
    of specific questions rather than just throwing in another disjointed piece
    of the puzzle.
    Dave, Mar 31, 2005
  8. Believe me, if you will tell me exactly what you want / need to know, I will
    get it for you.

    Let me see if I can make this as clear as possible.

    I have the latest engine and DAT for McAfee VirusScan 8.0i, as well as for
    Desktop Firewall, Windows XP Pro, AdAware, and SpyBot. I have no drives
    mapped or printers. These two systems are only within the same subnet. On the
    Windows XP Pro box, the system will ( every 1/2 second ) try to log on to the
    NtLmSss on the Windows 2003 Server. It shows up in the Security Event Log on
    the server as .....

    Event 538 Logon/Logoff
    680 Account Logon
    576 Privilege Use
    540 Logon/Logoff

    Each time the 540 event is from the same PC, same IP, but different port. It
    also moves up ports by 3 at a time. ie...2546, 2549, 2552 and so on.

    In TCPView on the workstation, it will show the latest as listening and the
    four to five instances as waiting.

    If there is any other info that you think will help, by all means let me
    know and thank you for your assistance so far....

    Mark D. Meyer, Mar 31, 2005
    Dave Guest

    ok, that helps a bit. you don't have a tcp/ip problem, the port numbers
    being used are meaningless in this problem. it is normal for a machine to
    increment or even randomly pick an unused port to make outgoing connections.
    the tcpview info may not mean anything useful either, it just confirms that
    the machine is making the connection.

    the more interesting information would be from netstat -ao, this would show
    you what process is making the connections and may give a clue about why.
    also check the workstation's logs and see if it is logging any errors. you
    may want to give more specifics on the event log entries, maybe some of the
    details would mean something to someone who knows more about that type of
    problem. for now all i see that you may want to look at is this article to
    see if it has any clues:;en-us;822774
    Dave, Mar 31, 2005
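
The point in the last reply, that the changing source port is only an ephemeral port and carries no meaning, shown as an added example that is not part of the original thread: it groups event 540 records by source IP, account and logon process and measures how often they repeat, reporting the port without using it as a key. The record layout, addresses and account names are constructed for illustration and are not a real Event Viewer export.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (simplified layout, not a real event log export).
# Fields: time, event ID, source IP, source port, account, logon process.
SAMPLE = """\
2005-03-31 10:00:00.0,540,192.0.2.10,2546,user1,NtLmSsp
2005-03-31 10:00:00.5,540,192.0.2.10,2549,user1,NtLmSsp
2005-03-31 10:00:01.0,540,192.0.2.10,2552,user1,NtLmSsp
2005-03-31 10:00:01.5,540,192.0.2.10,2555,user1,NtLmSsp
2005-03-31 10:05:00.0,540,192.0.2.20,1033,user2,NtLmSsp
"""

def parse(text):
    """Turn the constructed comma-separated records into dictionaries."""
    rows = []
    for line in text.strip().splitlines():
        ts, eid, ip, port, account, proc = line.split(",")
        rows.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
                     "id": int(eid), "ip": ip, "port": int(port),
                     "account": account, "process": proc})
    return rows

def summarize_logons(rows, min_count=3, max_gap_s=1.0):
    """Group event 540 by (source IP, account, logon process), never by port."""
    groups = defaultdict(list)
    for r in rows:
        if r["id"] == 540:
            groups[(r["ip"], r["account"], r["process"])].append(r)
    report = {}
    for key, evs in groups.items():
        evs.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds()
                for a, b in zip(evs, evs[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else None
        report[key] = {
            "count": len(evs),
            # Each connection gets a fresh ephemeral port, so this tracks count.
            "distinct_ports": len({r["port"] for r in evs}),
            "mean_gap_s": mean_gap,
            "repetitive": (len(evs) >= min_count and mean_gap is not None
                           and mean_gap <= max_gap_s),
        }
    return report

if __name__ == "__main__":
    for key, stats in summarize_logons(parse(SAMPLE)).items():
        print(key, stats)
```

The grouping key that stands out as repetitive is what to look up on the workstation with `netstat -ao`, which ties the connections to a process.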
