
Udp service sweep

Name: 701598981
Date: October 17, 2005 at 06:07:00 Pacific
OS: Windows XP Professional 5
CPU/Ram: Pentium 4, Processor Spee
Comment:

The company IDS sensors are alerting on the UDP_SERVICE_SWEEP sig. The alert specifies UDP sweeps directed to port 389 from this PC. The source port seems to increment by one. Using TDImon I can see that it is the lsass.exe process that is calling up these connections. The destination IPs seem to be repeated rather than random. I have scanned with many spyware AV programs but nothing is found. I cannot see any suspicious processes running in Task Manager.

11:33:12 lsass.exe:1364 82164F90 IRP_MJ_CLEANUP UDP:0.0.0.0:4771 SUCCESS
11:33:12 lsass.exe:1364 82164F90 IRP_MJ_CLOSE UDP:0.0.0.0:4771 SUCCESS
11:33:12 lsass.exe:1364 82164F90 IRP_MJ_CREATE UDP:0.0.0.0:0 SUCCESS Address Open
11:33:12 lsass.exe:1364 82164F90 TDI_SET_EVENT_HANDLER UDP:0.0.0.0:4772 SUCCESS Error Event
11:33:12 lsass.exe:1364 82164F90 TDI_SET_EVENT_HANDLER UDP:0.0.0.0:4772 SUCCESS Datagram Receive Event
11:33:12 lsass.exe:1364 82164F90 TDI_SET_EVENT_HANDLER UDP:0.0.0.0:4772 SUCCESS ErrorEx Event
11:33:12 lsass.exe:1364 82164F90 TDI_QUERY_INFORMATION UDP:0.0.0.0:4772 SUCCESS Query Address
11:33:12 lsass.exe:1364 82164F90 TDI_CONNECT UDP:0.0.0.0:4772 10.229.124.107:389 SUCCESS
11:33:12 lsass.exe:1364 82164F90 TDI_SEND UDP:0.0.0.0:4772 10.229.124.107:389 SUCCESS Length:255
11:33:12 lsass.exe:1364 82164F90 TDI_EVENT_ERROREX UDP:0.0.0.0:4772 10.229.124.107:389 SUCCESS Error: F895F994
11:33:12 lsass.exe:1364 82164F90 TDI_SET_EVENT_HANDLER UDP:0.0.0.0:4772 10.229.124.107:389 SUCCESS Datagram Receive Event: NULL
11:33:12 lsass.exe:1364 82164F90 TDI_SET_EVENT_HANDLER UDP:0.0.0.0:4772 10.229.124.107:389 SUCCESS ErrorEx Event: NULL
11:33:12 lsass.exe:1364 82164F90 TDI_SET_EVENT_HANDLER UDP:0.0.0.0:4772 10.229.124.107:389 SUCCESS Error Event: NULL
11:33:12 lsass.exe:1364 82164F90 IRP_MJ_CLEANUP UDP:0.0.0.0:4772 SUCCESS
11:33:12 lsass.exe:1364 82164F90 IRP_MJ_CLOSE UDP:0.0.0.0:4772 SUCCESS
11:33:12 lsass.exe:1364 82164F90 IRP_MJ_CREATE UDP:0.0.0.0:0 SUCCESS Address Open
11:33:12 lsass.exe:1364 82164F90 TDI_SET_EVENT_HANDLER UDP:0.0.0.0:4773 SUCCESS Error Event
11:33:12 lsass.exe:1364 82164F90 TDI_SET_EVENT_HANDLER UDP:0.0.0.0:4773 SUCCESS Datagram Receive Event
11:33:12 lsass.exe:1364 82164F90 TDI_SET_EVENT_HANDLER UDP:0.0.0.0:4773 SUCCESS ErrorEx Event
11:33:12 lsass.exe:1364 82164F90 TDI_QUERY_INFORMATION UDP:0.0.0.0:4773 SUCCESS Query Address
11:33:12 lsass.exe:1364 82164F90 TDI_CONNECT UDP:0.0.0.0:4773 10.224.31.69:389 SUCCESS
11:33:12 lsass.exe:1364 82164F90 TDI_SEND UDP:0.0.0.0:4773 10.224.31.69:389 SUCCESS Length:255

Thanks

Paul


Response Number 1
Name: Zenith
Date: October 17, 2005 at 08:59:41 Pacific
Reply:

Port 389 is used for LDAP. Got this service/query running on the PC?

98% of the population is asleep. The other 2% are staring around in complete amazement, abject terror, or both.
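
A triage sketch for the trace posted in this thread, added here as an example and not written by either poster: it parses TDImon-style lines and summarises which process sent UDP datagrams to port 389, to which destinations, and whether the source ports step by one. The field layout is inferred from the lines quoted in the post; the function name `summarize` and the last sample line are constructed for illustration.

```python
import re
from collections import Counter

# Lines 1-5 are copied from the TDImon trace in the post; line 6 is constructed
# to show a destination that repeats.
TRACE = """\
11:33:12 lsass.exe:1364 82164F90 TDI_CONNECT UDP:0.0.0.0:4772 10.229.124.107:389 SUCCESS
11:33:12 lsass.exe:1364 82164F90 TDI_SEND UDP:0.0.0.0:4772 10.229.124.107:389 SUCCESS Length:255
11:33:12 lsass.exe:1364 82164F90 TDI_EVENT_ERROREX UDP:0.0.0.0:4772 10.229.124.107:389 SUCCESS Error: F895F994
11:33:12 lsass.exe:1364 82164F90 IRP_MJ_CLOSE UDP:0.0.0.0:4772 SUCCESS
11:33:12 lsass.exe:1364 82164F90 TDI_SEND UDP:0.0.0.0:4773 10.224.31.69:389 SUCCESS Length:255
11:33:13 lsass.exe:1364 82164F90 TDI_SEND UDP:0.0.0.0:4774 10.229.124.107:389 SUCCESS Length:255
"""

# time, process:pid, object handle, request, local endpoint, optional remote endpoint, result
LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<proc>[^\s:]+):(?P<pid>\d+)\s+[0-9A-F]{8}\s+"
    r"(?P<req>\S+)\s+UDP:[\d.]+:(?P<lport>\d+)"
    r"(?:\s+(?P<rip>\d+(?:\.\d+){3}):(?P<rport>\d+))?\s+(?P<result>\S+)"
)

def summarize(trace, dport=389):
    """Summarise UDP sends to `dport`: who sent, to where, and from which ports."""
    sends, errors = [], Counter()
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        # Skip unparsable lines and events with no remote endpoint or another port.
        if not m or m["rport"] is None or int(m["rport"]) != dport:
            continue
        if m["req"] == "TDI_SEND":
            sends.append((m["proc"], int(m["pid"]), int(m["lport"]), m["rip"]))
        elif m["req"] == "TDI_EVENT_ERROREX":
            errors[m["rip"]] += 1
    ports = [s[2] for s in sends]
    return {
        "processes": sorted({(proc, pid) for proc, pid, _, _ in sends}),
        "datagrams": len(sends),
        "per_destination": dict(Counter(s[3] for s in sends)),
        "errors": dict(errors),
        # True when each send used the next local port, as the alert describes.
        "sequential_source_ports": len(ports) > 1
        and all(b - a == 1 for a, b in zip(ports, ports[1:])),
    }

if __name__ == "__main__":
    for key, value in summarize(TRACE).items():
        print(f"{key}: {value}")
```

The per-destination counts give a short address list that can be checked against the site's known directory servers, which is the comparison the repeated-destination observation in the post calls for.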

