Blackice Detecting TCP and UDP probes from printserver

Group: Microsoft Applications Security
Subject: Blackice Detecting TCP and UDP probes from printserver | Author: Ishmealm | Date: 08-31-2006
Posted by Ishmealm on August 31, 2006, 11:03 am
Hi,
I've got a user running Blackice and he's getting about 15,000 probes
a day from one of our print servers. Everything that I've seen points to
someone maliciously running scans, but I don't think that this is the case
this time. Is there any reason in the Windows world that a server would
probe a workstation? I don't see anything in the event logs that corresponds
to the probe times and he doesn't use that print server. Here's a sample of
the Blackice log:

Time, Event, Intruder, Count
8/24/2006 1:07:23 PM, UDP_Probe_SNMP, PRINT-37, 519
8/24/2006 1:08:22 PM, TCP_Probe_Other, PRINT-37, 10290
8/24/2006 7:32:57 PM, UDP_Probe_SNMP, PRINT-37, 564
8/24/2006 7:33:30 PM, TCP_Probe_Other, PRINT-37, 11382
8/25/2006 6:15:36 PM, UDP_Probe_SNMP, PRINT-37, 923
8/25/2006 6:16:09 PM, TCP_Probe_Other, PRINT-37, 20078
8/28/2006 7:20:15 PM, UDP_Probe_SNMP, PRINT-37, 1124
8/28/2006 7:22:11 PM, TCP_Probe_Other, PRINT-37, 21563
8/29/2006 8:19:34 AM, UDP_Probe_SNMP, PRINT-37, 75
8/29/2006 8:20:30 AM, TCP_Probe_Other, PRINT-37, 1914
8/29/2006 1:15:15 PM, UDP_Probe_SNMP, PRINT-37, 382
8/29/2006 1:15:41 PM, TCP_Probe_Other, PRINT-37, 8811


Posted by Ishmealm on August 31, 2006, 11:55 am
Never mind, one of our super geniuses figured out that there was once a print
queue that had the same IP as this user's PC. Someone apparently still has
that printer mapped and sent a print to it and never cancelled it.
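Added example, not code from the post or from Blackice: a Python script that parses rows in the log layout quoted in the first post, totals the Count column per day and source so the per-day volume can be checked against a threshold, and flags the SNMP-probe-then-TCP-probe rhythm that fits the stale print queue explanation in the second post. The 120-second window and the spooler heuristic are assumptions, and the sample rows are constructed from the post.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample input: rows quoted in the first post, in Blackice's CSV layout.
BLACKICE_LOG = """Time, Event, Intruder, Count
8/24/2006 1:07:23 PM, UDP_Probe_SNMP, PRINT-37, 519
8/24/2006 1:08:22 PM, TCP_Probe_Other, PRINT-37, 10290
8/24/2006 7:32:57 PM, UDP_Probe_SNMP, PRINT-37, 564
8/24/2006 7:33:30 PM, TCP_Probe_Other, PRINT-37, 11382
8/29/2006 8:19:34 AM, UDP_Probe_SNMP, PRINT-37, 75
8/29/2006 8:20:30 AM, TCP_Probe_Other, PRINT-37, 1914
8/29/2006 1:15:15 PM, UDP_Probe_SNMP, PRINT-37, 382
8/29/2006 1:15:41 PM, TCP_Probe_Other, PRINT-37, 8811
"""

def parse_log(text):
    """Return (timestamp, event, intruder, count) tuples; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or parts[0] == "Time":
            continue
        ts = datetime.strptime(parts[0], "%m/%d/%Y %I:%M:%S %p")
        rows.append((ts, parts[1], parts[2], int(parts[3])))
    return rows

def daily_totals(rows):
    """Sum the Count column per (day, source)."""
    totals = defaultdict(int)
    for ts, _event, src, count in rows:
        totals[(ts.date().isoformat(), src)] += count
    return dict(totals)

def over_threshold(rows, threshold=15000):
    """(day, source, total) for each day on which one source sent at least `threshold` probes."""
    return sorted((day, src, n) for (day, src), n in daily_totals(rows).items() if n >= threshold)

def spooler_like_pairs(rows, window_s=120):
    """Heuristic (an assumption, not a Blackice feature): an SNMP probe followed within
    window_s seconds by a TCP probe from the same host is the status-poll-then-connect
    pattern of a spooler retrying a job. Returns (source, snmp_time, tcp_time) triples."""
    by_src = defaultdict(list)
    for row in sorted(rows):
        by_src[row[2]].append(row)
    pairs = []
    for src, evs in by_src.items():
        for a, b in zip(evs, evs[1:]):
            gap = (b[0] - a[0]).total_seconds()
            if a[1] == "UDP_Probe_SNMP" and b[1].startswith("TCP_Probe") and gap <= window_s:
                pairs.append((src, a[0].isoformat(), b[0].isoformat()))
    return pairs
```

Before treating a flagged source as hostile, check whether the "intruder" address was recently reassigned (DHCP lease or DNS record reuse), which is exactly what the second post found.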
