It's Windows stuff between TCP 139-145, which is normal in Windows networks; however, if this is a web server that's worrying, and you'll probably want to firewall this completely, as it's the only way to completely eliminate that kind of traffic.
It's important to know that this doesn't mean your machine is being directly targeted; there are a lot of viruses out there that port scan machines and try to find boxes they can compromise, so this is probably just an average port scan from one of them.
You may remember the Blaster virus; this is exactly how it spread ...
Dan Kitchen | Technical Director | Razorblue
ddi: (+44) (0)1748 900 680 | e: [email protected]
UK Intensive Managed Hosting, Clusters and Colocation.
HP Servers, Cisco/Juniper Powered BGP Network (AS15692).
Thanks for the response. It is a Win2003 Web Server that is running all web related services (DNS/Mail/FTP/Web). My data center had a major traffic flow on several of the machines about 2 weeks ago. They are still doing research as to exactly what happened. There was a concern that my machine or others on the subnet were infected. But right now they are leaning towards a NetBios subnet scan or DDOS.
The IP disappeared for about 10 minutes and then reappeared. I ran netstat and here is what I found:
C:\Documents and Settings\Administrator>netstat
Proto Local Address Foreign Address State
TCP <computer_name>:3921 <my_ip>:1201 ESTABLISHED
TCP <computer_name>:microsoft-ds user-<their_ip_at_mindspring_cable>:2722 ESTABLISHED
What is ms-ds???
Update: googlism.com said this:
microsoft-ds is Microsoft's active directory services
microsoft-ds is a port used ever since windows 2000 was introduced
microsoft-ds is open port
microsoft-ds is a file sharing application that allows users to share files through port 445
microsoft-ds is a tcp/udp service on port 445
microsoft-ds is the name of this destination
Could this port/service be turned off?
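The netstat listing above is the kind of thing worth checking routinely rather than once. The following script is an added example (not from this thread or from any of the posters) that parses plain `netstat` output, maps the service names Windows prints (microsoft-ds, netbios-ssn) back to their port numbers, and flags ESTABLISHED SMB/NetBIOS sessions whose peer is outside a set of trusted networks. The sample netstat text, the host name `webserver`, the peer addresses and the trusted network list are all constructed for the example; in practice you would run `netstat -n` and paste its output in, because without `-n` Windows resolves peers to DNS names (such as the cable-modem PTR record in the post), which the script treats as untrusted since it cannot place a name inside a subnet.

```python
import ipaddress

# Ports behind the service names netstat prints when run without -n.
# Assumption: the names come from the standard Windows services file.
SMB_SERVICE_PORTS = {
    "microsoft-ds": 445,   # SMB directly over TCP (Windows 2000 and later)
    "netbios-ssn": 139,    # NetBIOS session service (SMB over NetBIOS)
    "netbios-ns": 137,     # NetBIOS name service
    "netbios-dgm": 138,    # NetBIOS datagram service
}
WATCHED_PORTS = set(SMB_SERVICE_PORTS.values())

# Constructed sample, modelled on the listing in the post (not real hosts).
SAMPLE_NETSTAT = """C:\\Documents and Settings\\Administrator>netstat

Active Connections

  Proto  Local Address           Foreign Address        State
  TCP    webserver:3921          203.0.113.10:1201      ESTABLISHED
  TCP    webserver:microsoft-ds  198.51.100.77:2722     ESTABLISHED
  TCP    webserver:microsoft-ds  10.0.0.5:1055          ESTABLISHED
  TCP    webserver:netbios-ssn   user-198-51-100-78.example.net:3044  ESTABLISHED
  TCP    webserver:http          192.0.2.44:51234       ESTABLISHED
"""

# Constructed: the colo subnet and an admin office range that may use SMB.
TRUSTED_NETWORKS = ["10.0.0.0/8", "203.0.113.0/24"]


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port_number).

    The port may be a service name such as microsoft-ds; a name we do not
    know (e.g. http) becomes None so it never matches a watched port.
    """
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, SMB_SERVICE_PORTS.get(port)


def parse_netstat(text):
    """Return one dict per TCP row; prompt, banner and header are skipped.

    Windows prints UDP rows with no State column (3 fields), so they are
    skipped too; this check is about established SMB sessions.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        proto, local, foreign, state = parts
        local_host, local_port = split_endpoint(local)
        foreign_host, foreign_port = split_endpoint(foreign)
        rows.append({
            "proto": proto,
            "local_host": local_host, "local_port": local_port,
            "foreign_host": foreign_host, "foreign_port": foreign_port,
            "state": state,
        })
    return rows


def is_trusted(host, trusted_nets):
    """True only if host is a literal IP inside one of trusted_nets.

    A DNS name cannot be placed in a subnet, so it is treated as untrusted;
    rerun netstat with -n to get numeric peers.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)


def flag_smb_sessions(text, trusted):
    """Established sessions on SMB/NetBIOS ports from untrusted peers."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    findings = []
    for row in parse_netstat(text):
        if (row["local_port"] in WATCHED_PORTS
                and row["state"] == "ESTABLISHED"
                and not is_trusted(row["foreign_host"], nets)):
            findings.append(row)
    return findings


if __name__ == "__main__":
    for f in flag_smb_sessions(SAMPLE_NETSTAT, TRUSTED_NETWORKS):
        print("SMB session from untrusted peer %s -> local port %d"
              % (f["foreign_host"], f["local_port"]))
```

On the constructed sample this reports the two sessions from outside the trusted ranges (the 445 session from 198.51.100.77 and the 139 session from the resolved cable-modem name) and stays quiet about the 445 session from 10.0.0.5 and the ordinary web and high-port connections. Anything it reports on a colocated web server is a candidate for the firewall rule discussed later in the thread.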
Yes. It needs to be enabled for Helm Control Panel. Any particular reason?
Yes, I've been looking at software firewalls. It was a clean install with all of the patches applied before going live (including the latest SP). Plus, I had some security things tweaked with a security audit from the installers. Plus, a pretty proactive data center, although no dedicated hardware firewall is directly in front of the box.
I've been reading as much as possible about software firewalls. I realize they are not the ideal solution, as they don't address DDOS issues, but it sounds like they can prevent brute force hacking and a few other nasties.
I've seen some say "as long as you have all the patches applied" you're good. I've seen some say "a software firewall is good". I've seen others say "it ain't nothing unless it's a dedicated hardware firewall".
I'm colocated, so a software firewall seems the best solution. I've read things like "Zone Alarm is good" to "you need Kerio". I've even seen some say that the new built-in Windows Firewall is the way to go.
It is a bit OT, but any thoughts on a Windows Firewall?
If file sharing is enabled then it's possible that's one of many potential things, not all of which are problems. I'm surprised to hear something like Helm needs file/printer sharing enabled to work. Can you restrict it (Helm) to specific hosts? The built-in 2003 firewall actually isn't terrible if used correctly, and you definitely don't want file and printer sharing open over the internet.