>
> Has anybody out there been seeing scans of port 445 from machines on campus?
>
>
>
> Oct 17 13:52:37 myhostname [2370]: attackalert: TCP SYN/Normal scan from
> host: haydn.cse.msu.edu/35.9.26.157 to TCP port: 445
>
> From what I understand this is an attempt to test for then exploit
> avulnerability.
>
> 1. Anybody know the specifics on this?
>
> 2. Isn't scanning other departments machines without their consent against
> Acceptable Use Policy?
There are literally thousands of computer systems either on the MSU campus
or associated with MSU users which are compromised, and are scanning port
445 and others. We have been tracking these systems for several months, now.
We have been working on notifying the system owners of these systems, but it
is a time-consuming process, and we can only handle a small percentage of the
worst offenders at any given time.
The bulk of the compromised computer systems are either in the residence halls,
or connect to our network through the local dialup lines. We do see some
departmental computer systems among the list, and we make an effort to notify
those sysadmins in a timely fashion.
The specific CSE system you list above does show on our list of compromised,
scanning systems, but even after discounting many dialup, residence hall, and
DHCP-registered computers, still ranks only 18th in the list of top scanners
over the past few days. I would imagine that we will be notifying the CSE
department shortly, if we haven't already, about that system.
The MSU Statement of Acceptable Use (new terminology for what has been
called the "Acceptable Use Policy") prohibits intentionally seeking data
belonging to other users, attempting to infiltrate, or attempting to damage
other computers. To the best of my knowledge, none of the port scanning
activity we see is an intentional act on the part of any MSU individual,
and therefore would not be an Acceptable Use issue. It's not clear whether
port scanning, in and of itself, constitutes an infiltration or intrusion.
A port scan can only tell you if a given system may be running a specific
service or protocol - it doesn't return data from the target system. Now,
most attack tools will follow up on a positive return from a port scan with
an attempt to access the system or service in question, generally with the
goal of compromising the computer system, and occasionally with the goal of
obtaining data from that system.
I will say that while the Statement of Acceptable Use may or may not directly
prohibit port scanning, our policy is to obtain permission before running any
intentional port scans. We either get the permission from the system owner
(with the explicit or implied consent from all system users), or from our
director and/or from VP Dave Gift, before any system scans are run.
The best advice I can give, as always, is to keep your systems patched, turn
off unneeded services, and ensure that your firewalls allow access to only
those systems which need access.
Doug
Doug Nelson, Network Manager | [log in to unmask]
Academic Computing and Network Services | Ph: (517) 353-2980
Michigan State University | http://www.msu.edu/~nelson/
|