> > Has anybody out there been seeing scans of port 445 from machines on campus?
> >
> > Oct 17 13:52:37 myhostname [2370]: attackalert: TCP SYN/Normal scan from host: haydn.cse.msu.edu/35.9.26.157 to TCP port: 445
> >
> > From what I understand this is an attempt to test for then exploit a vulnerability.
> >
> > 1. Anybody know the specifics on this?
> >
> > 2. Isn't scanning other departments' machines without their consent against Acceptable Use Policy?

There are literally thousands of computer systems either on the MSU campus or associated with MSU users which are compromised, and are scanning port 445 and others. We have been tracking these systems for several months, now. We have been working on notifying the system owners of these systems, but it is a time-consuming process, and we can only handle a small percentage of the worst offenders at any given time.

The bulk of the compromised computer systems are either in the residence halls, or connect to our network through the local dialup lines. We do see some departmental computer systems among the list, and we make an effort to notify those sysadmins in a timely fashion.

The specific CSE system you list above does show on our list of compromised, scanning systems, but even after discounting many dialup, residence hall, and DHCP-registered computers, still ranks only 18th in the list of top scanners over the past few days. I would imagine that we will be notifying the CSE department shortly, if we haven't already, about that system.

The MSU Statement of Acceptable Use (new terminology for what has been called the "Acceptable Use Policy") prohibits intentionally seeking data belonging to other users, attempting to infiltrate, or attempting to damage other computers. To the best of my knowledge, none of the port scanning activity we see is an intentional act on the part of any MSU individual, and therefore would not be an Acceptable Use issue.

It's not clear whether port scanning, in and of itself, constitutes an infiltration or intrusion. A port scan can only tell you if a given system may be running a specific service or protocol - it doesn't return data from the target system. Now, most attack tools will follow up on a positive return from a port scan with an attempt to access the system or service in question, generally with the goal of compromising the computer system, and occasionally with the goal of obtaining data from that system.

I will say that while the Statement of Acceptable Use may or may not directly prohibit port scanning, our policy is to obtain permission before running any intentional port scans. We either get the permission from the system owner (with the explicit or implied consent from all system users), or from our director and/or from VP Dave Gift, before any system scans are run.

The best advice I can give, as always, is to keep your systems patched, turn off unneeded services, and ensure that your firewalls allow access to only those systems which need access.

Doug

Doug Nelson, Network Manager
Academic Computing and Network Services | Ph: (517) 353-2980
Michigan State University | http://www.msu.edu/~nelson/
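
An added example, not part of the original message: one way a sysadmin could build the kind of "top scanners" ranking mentioned above from attackalert lines in the format quoted in the question. The sample log is constructed with documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Field layout taken from the attackalert line quoted in the message.
ALERT_RE = re.compile(
    r"attackalert: (?P<kind>.+?) scan from host: "
    r"(?P<name>\S+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

# Constructed sample log. Addresses come from the RFC 5737 documentation
# ranges; none of these lines are real observations.
SAMPLE_LOG = """\
Oct 17 13:52:37 myhostname [2370]: attackalert: TCP SYN/Normal scan from host: host-a.example.edu/192.0.2.10 to TCP port: 445
Oct 17 13:52:41 myhostname [2370]: attackalert: TCP SYN/Normal scan from host: 198.51.100.7/198.51.100.7 to TCP port: 445
Oct 17 13:53:02 myhostname [2370]: attackalert: TCP SYN/Normal scan from host: host-a.example.edu/192.0.2.10 to TCP port: 445
Oct 17 13:53:09 myhostname [2370]: attackalert: TCP SYN/Normal scan from host: 198.51.100.7/198.51.100.7 to TCP port: 135
Oct 17 13:54:15 myhostname [2370]: attackalert: TCP SYN/Normal scan from host: host-c.example.edu/203.0.113.5 to TCP port: 445
Oct 17 13:54:20 myhostname sshd[411]: Accepted publickey for admin from 192.0.2.50
Oct 17 13:55:30 myhostname [2370]: attackalert: TCP SYN/Normal scan from host: host-a.example.edu/192.0.2.10 to TCP port: 445
"""

def rank_scanners(log_text, port=445):
    """Return [(ip, hits, hostnames)] for probes of `port`, busiest first."""
    hits = Counter()
    names = defaultdict(set)
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m["port"]) != port:
            continue  # unrelated syslog line, or a probe of another port
        # Key on the IP: the name field is just the IP when reverse DNS fails.
        hits[m["ip"]] += 1
        names[m["ip"]].add(m["name"])
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, n, sorted(names[ip])) for ip, n in ranked]

def rank_of(ip, ranking):
    """1-based position of `ip` in a ranking, or None if it never scanned."""
    for pos, (addr, _, _) in enumerate(ranking, start=1):
        if addr == ip:
            return pos
    return None

if __name__ == "__main__":
    for ip, n, hostnames in rank_scanners(SAMPLE_LOG):
        print(f"{n:4d}  {ip:15s}  {', '.join(hostnames)}")
```
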