Event ID: 15105 Source: Microsoft Firewall
ISA Server detected an all port scan attack from Internet Protocol (IP) address <ip address>.
To identify what type of traffic caused this event, look up the IP address mentioned in the event in the ISA logs. The logs can be queried in different ways, depending on their format.
In one instance, the ISA logs identified the source of the port scan as a computer on the internal network on port UDP/1434 (used by SQL management utilities). Running a sniffer (Ethereal) on that computer revealed that in fact it was the ISA server that was broadcasting on UDP/1434 and the internal computer (running MSDE) was answering to this broadcast. Upon further investigation, we realized that the ISA was running the SQL Server Service Manager utility (ISA installs MSDE for logging purposes) and this utility was broadcasting on 255.255.255.255 every 5 seconds looking for SQL servers. While doing that, it was recording the answers from the other computers as potential network scans! Stopping the SQL Server Service Manager on the ISA fixed the problem.
ME319381 describes a condition when this message can be recorded when the Windows Media Player client tries to reuse the UDP port before it has been properly freed at the ISA server. A post-SP1 hotfix is available.
In many situations, normal Internet packet delays may result in this type of message.
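An added example (not part of the original page or of ISA Server) of the log lookup suggested above: it reads a W3C-format firewall log, selects the records sent by the IP address named in the event, and groups them by protocol and source port so that reply traffic such as the UDP/1434 case stands out. The column names, the `ip:port` endpoint layout and the sample records are constructed assumptions; adjust them to the `#Fields:` line of your own log.

```python
from collections import defaultdict

# Constructed sample in W3C extended log format (tab-separated, "#Fields:" header).
# Column names and the ip:port endpoint layout are assumptions, not taken from the page.
SAMPLE_LOG = "\n".join([
    "#Fields: date\ttime\tIP protocol\tsource\tdestination\taction",
    "2004-05-01\t10:00:00\tUDP\t192.0.2.10:1434\t192.0.2.1:3001\tDenied",
    "2004-05-01\t10:00:05\tUDP\t192.0.2.10:1434\t192.0.2.1:3002\tDenied",
    "2004-05-01\t10:00:10\tUDP\t192.0.2.10:1434\t192.0.2.1:3003\tDenied",
    "2004-05-01\t10:00:11\tTCP\t192.0.2.10:4021\t198.51.100.7:80\tAllowed",
    "2004-05-01\t10:00:12\tTCP\t192.0.2.22:4100\t198.51.100.7:80\tAllowed",
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line.strip() and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def split_endpoint(value):
    """Split 'ip:port' into (ip, port)."""
    host, _, port = value.rpartition(":")
    return host, int(port)

def summarize(text, ip, src="source", dst="destination", proto="IP protocol"):
    """Map (protocol, source port) -> set of destination ports for records sent by ip."""
    groups = defaultdict(set)
    for rec in parse_w3c(text):
        src_ip, src_port = split_endpoint(rec[src])
        if src_ip == ip:
            groups[(rec[proto], src_port)].add(split_endpoint(rec[dst])[1])
    return dict(groups)

def fixed_source_port_fanout(groups, min_ports=3):
    """Return (protocol, source port) pairs that reached >= min_ports destination ports.
    One fixed source port sending to many destination ports is what a service answering
    queries looks like (the UDP/1434 case on this page); it is a lead, not proof."""
    return sorted(k for k, ports in groups.items() if len(ports) >= min_ports)

if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG, "192.0.2.10")
    for key in fixed_source_port_fanout(groups):
        print(key, sorted(groups[key]))
```

A group flagged here is a reason to capture traffic on the reported host, as the comment above did with a sniffer, before treating the event as a real scan.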
|Links: ME319381, Ethereal|