Outbound random traffic - source port increments by 1

[dcranford]

I saw a thread here dated about 4 weeks ago and it sounds like I am having similar issues. I wonder if something new is making the rounds...

I've got PCs randomly polling the web; for example, starting at source port 1500 and the destination port of 80. The next traffic attempts 1501, then 1502, and so on. These occur at the rate of two attempts per second. I've seen the port numbers as high as 60000+.

E-Trust (our enterprise security suite), Security Essentials, and SuperAntiSpyware report nothing. For the most part, most of the PCs have automatic updates turned on. The few that do not, we update manually but it does not help. It does seem to be limited to "non-server" Windows OS (XP and some older Win 2000 PCs). The traffic always begins when the user open Internet Explorer. I've used Sysinternals Autoruns and see nothing unexpected.

Any one have knowledge of this type of behavior?

 

[goombawaho]

I don't have knowledge of that particular behavior or what it might be, but I would scan one of the afflicted machines with one or more of the following:

GMER
ComboFix (need to remove your AV before running it)
Radix
MalwareByte's anti-malware

 

[Noway2]

Outbound connections to port 80 will originate from a higher port number, which is generally random. Perhaps the algorithm used to pick a port starts at 1500 and then increments by one on each subsequent connection.

 

[dcranford]

The 1500 I was using was an example. It's been hard to find the exact starting port being used due to the inablity to monitor the output 24/7 but it is near that number. I've got CA scheduled to contact me today once I can get physically to one of these PCs. Thanks for the input so far. Your time is appreciated.