If you don't know who is scanning you, I would definitely investigate the scans. Although you may think that the server is secure, there are always new flaws/vulnerabilities that you may not know about. If you are seeing a scan a couple times a day, someone is certainly checking out your ISA server. Probably using NMAP. You may want to do a reverse lookup on the IP address in your log, and give the company a call regarding the scans. It may stop an attack before it happens.
I too have been receiving port scans from 127.0.0.1. The thing that sucks is it emails my cell phone with these alerts. I get no sleep. After many moons of trying to figure it out... I finally said screw it. Well, I skimmed the firewall logs again and noticed the following:
A program called AutoProxy is trying to access the IP: 127.0.0.1 and Port: #### (these seem to be random ports, hence the alert seeing it as a scan)
Well...I found what IP they were coming from. I went to the Internal machine and found the following as well:
I deleted the key....it came back immediately after a refresh.
In the System32 folder:
lzfqndc.exe and .dll
I opened the DLL file with WordPad and at the bottom of the file it mentioned Autoproxy. So I rebooted into Safe Mode and removed the registry key and deleted the two files in System32.
I am waiting to see if that was the cause. So far I have not received an alert yet.
Sorry for the long-winded story, but I had lots of coffee today.
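
The log review described in the post above, as an added example that is not part of the original thread: it groups firewall log entries by source machine and client program and reports any pair that touched many distinct ports on a loopback destination, which is the pattern that raised the scan alert. The tab-separated layout, the addresses and the function name are assumptions made for this example and are not the ISA Server log format.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample log: time, source IP, destination IP, destination port,
# client program. Field layout and values are invented for this example.
SAMPLE_LOG = (
    "02:14:01\t10.0.0.23\t127.0.0.1\t1047\tAutoProxy\n"
    "02:14:01\t10.0.0.23\t127.0.0.1\t2210\tAutoProxy\n"
    "02:14:02\t10.0.0.40\t203.0.113.5\t80\tiexplore.exe\n"
    "02:14:02\t10.0.0.23\t127.0.0.1\t3391\tAutoProxy\n"
    "this line is malformed and must be skipped\n"
    "02:14:03\t10.0.0.23\t127.0.0.1\t4120\tAutoProxy\n"
    "02:14:03\t10.0.0.40\t127.0.0.1\t8080\tupdater.exe\n"
    "02:14:04\t10.0.0.23\t127.0.0.1\t5876\tAutoProxy\n"
    "02:14:04\t10.0.0.23\t127.0.0.1\t1047\tAutoProxy\n"
    "02:14:05\t10.0.0.23\t127.0.0.1\t6003\tAutoProxy\n"
)


def is_loopback(addr):
    """True for any address in 127.0.0.0/8 or ::1; False if unparsable."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def loopback_port_sweeps(log_text, min_ports=5):
    """Map (source IP, program) -> sorted distinct loopback ports it tried,
    keeping only pairs that reached at least min_ports different ports."""
    seen = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) != 5:
            continue  # malformed or truncated line
        _time, src, dst, port, program = row
        if not port.isdigit() or not is_loopback(dst):
            continue
        seen[(src, program)].add(int(port))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}


if __name__ == "__main__":
    for (src, program), ports in loopback_port_sweeps(SAMPLE_LOG).items():
        print(f"{src} {program}: {len(ports)} distinct loopback ports {ports}")
```

The output names the machine and the program to go and inspect, rather than only the alert's 127.0.0.1 address.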