Port Scanning From Microsoft?
This morning's activity log shows this:
. . .
From 23.102.132.99 – 2 packets to tcp(3389)
From 23.102.133.164 – 1 packet to tcp(3389)
From 23.102.134.239 – 2 packets to tcp(3389)
From 23.102.136.210 – 3 packets to tcp(3389)
From 23.102.136.222 – 2 packets to tcp(3389)
From 23.102.137.62 – 3 packets to tcp(3389)
From 23.102.137.101 – 2 packets to tcp(3389)
From 23.102.138.184 – 1 packet to tcp(3389)
From 23.102.138.216 – 1 packet to tcp(3389)
From 23.102.139.11 – 2 packets to tcp(3389)
From 23.102.139.27 – 5 packets to tcp(3389)
From 23.102.140.90 – 2 packets to tcp(3389)
From 23.102.140.158 – 3 packets to tcp(3389)
From 23.102.161.114 – 1 packet to tcp(3389)
From 23.102.170.1 – 2 packets to tcp(3389)
From 23.102.170.48 – 4 packets to tcp(3389)
From 23.102.171.49 – 2 packets to tcp(3389)
From 23.102.172.233 – 2 packets to tcp(3389)
From 23.102.173.124 – 2 packets to tcp(3389)
. . .
These are either mostly or entirely Microsoft.com addresses. Any ideas as to what legitimate use this probing might have? I know that 3389 is MS-RDP. My question is why would a ‘reputable’ firm be scanning my systems for open connections on that port?
3 thoughts on - Port Scanning From Microsoft?
James B. Byrne wrote on Wed, 20 Aug 2014 11:06:20 -0400:
Google says: http://security.stackexchange.com/questions/26486/failed-rdp-brute-force-attack-from-microsoft-ip-address
Kai
Azure servers.
You
Easy.
1. Most of these bots are probably zombie infections, using resources paid for by someone else.
2. These bots use CPU, memory, and bandwidth, which is how these providers make their money. The more you use, the more money they make.
Wondering why they don’t take measures to stop it is like wondering why Exxon hasn’t started building Tesla Supercharger stations everywhere.