Windows messages

Rita Seplowitz Saltz rita at princeton.edu
Thu Oct 10 14:52:58 GMT 2002


Hmmm...having seen two follow-ups to a note I thought I'd sent, but which
doesn't appear to have been sent, let me say this about that:

Sunday evening, our Network Systems people observed unusual activity
apparently coming from IP address 209.61.184.227 which is in the range
assigned to Rackspace.  The traffic was targeting Port 445 on numerous
campus hosts.  Network Systems blocked access, pending further action.
Rackspace was notified--and subsequently, when we began to get the "mystery
window" calls from the Windows 2000 people who had seen the poetry
window--Rackspace also was advised that it appeared the device at the IP in
question had been net sending the message.  There has been no response to
either report.

Port 445 is used by Active Directory.  There had been discussion earlier in
the year about making it inaccessible to traffic from outside the domain;
as a result of the Sunday-Monday incident, during which essentially all of
the non-dorm side Windows 2000 machines received the "poetry" window, the
block now is in place to prevent outside traffic coming in to 445.

In the note I thought I sent early this morning, I expressed gratitude that
the sender had used poetry and not something significantly more likely to
offend.  I also expressed gratitude that Network Systems is so effective in
monitoring traffic patterns and flow, and in identifying anomalies of
concern and addressing them.

Except for the one incident described in what were to have been after-notes,
we've seen no recurrence since the block was implemented.

Rita Saltz
Policy and Security Advisor
Office of Information Technology (OIT)
Princeton University
rita at princeton.edu


