Anyone seen this type of activity?:
On 11/29, an internal workstation appeared to perform UDP portscans to 27 unique external IPs. All the external addresses examined were foreign (mostly Brazil and Argentina, but also included Columbia, Germany, Indonesia, China, et. al.). It appears to have scanned the same IP list twice, with a couple of the IPs only appearing once in each scan (possibly due to dropped traffic on the sensor). Scans took place at 17:56 and again at 18:10. It's unclear if there were any returns on the scans. I could find no other appearances of the inside or outside IPs setting off any other alerts in the data that I have. Most of the IP addresses I looked at appeared to be customer addys from ISPs.
On 12/3, the system's admin was contacted, who claimed to run a full-virus scan and found nothing.
On 12/4, the same system performed the same type of scan against 11 more systems. Again, all were foreign (Mostly Brazil, a couple German, and Venezuela) -- but not a single one was a duplicate from the first scan, nor were they even within the same networks.
Because of the kludgy portscan reporting of Snort, I cannot accurately tell which ports are being targeted. The sensor's been up/down over the last month (I was out of town) so there could have been more events...
Ideas? (My favorite answer so far is a worm...but none detected by Symantec -- assuming the admin *did* do a scan... ;0)