Hey Guys,

I have discovered traffic originating from a MS XP system, which is slowly conducting an UDP scan against my Active Directory Server. All of the traffic is inititated from port 42424. I had the user run a McAfee antivirus scan, with negative results returned to my consolidation server.

Now, I know that MS .NET service runs on port 42424, but I would not expect for the MS .NET service to initiate scans from this port, listening yes, scanning no.

Anyways, I have Googled and searched for the port number in Sophos and came up empty. My initial thought is a possible trojan on the XP system, but before I waste too much time on this I wanted to pool AO and see if anyone here has encountered or is encountering a similar situation where the traffic is legit.

Thanks in advance everyone.