Ok so I have a Windows server that is doing some bizarre
stuff. My first thought is some sort of worm/virus but nothing
detects anything. What is happening is this: let’s say I am on the
server and do an FTP command. If I monitor my firewall, it reports
that Service tcp_Ftp is active but operating on source port 1585.
If I try to do an HTTP request from a browser, it says Service tcp_http
is active but source port is reported as 1562. It is picking random
ports to perform the operation. Also I see sequential scans for ports
via UDP port 1434, which has been associated with SQL Slammer in the past.
As I said though, no virus scanner detects anything. I would say it is a
corrupt IP stack or something except that the web server that runs on it
functions as normal. WTH?
This is an older W2k SP4 server that is not Internet-facing.