Identify Malicious Activity
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Use this procedure when you want to confirm that malicious activity is occurring within your network. This procedure is useful if you suspect such activity is taking place and you want to identify the targets of the attacks.
No special administrative credentials are required to perform this task.
No special considerations are required to perform this task.
To identify malicious activity
Note: Broadcast packets have destination IP addresses that end in 255. Disregard those packets when you search the Windows Firewall log file for malicious activity.

1. With the Windows Firewall log file open in Notepad, scroll through the file from beginning to end.
2. Look at each log entry with DROP in the action field and note whether the destination IP address (dstip) ends with a number other than 255.
3. If you find many such entries, take note of the destination IP addresses of the packets.
4. If those destination IP addresses are all the same, similar, or systematic, write down the source IP addresses (srcip) and the destination IP addresses. These dropped packets can be considered suspicious. Suspicious dropped packets often have systematic port hit entries as well.
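The manual Notepad review above scales poorly once the log grows to thousands of lines. The following script is an added example (not part of this TechNet procedure or any Microsoft tool) that automates the same steps: it reads the log's own #Fields header, keeps only DROP entries, discards broadcast destinations ending in .255, and groups what remains by destination and source so that a repeatedly targeted host and its systematic port hits stand out. The log lines embedded in SAMPLE_LOG are constructed for illustration and modelled on the Windows Firewall log layout; the function and variable names are this example's own.

```python
"""Summarize suspicious DROP entries in a Windows Firewall log (pfirewall.log).

Added example, not code from the original procedure. The parser is driven by
the log's '#Fields:' header line, so it tolerates the exact column set the
file declares rather than assuming a fixed layout.
"""
from collections import defaultdict

# Constructed sample log, modelled on the Windows Firewall log format:
# comment/header lines start with '#', data fields are space-separated,
# and '-' marks a field that does not apply to the packet.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-04-11 08:05:57 DROP UDP 192.168.1.20 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2005-04-11 08:06:01 DROP TCP 10.0.0.99 192.168.1.10 3344 135 48 S 12345 0 65535 - - - RECEIVE
2005-04-11 08:06:01 DROP TCP 10.0.0.99 192.168.1.10 3345 139 48 S 12346 0 65535 - - - RECEIVE
2005-04-11 08:06:02 DROP TCP 10.0.0.99 192.168.1.10 3346 445 48 S 12347 0 65535 - - - RECEIVE
2005-04-11 08:06:02 DROP TCP 10.0.0.99 192.168.1.10 3347 1433 48 S 12348 0 65535 - - - RECEIVE
2005-04-11 08:06:05 OPEN TCP 192.168.1.10 192.168.1.1 1045 80 0 - - - - - - - -
2005-04-11 08:06:09 DROP UDP 192.168.1.30 192.168.1.255 138 138 229 - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the column names from '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):          # other header/comment lines
            continue
        if fields is None:
            raise ValueError("data line encountered before the #Fields header")
        yield dict(zip(fields, line.split()))


def is_broadcast(ip):
    """True for addresses whose last octet is 255 (broadcast noise to ignore)."""
    return ip.rsplit(".", 1)[-1] == "255"


def _port_key(port):
    # ICMP entries carry '-' instead of a port; sort those first.
    return int(port) if port.isdigit() else -1


def suspicious_drops(text):
    """Return {dst-ip: {src-ip: [dst ports]}} for non-broadcast DROP entries.

    A destination that appears with many distinct ports from one source is
    the 'systematic port hit' pattern the procedure tells you to write down.
    """
    hits = defaultdict(lambda: defaultdict(set))
    for entry in parse_firewall_log(text):
        if entry.get("action") != "DROP":
            continue
        if is_broadcast(entry["dst-ip"]):
            continue
        hits[entry["dst-ip"]][entry["src-ip"]].add(entry["dst-port"])
    return {
        dst: {src: sorted(ports, key=_port_key) for src, ports in sources.items()}
        for dst, sources in hits.items()
    }


def report(text):
    """Render the grouped results as the kind of note the procedure asks for."""
    lines = []
    for dst, sources in sorted(suspicious_drops(text).items()):
        for src, ports in sorted(sources.items()):
            lines.append(f"dstip {dst} <- srcip {src}: {len(ports)} port(s) {', '.join(ports)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

To run it against a real file, replace SAMPLE_LOG with the contents of the firewall log (by default %windir%\pfirewall.log on these systems). A single destination receiving drops on a spread of well-known ports from one source, as in the constructed sample, is the pattern step 4 describes; broadcast drops on ports 137 and 138 are filtered out before grouping, so they do not inflate the counts.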