Events with this classification type identify a system that was likely performing activities on a monitored device(s) or network range(s). Such events are usually triggered by excessive scanning, the definition of excessive varies widely depending on the service or system that is being scanned, and to which organization it belongs.
Scanning is commonly associated with criminal groups collecting information of existing infrastructure, i.e. identifying system addresses, operation system with version and configuration, services with version and configuration. Such information can be used to create a target list for a future compromise attempt.
Security researchers and other organizations also perform scanning to discover such vulnerabilities. But instead of abusing this information, they share it with trusted organizations to inform the device owner, to help fixing the vulnerability before the criminals can abuse it. In rare cases scanning can also be attributed to a curious individual using such tools.
Most tools used for scanning are non intrusive, meaning the perform a normal request as any normal client would to check whether a certain vulnerability or service is present or not, e.g. like knocking on the door. This type of scans are usually performed by security researchers.
But there are also intrusive scans which actually perform the malicious action the system or service could be vulnerable for. Such scans can have side effects that depend on the vulnerability and the intent of the actor performing the scan, e.g. like trying to open the lock with the screwdriver. These can range from creating a pop up "I'm vulnerable" or printing a page "please fix me" to loosing the database.
The system identified by
source was most likely the system performing scanning activities. It is possible that the user of the system performed these activities, but it is also possible that malicious software on the the system performed the scan. The system should be regarded as compromised, until further investigation has proven otherwise.
- Please handle the incident according to your policies and guidelines.
- Change the access credentials of potentially affected users.
- Scan the system for malicious software
- Check the logs for suspicious activity.