
Noticed today on one of the servers that Event Viewer/Security has lots of "Failure audit" messages like this:

The message repeats every second and the port number is increased by one, the range of ports being from 1025 to 5000, and then over again. To me, such "port scanning" looks quite suspicious!

I've tried running TCPView to find out more details, but it only shows process, its ID and port. Is this by design for spoolsv.exe to act so? Or is this some sort of malware? Has anybody seen this before?

File server & Print server roles are installed on the server.

Volodymyr Molodets

1 Answer

Well, after default and non-default print monitors were defined, we've actually backed up all of them and then removed ALL non-standard print monitors with subsequent Print Spooler service restart. After that there were no more events in event viewer and so far we have not got any complaints from end users.

Here is the list of default print monitors:

  • BJ Language Monitor
  • Local Port
  • PJL Language Monitor
  • Standard TCP/IP Port
  • USB Monitor
Volodymyr Molodets
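
One way to carry out the audit step the answer describes, as an added example that is not part of the original post: it backs up the print monitor registry key and reports every installed monitor that is not on the default list above. The registry path is the standard Windows location for print monitors; the backup location (`$env:TEMP`) and the assumption that each `Driver` value is a bare DLL name in System32 are choices made for this example.

```powershell
# Added example: audit print monitors against the default list in the answer.
# Run from an elevated PowerShell prompt on the print server.

$monitorsPath = 'SYSTEM\CurrentControlSet\Control\Print\Monitors'

# Default monitors, as listed in the answer above.
$defaultMonitors = @(
    'BJ Language Monitor', 'Local Port', 'PJL Language Monitor',
    'Standard TCP/IP Port', 'USB Monitor'
)

# Back up the whole Monitors key first. $env:TEMP is an assumed location.
$backup = Join-Path $env:TEMP ('PrintMonitors-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export "HKLM\$monitorsPath" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; nothing was changed." }

# Read the key through .NET rather than the registry provider, because
# 'Standard TCP/IP Port' contains a '/' that the provider treats as a separator.
$root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($monitorsPath)
$report = foreach ($name in $root.GetSubKeyNames()) {
    $sub    = $root.OpenSubKey($name)
    $driver = $sub.GetValue('Driver')          # DLL loaded into spoolsv.exe
    $sub.Close()

    # Assumption: Driver is a bare file name resolved from System32.
    $dll  = if ($driver) { Join-Path $env:SystemRoot "System32\$driver" }
    $file = if ($dll -and (Test-Path -LiteralPath $dll)) { Get-Item -LiteralPath $dll }

    [pscustomobject]@{
        Monitor   = $name
        IsDefault = $defaultMonitors -contains $name
        Driver    = $driver
        Company   = if ($file) { $file.VersionInfo.CompanyName }
        Modified  = if ($file) { $file.LastWriteTime }
    }
}
$root.Close()

$report | Sort-Object IsDefault, Monitor | Format-Table -AutoSize

# Non-default monitors are the candidates the answer removed.
$report | Where-Object { -not $_.IsDefault } | Select-Object -ExpandProperty Monitor
Write-Host "Backup written to $backup"
```

The script only reports; after removing the non-default monitors it lists, restart the Print Spooler service (`Restart-Service -Name Spooler`) and confirm the Failure audit events stop.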