Has anyone else noticed a _huge_ increase in SMB scans? I'm seeing sweeps of various subnets 5-10 times a day. This started around two weeks ago... they appear to be looking for open \\<netbios-name>\C shares. My guess is that they're looking for machines previously infected with Nimda, but I could be wrong. It shows up as "NETBIOS SMB C access" under snort, and "Tree Connect AndX Request" when the tcpdump is viewed with ethereal.

--
Nathan W. Labadie | ab0781at_private
Sr. Security Specialist | 313/577.2126
Wayne State University | 313/577.1338 fax
C&IT Information Security Office: http://security.wayne.edu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Fri Mar 08 2002 - 14:26:46 PST