increase in smb scans

From: Nathan W. Labadie (ab0781at_private)
Date: Fri Mar 08 2002 - 06:06:37 PST


    Has anyone else noticed a _huge_ increase in SMB scans? I'm seeing sweeps
    of various subnets 5-10 times a day. This started around two weeks ago...
    they appear to be looking for open \\<netbios-name>\C shares. My guess is
    that they're looking for machines previously infected with Nimda, but I
    could be wrong. It shows up as "NETBIOS SMB C access" under snort, and
    "Tree Connect AndX Request" when the tcpdump is viewed with ethereal.
    
    -- 
    Nathan W. Labadie       | ab0781at_private	
    Sr. Security Specialist | 313/577.2126
    Wayne State University  | 313/577.1338 fax
    C&IT Information Security Office: http://security.wayne.edu
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


