SANS Newsbites SANS NewsBites Vol. 4 Num. 10 opens with the following paragraph. "Hackers are currently scanning the entire Internet looking for Windows systems with unprotected shares. They have found thousands or perhaps tens of thousands of vulnerable systems and installed remote-control bots on those systems. If you have not checked your systems and your family's systems for open shares, now would be a very good time to find them and protect them." I can confirm that I have seen what looks like a steep increase in these scans as well. Nathan W. Labadie writes: > Has anyone else noticed a _huge_ increase in SMB scans? I'm seeing sweeps > of various subnets 5-10 times a day. This started around two weeks ago... > they appear to be looking for open \\<netbios-name>\C shares. My guess is > that there looking for machines previously infected with Nimda, but I > could be wrong. It shows up as "NETBIOS SMB C access" under snort, and > "Tree Connect AndX Request" when the tpcdump is viewed with ethereal. > > -- > Nathan W. Labadie | ab0781at_private > Sr. Security Specialist | 313/577.2126 > Wayne State University | 313/577.1338 fax > C&IT Information Security Office: http://security.wayne.edu > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com -- Lee Ayres <ayres@i-dep.com> Systems Security Administrator I-DEP, LLC phone number (312 738 0740) fax number (312 738 0748) www.i-dep.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Mar 10 2002 - 17:00:13 PST