Something else that I've also noticed: The attacks seem to be somewhat
coordinated. Within a 15-minute period, four different hosts all scanned
a /24. Out of two /16's, we have three or four subnets that get scanned
on a semi-regular basis (as opposed to the other couple hundred). I've
attached the logs from one of the subnets. Any idea what tool they're
using?

On Friday 08 March 2002 09:06 am, Nathan W. Labadie wrote:
> Has anyone else noticed a _huge_ increase in SMB scans? I'm seeing
> sweeps of various subnets 5-10 times a day. This started around two
> weeks ago... they appear to be looking for open \\<netbios-name>\C
> shares. My guess is that they're looking for machines previously
> infected with Nimda, but I could be wrong. It shows up as "NETBIOS
> SMB C access" under snort, and "Tree Connect AndX Request" when the
> tcpdump is viewed with ethereal.

-- 
Nathan W. Labadie       | ab0781at_private
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.1338 fax
C&IT Information Security Office: http://security.wayne.edu
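
The correlation described in the message above (several distinct hosts hitting the same /24 within 15 minutes), as an added example that is not part of the original posts or of snort itself. It assumes a simplified snort "fast" alert layout; the sample lines, addresses and the names parse and coordinated_sweeps are constructed for illustration, and the thresholds (four sources, 15 minutes) are the figures given in the message.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample alerts: simplified snort "fast" layout, made-up addresses.
SAMPLE = """\
03/08-09:01:10.000000 [**] NETBIOS SMB C access [**] {TCP} 198.51.100.7:1025 -> 192.0.2.14:139
03/08-09:04:42.000000 [**] NETBIOS SMB C access [**] {TCP} 198.51.100.99:1311 -> 192.0.2.15:139
03/08-09:05:00.000000 [**] ICMP PING [**] {ICMP} 198.51.100.7 -> 192.0.2.14
03/08-09:09:03.000000 [**] NETBIOS SMB C access [**] {TCP} 203.0.113.5:2040 -> 192.0.2.200:139
03/08-09:13:57.000000 [**] NETBIOS SMB C access [**] {TCP} 203.0.113.77:4412 -> 192.0.2.201:139
03/08-02:00:00.000000 [**] NETBIOS SMB C access [**] {TCP} 198.51.100.7:1026 -> 10.20.30.5:139
03/08-08:00:00.000000 [**] NETBIOS SMB C access [**] {TCP} 203.0.113.5:2041 -> 10.20.30.6:139
03/08-14:00:00.000000 [**] NETBIOS SMB C access [**] {TCP} 203.0.113.77:4413 -> 10.20.30.7:139
03/08-20:00:00.000000 [**] NETBIOS SMB C access [**] {TCP} 198.51.100.99:1312 -> 10.20.30.8:139
"""

ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\].*?NETBIOS SMB C access"
    r".*?\{TCP\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+")

def parse(text, year=2002):
    """Yield (timestamp, source IP, destination /24) per matching alert line."""
    for line in text.splitlines():
        m = ALERT.match(line)
        if m:  # the alert timestamp carries no year, so one is supplied
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
            yield ts, m["src"], str(ip_network(m["dst"] + "/24", strict=False))

def coordinated_sweeps(text, window=timedelta(minutes=15), min_sources=4):
    """Map each /24 to the sources seen in any window with >= min_sources of them."""
    by_net = defaultdict(list)
    for ts, src, net in parse(text):
        by_net[net].append((ts, src))
    hits = defaultdict(set)
    for net, events in by_net.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            sources = {src for _, src in events[start:end + 1]}
            if len(sources) >= min_sources:
                hits[net] |= sources
    return {net: sorted(srcs) for net, srcs in hits.items()}

if __name__ == "__main__":
    print(coordinated_sweeps(SAMPLE))
```

On the constructed sample only 192.0.2.0/24 is reported; the second subnet sees the same four sources, but spread over 18 hours, so it stays below the threshold.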
This archive was generated by hypermail 2b30 : Fri Mar 15 2002 - 09:31:23 PST