Re: Port 445 increase?

From: Muhammad Faisal Rauf Danka (mfrdat_private)
Date: Tue Jun 04 2002 - 01:50:31 PDT


    NetBIOS over TCP traditionally uses the following ports:
    
    nbname 137/UDP
    nbname 137/TCP
    nbdatagram 138/UDP
    nbsession 139/TCP
    
    Direct hosted "NetBIOS-less" SMB traffic uses the following port:
    
    MICROSOFT-DS 445/TCP
    MICROSOFT-DS 445/UDP
    
    Looks like you're being scanned for open shares (the usual), but the scanner/worm/potential intruder now knows about the "NetBIOS-less" SMB traffic port too.
    
    This could be a DoS attack on port 445 too, see http://www.vnunet.com/News/1131065
    but I doubt that, since you said it was followed by an nbname lookup, so it's probably looking for open shares.
    
    Regards, 
    ---------
    Muhammad Faisal Rauf Danka
    
    Chief Technology Officer
    Gem Internet Services (Pvt) Ltd.
    web: www.gem.net.pk
    
    Vice President
    Pakistan Computer Emergency Response Team (PakCERT)
    web: www.pakcert.org
    
    Chief Security Analyst
    Applied Technology Research Center (ATRC)
    web: www.atrc.net.pk
    
    
    --- "Mike Hrubes" <MHrubesat_private> wrote:
    >Since around noon today (CST), we've really been getting hammered with tcp 445.
    >Interestingly, it appears to be a tool or worm doing the scanning. All requests
    >seem to follow the same basic format of ICMP, then 445, followed by nbname.
    >The requests are coming from many many different IPs, but are all directed at
    >a single box on our network.
    >
    >Just curious if anyone else out there is seeing anything like this?
    >
    >Thanks!
    >
    >MH
    >
    
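As an added example (not part of this thread), a small Python triage script that applies the sequence described above, ICMP, then TCP 445, then an nbname lookup, per source, to constructed firewall log lines and separates that share-scan signature from sources that only ever hit 445; the log format, timestamps and addresses are all assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not from the post): one target, three sources.
SAMPLE_LOG = """\
2002-06-04T12:00:01 proto=icmp src=198.51.100.7 dst=192.0.2.10
2002-06-04T12:00:02 proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=445
2002-06-04T12:00:03 proto=udp src=198.51.100.7 dst=192.0.2.10 dport=137
2002-06-04T12:00:05 proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=445
2002-06-04T12:00:06 proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=445
2002-06-04T12:00:09 proto=icmp src=198.51.100.22 dst=192.0.2.10
2002-06-04T12:00:10 proto=tcp src=198.51.100.22 dst=192.0.2.10 dport=139
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+)(?: dport=(?P<dport>\d+))?")

def step_of(proto, dport):
    # One packet -> pattern step: ICMP probe, 445 (direct-hosted SMB), 137 (nbname).
    if proto == "icmp":
        return "icmp"
    if proto == "tcp" and dport == 445:
        return "smb445"
    return "nbname" if dport == 137 else "other"

def parse(log):
    """Return {(src, dst): [(timestamp, step), ...]} in log order."""
    flows = defaultdict(list)
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        dport = int(m["dport"]) if m["dport"] else None
        ts = datetime.fromisoformat(m["ts"])
        flows[(m["src"], m["dst"])].append((ts, step_of(m["proto"], dport)))
    return flows

def classify(steps, window=60):
    """icmp -> 445 -> nbname within `window` seconds is the share-scan pattern;
    a source that only ever hits 445 is '445-only' (the bare flood case)."""
    state, t0 = 0, None
    for ts, step in steps:
        if step == "icmp":
            state, t0 = 1, ts
        elif step == "smb445" and state == 1:
            state = 2
        elif step == "nbname" and state == 2 and (ts - t0).total_seconds() <= window:
            return "share-scan"
    return "445-only" if steps and all(s == "smb445" for _, s in steps) else "other"

def triage(log):
    return {src: classify(steps) for (src, _), steps in parse(log).items()}
```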
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Jun 04 2002 - 08:40:23 PDT