NetBIOS over TCP traditionally uses the following ports: nbname 137/UDP nbname 137/TCP nbdatagram 138/UDP nbsession 139/TCP Direct hosted "NetBIOS-less" SMB traffic uses the following port: MICROSOFT-DS 445/TCP MICROSOFT-DS 445/UDP Looks like you're being scanned for open shares (the usual), but the scanner/worm/potential intruder now knows about "NeBIOS-less" SMB traffic port too. This could be a DoS Attack on port 445 too, see http://www.vnunet.com/News/1131065 but i doubt that since you said It was followed by nbname lookup, so It's probably looking for openshares. Regards, --------- Muhammad Faisal Rauf Danka Chief Technology Officer Gem Internet Services (Pvt) Ltd. web: www.gem.net.pk Vice President Pakistan Computer Emergency Responce Team (PakCERT) web: www.pakcert.org Chief Security Analyst Applied Technology Research Center (ATRC) web: www.atrc.net.pk --- "Mike Hrubes" <MHrubesat_private> wrote: >Since around noon today (CST), we've really been getting hammered with tcp = >445. Interestingly, it appears to be a tool or worm doing the scanning. A= >ll requests seem to follow the same basic format of ICMP, then 445, followe= >d by nbname. The requests are coming from many many different IPs, but are= > all directed at a single box on our network. > >Just curious if anyone else out there is seeing anything like this? > >Thanks! > >MH > _____________________________________________________________ --------------------------- [ATTITUDEX.COM] http://www.attitudex.com/ --------------------------- _____________________________________________________________ Promote your group and strengthen ties to your members with emailat_private by Everyone.net http://www.everyone.net/?btn=tag ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jun 04 2002 - 08:40:23 PDT