Thanks for the replies from everyone. The scan/attack has stopped as of yesterday evening. I guess what I found interesting was the pattern it followed. To me, it almost looked like a DOS because of the source IPs and the format it followed. I discarded the idea of a scan as it wasn't done smartly. I had multiple hits from the same IPs throughout the day, all aimed at a single IP on our network...which happens to be our incoming address for our Exchange server.

For anyone that was interested in this, I'll throw up a bit of my logs (IPs are faked below...when I did lookups on the IPs, it appeared the attacking addresses were probably compromised machines). I didn't ever get a packet capture while the attack happened, so I won't be able to see exactly what they were trying to do (malformed packets, etc...).

Entire scan/attack lasted from 6:22am until 6:15pm CST on Jun 3. Received a block of requests (icmp, 445, nbname) about 4-5 times a minute. Probably 20 different addresses total.

Dest. Port   Source Addy   Dest Addy    Protocol   Source Port
             65.1.1.1      209.9.9.9    icmp
445          65.1.1.1      209.9.9.9    tcp        1111
nbname       65.1.1.1      209.9.9.9    udp        nbname
             67.1.1.1      209.9.9.9    icmp
445          67.1.1.1      209.9.9.9    tcp        1098
nbname       67.1.1.1      209.9.9.9    udp        nbname

-----Original Message-----
From: Muhammad Faisal Rauf Danka [mailto:mfrdat_private]
Sent: Tuesday, June 04, 2002 3:51 AM
To: incidentsat_private
Subject: Re: Port 445 increase?

NetBIOS over TCP traditionally uses the following ports:

nbname      137/UDP
nbname      137/TCP
nbdatagram  138/UDP
nbsession   139/TCP

Direct hosted "NetBIOS-less" SMB traffic uses the following port:

MICROSOFT-DS  445/TCP
MICROSOFT-DS  445/UDP

Looks like you're being scanned for open shares (the usual), but the scanner/worm/potential intruder now knows about the "NetBIOS-less" SMB traffic port too. This could be a DoS attack on port 445 too, see http://www.vnunet.com/News/1131065 but I doubt that since you said it was followed by an nbname lookup, so it's probably looking for open shares.
Regards,
---------
Muhammad Faisal Rauf Danka
Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk

Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk

--- "Mike Hrubes" <MHrubesat_private> wrote:
>Since around noon today (CST), we've really been getting hammered with tcp 445. Interestingly, it appears to be a tool or worm doing the scanning. All requests seem to follow the same basic format of ICMP, then 445, followed by nbname. The requests are coming from many many different IPs, but are all directed at a single box on our network.
>
>Just curious if anyone else out there is seeing anything like this?
>
>Thanks!
>
>MH
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Jun 04 2002 - 12:18:52 PDT
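The pattern both posters describe (an ICMP probe, then TCP/445, then an nbname lookup, from many sources against one host) is easy to pick out of firewall logs once the NetBIOS/SMB port table from the reply is applied. The script below is an added example written for this archived thread; it is not code from either poster. It assumes a constructed key=value log format (the sample lines are made up, reusing the placeholder addresses from the post plus two sources that should not be flagged) and a 60-second window for the three steps, which matches the "4-5 times a minute" rate reported. It reports, per destination, every source that completed the full sequence, so a many-sources-one-target shape stands out from a single noisy host.

```python
import bisect
import re
from collections import defaultdict
from datetime import datetime

# NetBIOS / direct-hosted SMB ports, as listed in the reply above.
SMB_PORTS = {
    ("udp", 137): "nbname",
    ("tcp", 137): "nbname",
    ("udp", 138): "nbdatagram",
    ("tcp", 139): "nbsession",
    ("tcp", 445): "microsoft-ds",
    ("udp", 445): "microsoft-ds",
}

# The three-step pattern described in the thread: ICMP, then 445, then nbname.
SIGNATURE = ("icmp", "microsoft-ds", "nbname")

# Constructed sample log (not from the original posts): key=value firewall-style
# lines.  65.1.1.1 and 67.1.1.1 run the full sequence; 10.0.0.5 is ordinary
# SMTP traffic and 70.1.1.1 never sends the nbname step.
SAMPLE_LOG = """\
Jun 03 06:22:01 proto=icmp src=65.1.1.1 dst=209.9.9.9
Jun 03 06:22:02 proto=tcp src=65.1.1.1 dst=209.9.9.9 sport=1111 dport=445
Jun 03 06:22:03 proto=udp src=65.1.1.1 dst=209.9.9.9 sport=137 dport=137
Jun 03 06:22:15 proto=icmp src=67.1.1.1 dst=209.9.9.9
Jun 03 06:22:16 proto=tcp src=67.1.1.1 dst=209.9.9.9 sport=1098 dport=445
Jun 03 06:22:17 proto=udp src=67.1.1.1 dst=209.9.9.9 sport=137 dport=137
Jun 03 06:30:00 proto=tcp src=10.0.0.5 dst=209.9.9.9 sport=40000 dport=25
Jun 03 06:31:00 proto=icmp src=70.1.1.1 dst=209.9.9.9
Jun 03 06:45:00 proto=tcp src=70.1.1.1 dst=209.9.9.9 sport=2000 dport=445
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<kv>.+)$")


def parse_line(line, year=2002):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(item.split("=", 1) for item in m.group("kv").split())
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "proto": fields["proto"],
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]) if "dport" in fields else None,
    }


def classify(event):
    """Label an event with the step it represents ('icmp' or a port-table name), else None."""
    if event["proto"] == "icmp":
        return "icmp"
    return SMB_PORTS.get((event["proto"], event["dport"]))


def _first_at_or_after(sorted_times, t):
    i = bisect.bisect_left(sorted_times, t)
    return sorted_times[i] if i < len(sorted_times) else None


def completed_sequence(steps, window_seconds):
    """True if some icmp -> 445 -> nbname chain (in that order) completes within window_seconds."""
    for t1 in steps.get(SIGNATURE[0], []):
        t2 = _first_at_or_after(steps.get(SIGNATURE[1], []), t1)
        if t2 is None:
            continue
        t3 = _first_at_or_after(steps.get(SIGNATURE[2], []), t2)
        if t3 is None:
            continue
        if (t3 - t1).total_seconds() <= window_seconds:
            return True
    return False


def find_share_probes(log_text, window_seconds=60):
    """Return {dst: [src, ...]} listing every source that ran the full probe sequence against dst."""
    steps_by_pair = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        label = classify(event)
        if label is not None:
            steps_by_pair[(event["src"], event["dst"])][label].append(event["ts"])
    hits = defaultdict(list)
    for (src, dst), steps in steps_by_pair.items():
        for times in steps.values():
            times.sort()
        if completed_sequence(steps, window_seconds):
            hits[dst].append(src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


def source_counts(hits):
    """Distinct probing sources per target; many sources on one target is the shape the thread describes."""
    return {dst: len(srcs) for dst, srcs in hits.items()}


if __name__ == "__main__":
    probes = find_share_probes(SAMPLE_LOG)
    for dst, srcs in probes.items():
        print(f"{dst}: {len(srcs)} source(s) ran ICMP -> 445 -> nbname: {', '.join(srcs)}")
```

Run against the sample, only 65.1.1.1 and 67.1.1.1 are reported for 209.9.9.9; the source that never sent the nbname lookup is left out, which is the distinction the reply draws between a bare 445 flood and an open-share probe. Tighten `window_seconds` if the three steps arrive back-to-back, as they did in the posted log, to cut false matches from unrelated ICMP and SMB traffic.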