TCP 445 is the Windows 2000 equivalent for what used to be port 139 in Windows NT. It is the new NetBIOS over TCP port or "nbsession". The fact that the scan (if thats what it is) also does an nbname lookup further reinforces the likelihood that either someone is looking for open shares or other holes via NBT, or that someone is actually accessing your Windows 2000 shares (warez repository?). If thats a Win2k system, turn on some auditing and see what is actually going on (to an extent... Win2k/NT logging leaves a lot to be desired) or throw up a sniffer that can decode NetBIOS over TCP. -EM >>> "Mike Hrubes" <MHrubesat_private> 06/03/02 04:02PM >>> Since around noon today (CST), we've really been getting hammered with tcp 445. Interestingly, it appears to be a tool or worm doing the scanning. All requests seem to follow the same basic format of ICMP, then 445, followed by nbname. The requests are coming from many many different IPs, but are all directed at a single box on our network. Just curious if anyone else out there is seeing anything like this? Thanks! MH ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 13:04:50 PDT