RE: large scale distributed scan of port tcp 445

From: Rick Darsey (rdarseyat_private)
Date: Fri Aug 09 2002 - 12:56:42 PDT

  • Next message: H C: "RE: large scale distributed scan of port tcp 445"

    A Google search turned this up
    
    "Sending malformed packets to the Microsoft-ds port [TCP 445] can result in
    kernel resources being allocated by the Lanman service," said KPMG. "The
    consequences of such an attack could vary from the Windows 2000 host
    completely ignoring the attack, to a blue screen"
    
    
    Here is the link to the site
    http://www.vnunet.com/News/1131065
    
    From what I read, this is a DoS attack, and from the logs you sent, I would
    say someone is probably trying to create a worm to exploit this, particuarly
    looking at the fact that you got about 100 hits.  Maybe the script kiddie is
    trying to get his script de-bugged.
    
    Rick Darsey
    MCSA (Win2K), Network +, SCO ACE
    
    -----Original Message-----
    From: Jim Harrison (SPG) [mailto:jmharrat_private]
    Sent: Friday, August 09, 2002 1:50 PM
    To: Thomas Cannon; Rob Keown
    Cc: Russell Fulton; incidentsat_private
    Subject: RE: large scale distributed scan of port tcp 445
    
    
    Any W2K or later OS from Microsoft (except maybe .NET server) installs
    with that port open.
    It's not specific to XP.  It was added to W2K as a NetBIOS -135/139
    replacement.
    
    * Jim Harrison
    MCP(NT4/2K), A+, Network+
    Services Platform Division
    
    The burden of proof is not satisfied by a lack of evidence to the
    contrary..
    
    
    
    -----Original Message-----
    From: Thomas Cannon [mailto:tcannonat_private]
    Sent: Friday, August 09, 2002 9:54 AM
    To: Rob Keown
    Cc: 'Russell Fulton'; incidentsat_private
    Subject: RE: large scale distributed scan of port tcp 445
    
    
    On Thu, 8 Aug 2002, Rob Keown wrote:
    
    > That is MS-DS as I recall. I don't see anything in my logs but dshield
    
    > has the port with a huge spike of targets, with low sources on 7/28.
    > http://isc.incidents.org/port_details.html?port=445 It was ranked 4th
    > on that day.
    >
    > Cannot recall any exploits on this port or service.
    >
    > Anyone know of any exploits on this?
    
    
    I didn't know any, but this might be something to consider, if nothing
    else:
    
    http://www.sygate.com/alerts/XP_default_TCP445_open.htm
    
    
    Cheers,
    
    -tcannon
    
    
    >
    > Rob Keown
    >
    >
    >
    > ----------------------------------------------------------------------
    > ------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    "No brain, no headache"
    
    
    ------------------------------------------------------------------------
    ----
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Aug 09 2002 - 13:30:27 PDT