Re: New CIFS (port 445) worm?

From: Zen (zen@kill-9.it)
Date: Tue Dec 17 2002 - 10:03:38 PST


    On Tue, Dec 17, 2002 at 08:30:13AM -0800, David Gillett wrote:
    
    	We're seeing a huge increase in tcp/445 scans on our networks
    	too. For the moment, I just opened the port on my firewall to
    	permit them through to a machine running tcpdump to capture all
    	that's possible, to do further investigation.
    
    >   My assumption, at this point, is that those two machines
    > (and a bunch more out on the Internet) have been infected 
    > with something.  The choice of port 445 suggests Win 2000/XP
    > file shares as the infection vector.
    
    	I agree. I hope you've not wiped out the machines, as it would
    	be interesting to see what is acting, and how, so that we can
    	reproduce it and check for ourselves.
    
    bye,
    -- 
    My home isn't cluttered; it's "passage restrictive."
    zen@kill-9.it . Geek . And proud of it .
    http://www.kill-9.it/jargon/html/entry/zen.html
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 12:26:22 PST