New CIFS (port 445) worm?

From: David Gillett (gillettdavidat_private)
Date: Tue Dec 17 2002 - 08:30:13 PST

      Overnight, I logged 13 connection attempts from random
    Internet addresses to my machine.  10 of them were to
    port 445, which is up significantly from a week ago.
      I'm also seeing lots of probes of this port at other
    network points.
    
      Yesterday I also had to disconnect two ports on our
    network because the machines on those ports were probing
    random Internet addresses on this port -- fast enough 
    that one of our core routers was choking.
    
      My assumption, at this point, is that those two machines
    (and a bunch more out on the Internet) have been infected 
    with something.  The choice of port 445 suggests Win 2000/XP
    file shares as the infection vector.
    
      Anybody got more information?
    
    David Gillett
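
An added example, not part of the original post: one way to flag internal hosts like the two described above, which probe many distinct external addresses on port 445 within a short window. The log format, internal range, window and threshold are assumptions, and the sample lines are constructed (external hosts use documentation address ranges).

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed, not from the post: internal range, window, threshold, and the
# "<epoch> <src> <dst> <dport>" log format. SAMPLE_LOG is constructed data.
INTERNAL = ip_network("10.0.0.0/8")
WINDOW_SECONDS = 60
FANOUT_THRESHOLD = 4

SAMPLE_LOG = """\
1040140800 10.1.1.20 192.0.2.11 445
1040140801 10.1.1.20 198.51.100.7 445
1040140802 10.1.1.20 203.0.113.45 445
1040140803 10.1.1.20 192.0.2.200 445
1040140804 10.1.1.20 10.1.1.5 445
1040140810 10.1.1.30 192.0.2.50 445
1040140820 10.1.1.30 192.0.2.50 445
1040140900 10.1.1.40 192.0.2.1 445
1040141200 10.1.1.40 192.0.2.2 445
1040141500 10.1.1.40 192.0.2.3 445
1040141800 10.1.1.40 192.0.2.4 445
1040140830 203.0.113.9 10.1.1.5 445
truncated line 445
""".splitlines()

def parse(line):
    """Return (ts, src, dst, dport), or None for a malformed line."""
    try:
        ts, src, dst, dport = line.split()
        return int(ts), ip_address(src), ip_address(dst), int(dport)
    except ValueError:
        return None

def find_scanners(lines, port=445):
    """Map internal source -> peak distinct external targets per window."""
    events = defaultdict(list)
    for ts, src, dst, dport in filter(None, map(parse, lines)):
        # Only outbound traffic: internal source, external destination.
        if dport == port and src in INTERNAL and dst not in INTERNAL:
            events[str(src)].append((ts, str(dst)))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = peak = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] >= WINDOW_SECONDS:  # slide window forward
                start += 1
            peak = max(peak, len({d for _, d in evs[start:end + 1]}))
        if peak >= FANOUT_THRESHOLD:
            flagged[src] = peak
    return flagged
```

In the sample, only 10.1.1.20 is flagged: 10.1.1.30 repeatedly contacts a single external host, and 10.1.1.40 reaches four external hosts but minutes apart.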
    
    
    
    