Numerous TCP port 445 scans on 3/2/03

From: Kevin Patz (jambo_catat_private)
Date: Mon Mar 03 2003 - 06:26:20 PST


    
    While going through my logs I came across a series of 
    scans on TCP port 445 that took place on 3/2 between 
    14:54 and 15:23 EST (GMT-5), from 42 different IP 
    addresses.
    
    Though I routinely see scans on 445 (W2K SMB), I've 
    never seen a surge of them like this before.  They 
    would come in about 2-3 per minute on average.  
    Outside this time frame 445 scans are at a more 
    average level, one or two per hour or so.
    
    Here's a summary of the scans I picked up.  None of 
    these IPs have scanned me in the past.
    
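Detection logic for the kind of surge described in the post, as an added example that is not part of the original message: it flags bursts of previously unseen sources probing TCP 445 against an hourly-trickle baseline. It assumes log lines of the form `M/D/YYYY HH:MM:SS source-IP number [hostname]`; the window, the threshold, the function names and the sample lines (documentation address ranges) are constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed line layout: date time source-IP number [reverse-DNS name]
LINE = re.compile(r"^\s*(\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
                  r"(\d{1,3}(?:\.\d{1,3}){3})\s+\d+(?:\s+\S+)?\s*$")

def parse(lines):
    """Yield (timestamp, source_ip) per well-formed line; skip anything else."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"), m.group(2)

def find_surges(lines, known=(), window=timedelta(minutes=10), threshold=5):
    """Return [(start, end, new_sources)] for bursts of never-before-seen sources.

    A baseline of one or two scans per hour puts well under one new source in
    any 10-minute window, so 5 new sources in one window is far off baseline.
    """
    seen, recent, surges, active = set(known), deque(), [], None
    for ts, ip in sorted(parse(lines)):
        if ip in seen:                      # repeat visitor: not a new source
            continue
        seen.add(ip)
        recent.append(ts)
        while ts - recent[0] > window:      # slide the window forward
            recent.popleft()
        if len(recent) >= threshold:
            if active is None:              # burst starts at oldest event in window
                active = [recent[0], ts, len(recent)]
            else:                           # burst continues
                active[1], active[2] = ts, active[2] + 1
        elif active is not None:            # rate fell back to baseline
            surges.append(tuple(active))
            active = None
    if active is not None:
        surges.append(tuple(active))
    return surges

# Constructed sample log (not the post's data).
SAMPLE = """\
3/2/2003 12:10:05 192.0.2.10 1044
3/2/2003 13:22:41 192.0.2.11 2210
3/2/2003 14:54:01 198.51.100.1 2001
3/2/2003 14:54:30 198.51.100.2 4100 host2.example.net
3/2/2003 14:54:32 198.51.100.3 3002
3/2/2003 14:55:20 198.51.100.4 4803
3/2/2003 14:55:30 198.51.100.1 1604
3/2/2003 14:56:04 198.51.100.5 2105
3/2/2003 14:56:31 198.51.100.6 3106
garbled line that the parser skips
3/2/2003 16:40:12 203.0.113.7 1500
""".splitlines()

if __name__ == "__main__":
    for start, end, n in find_surges(SAMPLE):
        print(f"surge: {n} new sources between {start} and {end}")
```

Passing the set of sources already seen in older logs as `known` keeps routine repeat scanners from counting toward a burst.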
    
    



    This archive was generated by hypermail 2b30 : Tue Mar 04 2003 - 08:41:22 PST