Re: TCP 445 Scan?

From: Adam Bultman (adambat_private)
Date: Tue Mar 04 2003 - 07:37:16 PST


    I've been getting those for some time. While I can't say I've got the same 
    deluge of scans you've gotten, I block quite a few people every day for 
    scanning me on those ports.  I use portsentry and ipchains/iptables.  I 
    have also noticed a tremendous increase in the amount of 'standard 
    service' scanning in the past two weeks.  
    
    On Thu, 27 Feb 2003, Charles Hamby wrote:
    
    > 
    > 
    > Morning/Afternoon All,
    > 
    > Has anyone else recently been pegged with a large number of distributed 
    > TCP 445 scans over a short amount of time (within a few minutes)?  A 
    > couple of days ago I was hit by roughly 60+ scans in a short amount of 
    > time; when I waded through it it wound up being about 45 unique IP addresses 
    > all looking for TCP 445.  Below is an excerpt from my firewall log 
    > (Netscreen).  Has anyone else been seeing these sorts of scans lately?  
    > I've only seen the one scan, so I haven't had a chance to capture any more 
    > traffic.
    > 
    > -CDH
    > 
    > 
    > 2003-2-23 23:05:52 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
    > 2003-2-23 23:05:49 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
    > 2003-2-23 23:05:36 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
    > 2003-2-23 23:05:33 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
    > 2003-2-23 23:05:30 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
    > 2003-2-23 23:05:27 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
    > 2003-2-23 23:05:23 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445
    > 2003-2-23 23:05:21 Deny  65.163.177.202->W.X.Y.Z  0 sec TCP PORT 445
    > 2003-2-23 23:05:20 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445
    > 2003-2-23 23:05:19 Deny  217.1.167.84->W.X.Y.Z    0 sec TCP PORT 445
    > 2003-2-23 23:05:18 Deny  65.163.177.202->W.X.Y.Z  0 sec TCP PORT 445
    > 2003-2-23 23:05:18 Deny  12.231.241.129->W.X.Y.Z  0 sec TCP PORT 445
    > 2003-2-23 23:05:18 Deny  24.66.39.214->W.X.Y.Z    0 sec TCP PORT 445
    > 2003-2-23 23:05:17 Deny  12.229.115.40->W.X.Y.Z   0 sec TCP PORT 445
    > 2003-2-23 23:05:16 Deny  62.190.172.203->W.X.Y.Z  0 sec TCP PORT 445
    > 2003-2-23 23:05:16 Deny  217.1.167.84->W.X.Y.Z    0 sec TCP PORT 445
    > 2003-2-23 23:05:16 Deny  217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:16 Deny  217.162.183.155->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:15 Deny  12.231.241.129->W.X.Y.Z  0 sec TCP PORT 445
    > 2003-2-23 23:05:15 Deny  24.66.39.214->W.X.Y.Z    0 sec TCP PORT 445
    > 2003-2-23 23:05:14 Deny  141.153.232.196->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:14 Deny  12.229.115.40->W.X.Y.Z   0 sec TCP PORT 445
    > 2003-2-23 23:05:14 Deny  12.231.161.15->W.X.Y.Z   0 sec TCP PORT 445
    > 2003-2-23 23:05:13 Deny  217.162.7.16->W.X.Y.Z    0 sec TCP PORT 445
    > 2003-2-23 23:05:13 Deny  62.190.172.203->W.X.Y.Z  0 sec TCP PORT 445
    > 2003-2-23 23:05:13 Deny  12.242.250.247->W.X.Y.Z  0 sec TCP PORT 445
    > 2003-2-23 23:05:13 Deny  217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
    > 
    



    This archive was generated by hypermail 2b30 : Tue Mar 04 2003 - 09:54:05 PST
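
An added example, not part of either poster's message: one way to answer "how many unique sources hit this port in a few minutes" from deny lines in the layout quoted above. The function names, the 5-minute window, the 5-source threshold and the sample lines (documentation address ranges) are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Layout of the quoted excerpt: 2003-2-23 23:05:52 Deny  SRC->DST  0 sec TCP PORT 445
LINE_RE = re.compile(r"(\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{2}:\d{2})\s+(\w+)\s+"
                     r"(\S+?)->(\S+)\s+\d+ sec\s+(\w+) PORT (\d+)")

# Constructed sample, not data from the post.
SAMPLE = """\
2003-2-23 23:05:13 Deny  192.0.2.10->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:14 Deny  192.0.2.11->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:16 Deny  192.0.2.10->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:18 Deny  198.51.100.7->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:36 Deny  198.51.100.8->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:52 Deny  203.0.113.5->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:06:01 Deny  203.0.113.5->W.X.Y.Z   0 sec TCP PORT 80
2003-2-24 01:30:00 Deny  192.0.2.99->W.X.Y.Z    0 sec TCP PORT 445
"""

def parse(line):
    # Returns (time, action, src, dst, proto, port), or None for other lines.
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return (ts, *m.group(2, 3, 4, 5), int(m.group(6)))

def distributed_scans(lines, window=timedelta(minutes=5), min_sources=5):
    """Map (dst, proto, port) to the peak number of distinct denied sources in one window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[1] == "Deny":
            events[rec[3:]].append((rec[0], rec[2]))
    findings = {}
    for key, evs in events.items():
        evs.sort()
        seen, start, peak = Counter(), 0, 0
        for ts, src in evs:
            seen[src] += 1
            while ts - evs[start][0] > window:   # expire events older than the window
                seen[evs[start][1]] -= 1
                start += 1
            peak = max(peak, len(+seen))         # unary + drops sources whose count fell to 0
        if peak >= min_sources:
            findings[key] = peak
    return findings
```

Counting distinct sources per destination port, rather than raw deny lines, keeps one noisy host from looking like a distributed sweep.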