Re: TCP 445 Scan?

From: Tom_Staskiewiczat_private
Date: Tue Mar 04 2003 - 09:03:44 PST


    Charles,
    
    Go out to Google and search on "port 445" and also "RFC 1568". RFC 1568
    explains port 445 and when you search on port 445, the Internet Storm
    Center and Dshield have logged the DoS info using this port. It looks like
    you are not alone. Also copy this link and check out the article
    http://www.vnunet.com/News/1131065 and its links to Microsoft for more
    information.
    
    Regards,
    
    Tom Staskiewicz
    Information Security Officer
    First Consumers National Bank
    503.520.7947
    
    
    Charles Hamby <fixerat_privatet> wrote on 02/27/03 10:25 AM
    To: incidentsat_private
    Subject: TCP 445 Scan?

    Morning/Afternoon All,
    
    Has anyone else recently been pegged with a large number of distributed
    TCP 445 scans over a short amount of time (within a few minutes)?  A
    couple of days ago I was hit by roughly 60+ scans in a short amount of
    time; when I waded through it, it wound up being about 45 unique IP
    addresses all looking for TCP 445.  Below is an excerpt from my firewall
    log (Netscreen).  Has anyone else been seeing these sorts of scans lately?
    I've only seen the one scan, so I haven't had a chance to capture any more
    traffic.
    
    -CDH
    
    
    2003-2-23 23:05:52 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:49 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:36 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
    2003-2-23 23:05:33 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
    2003-2-23 23:05:30 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
    2003-2-23 23:05:27 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
    2003-2-23 23:05:23 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:21 Deny  65.163.177.202->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:20 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:19 Deny  217.1.167.84->W.X.Y.Z    0 sec TCP PORT 445
    2003-2-23 23:05:18 Deny  65.163.177.202->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:18 Deny  12.231.241.129->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:18 Deny  24.66.39.214->W.X.Y.Z    0 sec TCP PORT 445
    2003-2-23 23:05:17 Deny  12.229.115.40->W.X.Y.Z   0 sec TCP PORT 445
    2003-2-23 23:05:16 Deny  62.190.172.203->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:16 Deny  217.1.167.84->W.X.Y.Z    0 sec TCP PORT 445
    2003-2-23 23:05:16 Deny  217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
    2003-2-23 23:05:16 Deny  217.162.183.155->W.X.Y.Z 0 sec TCP PORT 445
    2003-2-23 23:05:15 Deny  12.231.241.129->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:15 Deny  24.66.39.214->W.X.Y.Z    0 sec TCP PORT 445
    2003-2-23 23:05:14 Deny  141.153.232.196->W.X.Y.Z 0 sec TCP PORT 445
    2003-2-23 23:05:14 Deny  12.229.115.40->W.X.Y.Z   0 sec TCP PORT 445
    2003-2-23 23:05:14 Deny  12.231.161.15->W.X.Y.Z   0 sec TCP PORT 445
    2003-2-23 23:05:13 Deny  217.162.7.16->W.X.Y.Z    0 sec TCP PORT 445
    2003-2-23 23:05:13 Deny  62.190.172.203->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:13 Deny  12.242.250.247->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:13 Deny  217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
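    As an added example (not from the thread or either poster), here is a defender-side check for the pattern Charles describes: a parser for the Netscreen "Deny" line layout quoted above, and a sliding-window count of distinct source addresses per destination port, which is the figure he tallied by hand. The sample log, the field names and the thresholds are constructed for this example; the addresses are RFC 5737 documentation ranges, not the sources in the thread.

```python
import re
from datetime import datetime

# Netscreen "Deny" line in the layout quoted above; destination stays W.X.Y.Z.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<time>\d\d:\d\d:\d\d) Deny\s+"
    r"(?P<src>[\d.]+)->(?P<dst>\S+)\s+\d+ sec (?P<proto>TCP|UDP) PORT (?P<port>\d+)$"
)

# Constructed sample (RFC 5737 documentation addresses, not the thread's sources):
# four hosts probe 445 within a minute, plus one stray hit 25 minutes earlier.
SAMPLE_LOG = """\
2003-2-23 23:05:52 Deny  192.0.2.10->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:49 Deny  192.0.2.10->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:36 Deny  198.51.100.7->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:33 Deny  198.51.100.7->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:23 Deny  203.0.113.5->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:21 Deny  203.0.113.9->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:20 Deny  203.0.113.5->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:18 Deny  203.0.113.9->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 22:40:00 Deny  192.0.2.77->W.X.Y.Z   0 sec TCP PORT 445
"""

def parse_netscreen(text):
    """Parse Deny lines into events; lines not in the expected layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
            events.append({"ts": ts, "src": m["src"], "proto": m["proto"], "port": int(m["port"])})
    return events

def peak_distinct_sources(events, port, window_seconds=300):
    """Largest number of distinct sources hitting `port` inside any sliding window;
    returns (count, timestamp of the first hit in that window), or (0, None)."""
    hits = sorted((e for e in events if e["port"] == port), key=lambda e: e["ts"])
    best, best_start, lo = 0, None, 0
    for hi, ev in enumerate(hits):
        while (ev["ts"] - hits[lo]["ts"]).total_seconds() > window_seconds:
            lo += 1  # drop hits that have fallen out of the window
        distinct = {h["src"] for h in hits[lo:hi + 1]}
        if len(distinct) > best:
            best, best_start = len(distinct), hits[lo]["ts"]
    return best, best_start

def distributed_scan_alert(text, port=445, min_sources=4, window_seconds=300):
    """Flag a distributed scan: many distinct sources on one port in a short window."""
    count, start = peak_distinct_sources(parse_netscreen(text), port, window_seconds)
    return {"port": port, "distinct_sources": count, "window_start": start, "alert": count >= min_sources}
```

    Retries from the same host a few seconds apart (as in the excerpt) do not inflate the count, since the window counts sources, not packets.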
    
    



    This archive was generated by hypermail 2b30 : Tue Mar 04 2003 - 11:07:00 PST