RE: TCP 445 Scan?

From: Lee_Fisherat_private
Date: Tue Mar 04 2003 - 09:10:51 PST


    I have seen a few forums discuss an increase in TCP port 445 scans.
    
    Similar nature/profile to your message below.
    
    LANMAN service listens on this port.
    
    This *may* be related? http://www.kb.cert.org/vuls/id/693099
    
    Lee Fisher
    McAfee Security
    
    -----Original Message-----
    From: Charles Hamby [mailto:fixerat_private]
    Sent: 27 February 2003 18:25
    To: incidentsat_private
    Subject: TCP 445 Scan?
    
    
    
    
    Morning/Afternoon All,
    
    Has anyone else recently been pegged with a large number of distributed 
    TCP 445 scans over a short amount of time (within a few minutes)?  A 
    couple of days ago I was hit by roughly 60+ scans in a short amount of 
    time; when I waded through it, it wound up being about 45 unique IP addresses 
    all looking for TCP 445.  Below is an excerpt from my firewall log 
    (Netscreen).  Has anyone else been seeing these sorts of scans lately?  
    I've only seen the one scan, so I haven't had a chance to capture any more 
    traffic.
    
    -CDH
    
    
    2003-2-23 23:05:52 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:49 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:36 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
    2003-2-23 23:05:33 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
    2003-2-23 23:05:30 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
    2003-2-23 23:05:27 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
    2003-2-23 23:05:23 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:21 Deny  65.163.177.202->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:20 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:19 Deny  217.1.167.84->W.X.Y.Z 	  0 sec TCP PORT 445
    2003-2-23 23:05:18 Deny  65.163.177.202->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:18 Deny  12.231.241.129->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:18 Deny  24.66.39.214->W.X.Y.Z 	  0 sec TCP PORT 445
    2003-2-23 23:05:17 Deny  12.229.115.40->W.X.Y.Z   0 sec TCP PORT 445
    2003-2-23 23:05:16 Deny  62.190.172.203->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:16 Deny  217.1.167.84->W.X.Y.Z 	  0 sec TCP PORT 445
    2003-2-23 23:05:16 Deny  217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
    2003-2-23 23:05:16 Deny  217.162.183.155->W.X.Y.Z 0 sec TCP PORT 445
    2003-2-23 23:05:15 Deny  12.231.241.129->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:15 Deny  24.66.39.214->W.X.Y.Z 	  0 sec TCP PORT 445
    2003-2-23 23:05:14 Deny  141.153.232.196->W.X.Y.Z 0 sec TCP PORT 445
    2003-2-23 23:05:14 Deny  12.229.115.40->W.X.Y.Z   0 sec TCP PORT 445
    2003-2-23 23:05:14 Deny  12.231.161.15->W.X.Y.Z   0 sec TCP PORT 445
    2003-2-23 23:05:13 Deny  217.162.7.16->W.X.Y.Z 	  0 sec TCP PORT 445
    2003-2-23 23:05:13 Deny  62.190.172.203->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:13 Deny  12.242.250.247->W.X.Y.Z  0 sec TCP PORT 445
    2003-2-23 23:05:13 Deny  217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
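
The pattern described in this thread (many distinct sources denied on one port within minutes) can be flagged from deny lines in the layout quoted above. This is an added example, not part of the original messages; the 5-minute window, the 5-source threshold, the function names and the sample log (documentation address ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout of the deny lines quoted in the post:
# "2003-2-23 23:05:52 Deny  SRC->DST  0 sec TCP PORT 445"
LINE_RE = re.compile(
    r"^\s*(\d{4}-\d{1,2}-\d{1,2} \d{2}:\d{2}:\d{2})\s+Deny\s+"
    r"(\S+?)->\S+\s+\d+ sec\s+(TCP|UDP) PORT (\d+)\s*$")

def parse(lines):
    """Yield (time, source, protocol, port) per deny line; skip other lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def distributed_scans(lines, window=timedelta(minutes=5), min_sources=5):
    """Map (protocol, port) to the peak number of distinct sources denied
    within one window, for ports that reach min_sources (assumed threshold)."""
    recent, peaks = defaultdict(deque), {}
    for ts, src, proto, port in sorted(parse(lines)):  # log is newest-first
        q = recent[(proto, port)]
        q.append((ts, src))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = len({s for _, s in q})  # retries from one host count once
        if distinct >= min_sources:
            peaks[(proto, port)] = max(peaks.get((proto, port), 0), distinct)
    return peaks

# Constructed sample (documentation address ranges), not the poster's data.
SAMPLE_LOG = """\
2003-2-23 23:05:52 Deny  192.0.2.10->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:49 Deny  192.0.2.10->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:36 Deny  198.51.100.7->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:30 Deny  203.0.113.45->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:23 Deny  198.51.100.99->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:21 Deny  203.0.113.8->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:20 Deny  192.0.2.200->W.X.Y.Z  0 sec TCP PORT 80
2003-2-23 23:05:19 Deny  192.0.2.200->W.X.Y.Z  0 sec TCP PORT 80
2003-2-23 21:40:02 Deny  192.0.2.77->W.X.Y.Z  0 sec TCP PORT 445
not a firewall line
""".splitlines()

if __name__ == "__main__":
    for (proto, port), n in distributed_scans(SAMPLE_LOG).items():
        print(f"{proto}/{port}: {n} distinct sources within 5 minutes")
```

Counting distinct sources rather than raw denies keeps a single noisy host (the port 80 lines in the sample) from triggering the rule, while the paired retries from each scanner are counted once.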
    



    This archive was generated by hypermail 2b30 : Tue Mar 04 2003 - 11:27:19 PST