Re: port 445 probes continued

From: morning_wood (se_cur_ityat_private)
Date: Fri Aug 08 2003 - 17:25:35 PDT

    port 445 is also an attack vector for RPC-DCOM and 445 is only found on 2k/
    xp / 2k3 as well.
    as a side note, ASP running on IIS links to dcom functions, and port 80 is
    also another vector.
    with the prevalence of the dcom exploit, i imagine the port 445 scan is a
    side effect of routine exploit fingerprinting from would-be attackers.
    
    Donnie Werner
    morning_wood@e2-labs.com
    http://e2-labs.com
    
    visit http://exploitlabs.com and http://nothackers.org/about.php
    
    
    
    ----- Original Message ----- 
    From: "Incist" <incistat_private>
    To: "wirepair" <wirepairat_private>; <incidentsat_private>
    Sent: Friday, August 08, 2003 3:28 PM
    Subject: Re: port 445 probes continued
    
    
    > 445 is Microsoft's DS Port.  Someone is looking for Microsoft Networking
    > services.  Are they all WFWG or do you see different versions of lanman ?
    > Sal
    >
    > ----- Original Message -----
    > From: "wirepair" <wirepairat_private>
    > To: <incidentsat_private>
    >
    > > Does anyone know precisely what this beast is that keeps rattling my
    > > doors. Upon further scans i've noticed a pattern increasing
    > > from my class B.
    > > Here is the data that i'm getting from a majority of hosts:
    > >           00 00 00 85 ff 53 4d 42 72 00 00 00 00 18 |.......SMBr.....|
    > > 00000070 53 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |S...............|
    > > 00000080 ff fe 00 00 00 00 00 62 00 02 50 43 20 4e 45 54 |.......b..PC NET|
    > > 00000090 57 4f 52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 |WORK PROGRAM 1.0|
    > > 000000a0 00 02 4c 41 4e 4d 41 4e 31 2e 30 00 02 57 69 6e |..LANMAN1.0..Win|
    > > 000000b0 64 6f 77 73 20 66 6f 72 20 57 6f 72 6b 67 72 6f |dows for Workgro|
    > > 000000c0 75 70 73 20 33 2e 31 61 00 02 4c 4d 31 2e 32 58 |ups 3.1a..LM1.2X|
    > > 000000d0 30 30 32 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 02 |002..LANMAN2.1..|
    > > 000000e0 4e 54 20 4c 4d 20 30 2e 31 32 00 |NT LM 0.12.|
    >
    >
    



    This archive was generated by hypermail 2b30 : Sun Aug 10 2003 - 10:56:56 PDT