port 445 is also an attack vector for RPC-DCOM and 445 is only found on 2k / xp / 2k3 as well. as a side note, ASP running on IIS links to dcom functions, and port 80 is also another vector. with the prevalence of the dcom exploit, i imagine the port 445 scan is a side effect of routine exploit fingerprinting from would-be attackers.

Donnie Werner
morning_wood@e2-labs.com
http://e2-labs.com

visit http://exploitlabs.com and http://nothackers.org/about.php

----- Original Message -----
From: "Incist" <incistat_private>
To: "wirepair" <wirepairat_private>; <incidentsat_private>
Sent: Friday, August 08, 2003 3:28 PM
Subject: Re: port 445 probes continued

> 445 is Microsoft's DS Port. Someone is looking for Microsoft Networking
> services. Are they all WFWG or do you see different versions of lanman ?
> Sal
>
> ----- Original Message -----
> From: "wirepair" <wirepairat_private>
> To: <incidentsat_private>
>
> > Does anyone know precisely what this beast is that keeps rattling my
> > doors. Upon further scans i've noticed a pattern increasing
> > from my class B.
> > Here is the data that i'm getting from a majority of hosts:
> > 00 00 00 85 ff 53 4d 42 72 00 00 00 00 18                    |.......SMBr.....|
> > 00000070  53 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |S...............|
> > 00000080  ff fe 00 00 00 00 00 62 00 02 50 43 20 4e 45 54  |.......b..PC NET|
> > 00000090  57 4f 52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30  |WORK PROGRAM 1.0|
> > 000000a0  00 02 4c 41 4e 4d 41 4e 31 2e 30 00 02 57 69 6e  |..LANMAN1.0..Win|
> > 000000b0  64 6f 77 73 20 66 6f 72 20 57 6f 72 6b 67 72 6f  |dows for Workgro|
> > 000000c0  75 70 73 20 33 2e 31 61 00 02 4c 4d 31 2e 32 58  |ups 3.1a..LM1.2X|
> > 000000d0  30 30 32 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 02  |002..LANMAN2.1..|
> > 000000e0  4e 54 20 4c 4d 20 30 2e 31 32 00                 |NT LM 0.12.|
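
Added example, not part of the original thread: a small Python parser that decodes the quoted capture as an SMB1 Negotiate Protocol request and lists the dialects the probing client offers, which is the information Sal's question about WFWG versus LANMAN versions asks for. The frame bytes are transcribed from the hexdump above starting at the 00 00 00 85 session header; the function and constant names are chosen for this example.

```python
import struct

# Frame bytes transcribed from the hexdump quoted in the thread, starting at
# the session header (00 00 00 85). Names below are this example's own.
FRAME = bytes.fromhex("""
    00 00 00 85 ff 53 4d 42 72 00 00 00 00 18
    53 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    ff fe 00 00 00 00 00 62 00 02 50 43 20 4e 45 54
    57 4f 52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30
    00 02 4c 41 4e 4d 41 4e 31 2e 30 00 02 57 69 6e
    64 6f 77 73 20 66 6f 72 20 57 6f 72 6b 67 72 6f
    75 70 73 20 33 2e 31 61 00 02 4c 4d 31 2e 32 58
    30 30 32 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 02
    4e 54 20 4c 4d 20 30 2e 31 32 00
""")

SMB_HEADER_LEN = 32        # fixed SMB1 header size
SMB_COM_NEGOTIATE = 0x72   # command byte seen in the capture


def parse_negotiate(frame: bytes) -> dict:
    """Parse a port-445 SMB1 Negotiate request and return its dialect list."""
    if len(frame) < 4 + SMB_HEADER_LEN + 3 or frame[0] != 0x00:
        raise ValueError("not a complete session message")
    length = int.from_bytes(frame[1:4], "big")   # length prefix, big-endian
    smb = frame[4:4 + length]
    if len(smb) != length or length < SMB_HEADER_LEN + 3 or smb[:4] != b"\xffSMB":
        raise ValueError("truncated frame or missing SMB1 magic")
    if smb[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not a Negotiate Protocol request")
    flags = smb[9]
    (flags2,) = struct.unpack_from("<H", smb, 10)
    off = SMB_HEADER_LEN + 1 + 2 * smb[SMB_HEADER_LEN]  # skip WordCount + words
    if off + 2 > len(smb):
        raise ValueError("parameter block overruns frame")
    (byte_count,) = struct.unpack_from("<H", smb, off)
    data = smb[off + 2:off + 2 + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount overruns frame")
    dialects, pos = [], 0
    while pos < len(data):
        end = data.find(b"\x00", pos + 1)
        if data[pos] != 0x02 or end < 0:   # each entry: 0x02, ASCII name, NUL
            raise ValueError("malformed dialect entry")
        dialects.append(data[pos + 1:end].decode("ascii", "replace"))
        pos = end + 1
    return {"length": length, "flags": flags, "flags2": flags2, "dialects": dialects}


if __name__ == "__main__":
    for name in parse_negotiate(FRAME)["dialects"]:
        print(name)
```

The length prefix (0x85) and the ByteCount field (0x62) both agree with the six dialect strings in the dump, so the quoted capture is a complete, well-formed request.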
This archive was generated by hypermail 2b30 : Sun Aug 10 2003 - 10:56:56 PDT