RE: port 445 probes continued

From: Roberts, Chris (c.roberts1at_private)
Date: Sat Aug 09 2003 - 00:47:23 PDT


    We've been seeing increased activity from Randex.D worm infections, which
    generated similar types of scan patterns:
    
    http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html
    
    -----Original Message-----
    From: wirepair [mailto:wirepairat_private] 
    Sent: 08 August 2003 21:10
    To: incidentsat_private
    Subject: port 445 probes continued
    
    
    Does anyone know precisely what this beast is that keeps rattling my doors.
    Upon further scans I've noticed a pattern increasing from my class B.
    Here is the data that I'm getting from a majority of hosts:
              00 00 00 85 ff 53 4d 42 72 00 00 00 00 18 |.......SMBr.....|
    00000070 53 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |S...............|
    00000080 ff fe 00 00 00 00 00 62 00 02 50 43 20 4e 45 54 |.......b..PC NET|
    00000090 57 4f 52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 |WORK PROGRAM 1.0|
    000000a0 00 02 4c 41 4e 4d 41 4e 31 2e 30 00 02 57 69 6e |..LANMAN1.0..Win|
    000000b0 64 6f 77 73 20 66 6f 72 20 57 6f 72 6b 67 72 6f |dows for Workgro|
    000000c0 75 70 73 20 33 2e 31 61 00 02 4c 4d 31 2e 32 58 |ups 3.1a..LM1.2X|
    000000d0 30 30 32 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 02 |002..LANMAN2.1..|
    000000e0 4e 54 20 4c 4d 20 30 2e 31 32 00 |NT LM 0.12.|
    
    (this was taken from a custom program) I've received about 110 probes in the
    past 24 hours, all with roughly the same first packet.
    -wire
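
The dump above is an SMB_COM_NEGOTIATE request carried in a NetBIOS session message: a 4-byte NBSS header (length 0x85 = 133), the 32-byte SMB header (0xFF "SMB", command 0x72, Flags 0x18, Flags2 0xC853, PID 0xFEFF), WordCount 0, ByteCount 0x62 = 98, and then six dialect strings each prefixed with 0x02 and NUL-terminated. The following is an added example, not code from either message in this thread, that decodes that dump as posted (the first line has no offset column, so the offset is treated as optional) and reduces it to a fingerprint built from the dialect list and the two flag fields; the flag bit names come from MS-CIFS, the `fingerprint` function and its format are this example's own choice, and the attribution to any particular worm is not something the parser can establish.

```python
import struct

# Constructed from the hex dump quoted in the post above (ASCII column kept,
# first line deliberately without an offset, exactly as it was posted).
POSTED_DUMP = """\
         00 00 00 85 ff 53 4d 42 72 00 00 00 00 18 |.......SMBr.....|
00000070 53 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |S...............|
00000080 ff fe 00 00 00 00 00 62 00 02 50 43 20 4e 45 54 |.......b..PC NET|
00000090 57 4f 52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 |WORK PROGRAM 1.0|
000000a0 00 02 4c 41 4e 4d 41 4e 31 2e 30 00 02 57 69 6e |..LANMAN1.0..Win|
000000b0 64 6f 77 73 20 66 6f 72 20 57 6f 72 6b 67 72 6f |dows for Workgro|
000000c0 75 70 73 20 33 2e 31 61 00 02 4c 4d 31 2e 32 58 |ups 3.1a..LM1.2X|
000000d0 30 30 32 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 02 |002..LANMAN2.1..|
000000e0 4e 54 20 4c 4d 20 30 2e 31 32 00 |NT LM 0.12.|
"""

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72

# Flags2 bits from MS-CIFS 2.2.3.1 (only the ones this example reports)
FLAGS2_BITS = {
    0x8000: "UNICODE",
    0x4000: "NT_STATUS",
    0x0800: "EXTENDED_SECURITY",
    0x0002: "EAS",
    0x0001: "LONG_NAMES",
}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset hh hh ... |ascii|' lines into bytes; the offset is optional."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split("|", 1)[0].split()      # drop the ASCII column
        if tokens and len(tokens[0]) == 8:            # 8-digit offset column
            tokens = tokens[1:]
        out.extend(int(t, 16) for t in tokens)
    return bytes(out)


def parse_negotiate_request(raw: bytes) -> dict:
    """Decode NBSS header + SMB header + SMB_COM_NEGOTIATE dialect list."""
    if len(raw) < 4 or raw[0] != 0x00:
        raise ValueError("not a NetBIOS session message (type 0x00)")
    nb_len = int.from_bytes(raw[1:4], "big")
    smb = raw[4:4 + nb_len]
    if len(smb) != nb_len or nb_len < 35:
        raise ValueError(f"truncated: NBSS says {nb_len} bytes, have {len(smb)}")
    if smb[:4] != SMB_MAGIC:
        raise ValueError("missing \\xffSMB signature")
    # SMB header: Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2)
    # SecuritySignature(8) Reserved(2) TID(2) PID(2) UID(2) MID(2); little-endian
    command = smb[4]
    status, flags, flags2 = struct.unpack_from("<IBH", smb, 5)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    if command != SMB_COM_NEGOTIATE:
        raise ValueError(f"command 0x{command:02x} is not SMB_COM_NEGOTIATE")
    if smb[32] != 0:
        raise ValueError("negotiate request must carry WordCount 0")
    byte_count, = struct.unpack_from("<H", smb, 33)
    data = smb[35:35 + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount runs past the end of the message")
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:                  # BufferFormat must be 0x02
            raise ValueError(f"bad dialect BufferFormat at offset {pos}")
        end = data.find(b"\x00", pos + 1)
        if end < 0:
            raise ValueError("unterminated dialect string")
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return {
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "flags2_names": [n for bit, n in FLAGS2_BITS.items() if flags2 & bit],
        "tid": tid, "pid": pid, "uid": uid, "mid": mid,
        "dialects": dialects,
    }


def fingerprint(parsed: dict) -> str:
    """Stable key for grouping probes: flag fields plus ordered dialect list."""
    return f"{parsed['flags']:02x}/{parsed['flags2']:04x}:" + "|".join(parsed["dialects"])


if __name__ == "__main__":
    info = parse_negotiate_request(hexdump_to_bytes(POSTED_DUMP))
    for k, v in info.items():
        print(f"{k:13} {v if not isinstance(v, int) else hex(v)}")
    print("fingerprint  ", fingerprint(info))
```

The dialect list and its order are what stay constant across one client implementation, so bucketing the 110 probes by `fingerprint()` separates "roughly the same first packet" into exactly-the-same groups before any comparison with a known client or worm is attempted; the parser rejects short messages rather than decoding a partial header, which matters when the capture tool only kept the first segment.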

    This archive was generated by hypermail 2b30 : Sun Aug 10 2003 - 11:08:21 PDT