Educause Security Discussion mailing list archives
Re: Question on increased scanning/compromise activity
From: Alex Campoe <campoe () USF EDU>
Date: Wed, 11 Sep 2002 11:15:26 -0400
A good site to check for ports being scanned worldwide is www.dshield.org.
Check out http://www.dshield.org/port_report.php?port=445&Submit=Submit+Query
for specifics on port 445 scans.

Alex

-------
J. Alex Campoe
Associate Director, Systems, Academic Computing
Data Security Manager
University of South Florida
Phone (813) 974-1796

# -----Original Message-----
# From: The EDUCAUSE Security Discussion Group Listserv
# [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Herbert Baines III
# Sent: Wednesday, September 11, 2002 10:47 AM
# To: SECURITY () LISTSERV EDUCAUSE EDU
# Subject: [SECURITY] Question on increased scanning/compromise activity
#
# Since 8pm 9/6/2002 we have been experiencing a substantial increase in the
# number of external scans against GT systems (port 445). The scans are
# identifying open Windows fileshares. The background investigation into a
# sampling of known compromised systems does not yield forensic information
# that shows a conclusive method of compromise.
#
# We have established that there are a number of compromised IRC
# Windows-based servers, some of the IRC servers were created after Windows
# systems were compromised using the (undefined) filesharing port exploit.
#
# Our decentralized Computer Support Representatives are noticing compromised
# systems scanning locally for potential exploits.
#
# Has anyone seen increased in-bound 445 scanning and increased out-bound IRC
# activity at their sites?
#
#
# http://www.theregister.co.uk/content/4/27007.html
# http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
# http://www.theregus.com/content/4/26226.html
# http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21061
# http://www.theregister.co.uk/content/55/27036.html.
#
# Best regards,
#
# -Herb
# Herbert Baines III, CISSP
# Director, Georgia Tech Information Security
# Georgia Institute of Technology
# 258 4th Street
# Atlanta, GA 30332
# http://www.security.gatech.edu/architecture
# http://www.security.gatech.edu/policy/usage.html
# herbert.baines () oit gatech edu
#
# **********
# Participation and subscription information for this EDUCAUSE Discussion
# Group discussion list can be found at http://www.educause.edu/memdir/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/memdir/cg/.
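Added example, not part of the original thread: one way a site could check its own flow records for the pattern the question describes (external port 445 sweeps, internal hosts sweeping 445 locally, and outbound IRC from hosts that were previously hit on 445). The internal range, the IRC port 6667, the threshold, and all flow records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: campus address space
SMB_PORT = 445                                  # port named in the thread
IRC_PORTS = {6667}                              # assumption: conventional IRC port
SCAN_THRESHOLD = 3                              # assumption: distinct targets that count as a sweep

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (100, "198.51.100.7", "10.1.1.10", 445),
    (101, "198.51.100.7", "10.1.1.11", 445),
    (102, "198.51.100.7", "10.1.1.12", 445),
    (150, "10.1.1.11", "203.0.113.50", 6667),  # IRC after an inbound 445 hit
    (160, "10.1.1.11", "10.1.2.1", 445),
    (161, "10.1.1.11", "10.1.2.2", 445),
    (162, "10.1.1.11", "10.1.2.3", 445),
    (90, "10.1.1.20", "203.0.113.50", 6667),   # IRC with no prior inbound 445
    (200, "10.1.3.5", "10.1.3.6", 445),        # ordinary file-share use
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def triage(flows, threshold=SCAN_THRESHOLD):
    targets = defaultdict(set)  # src -> distinct internal hosts contacted on 445
    first_inbound = {}          # internal host -> time of first external 445 hit
    irc_after = set()           # internal hosts with outbound IRC after such a hit
    for ts, src, dst, dport in sorted(flows):  # process in time order
        if dport == SMB_PORT and is_internal(dst):
            targets[src].add(dst)
            if not is_internal(src):
                first_inbound.setdefault(dst, ts)
        elif dport in IRC_PORTS and is_internal(src) and not is_internal(dst):
            if src in first_inbound:
                irc_after.add(src)
    scanners = {s for s, hit in targets.items() if len(hit) >= threshold}
    return {
        "external_scanners": sorted(s for s in scanners if not is_internal(s)),
        "local_scanners": sorted(s for s in scanners if is_internal(s)),
        "irc_after_inbound_445": sorted(irc_after),
    }

if __name__ == "__main__":
    for name, hosts in triage(SAMPLE_FLOWS).items():
        print(name, hosts)
```

A host that appears in both `local_scanners` and `irc_after_inbound_445` matches the sequence reported in the thread and is the first candidate for forensic imaging.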
Current thread:
- Question on increased scanning/compromise activity Herbert Baines III (Sep 11)
- <Possible follow-ups>
- Re: Question on increased scanning/compromise activity Alex Campoe (Sep 11)