Security Incidents mailing list archives

Re: New CIFS (port 445) worm?


From: Zen <zen () kill-9 it>
Date: Tue, 17 Dec 2002 19:03:38 +0100

On Tue, Dec 17, 2002 at 08:30:13AM -0800, David Gillett wrote:

        We're seeing a huge increase of tcp/445 scans on our networks
        too. For the moment, I just opened the port on my firewall to
        permit them through to a machine running tcpdump to capture all
        that's possible, to do further investigation.

  My assumption, at this point, is that those two machines
(and a bunch more out on the Internet) have been infected 
with something.  The choice of port 445 suggests Win 2000/XP
file shares as the infection vector.

        I agree. I hope you've not wiped out the machines, as it would
        be interesting to see what is acting, and how, so as to
        reproduce it and check for ourselves.

bye,
-- 
My home isn't cluttered; it's "passage restrictive."
zen () kill-9 it . Geek . And proud of it .
http://www.kill-9.it/jargon/html/entry/zen.html

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

