Security Incidents mailing list archives
RE: TCP 445 Scan?
From: Charles Hamby <fixer () gci net>
Date: Tue, 04 Mar 2003 10:22:50 -0900
Simple curiosity more than anything. This amount of activity over such a short amount of time is highly unusual and I was curious if others were encountering the same thing or if there was a particular script kiddie tool that could be associated with this pattern of activity.

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Tuesday, March 04, 2003 7:00 AM
To: incidents () securityfocus com
Subject: Re: TCP 445 Scan?

Just out of curiosity, if the SYN packets are denied...why bother?

I'm not asking to be a jerk or anything, I'm simply asking b/c our mindset is that if it's blocked, we have other, more important things that require our attention, so we ignore it.

--- Charles Hamby <fixer () gci net> wrote:
Morning/Afternoon All,

Has anyone else recently been pegged with a large number of distributed TCP 445 scans over a short amount of time (within a few minutes)? A couple of days ago I was hit by roughly 60+ scans in a short amount of time; when I waded through it, it wound up being about 45 unique IP addresses all looking for TCP 445. Below is an excerpt from my firewall log (Netscreen). Has anyone else been seeing these sorts of scans lately? I've only seen the one scan, so I haven't had a chance to capture any more traffic.

-CDH

2003-2-23 23:05:52 Deny 213.51.247.114->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:49 Deny 213.51.247.114->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:36 Deny 213.51.21.143->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:33 Deny 213.51.21.143->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:30 Deny 12.242.204.86->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:27 Deny 12.242.204.86->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:23 Deny 62.253.118.133->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:21 Deny 65.163.177.202->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:20 Deny 62.253.118.133->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:19 Deny 217.1.167.84->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:18 Deny 65.163.177.202->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:18 Deny 12.231.241.129->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:18 Deny 24.66.39.214->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:17 Deny 12.229.115.40->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:16 Deny 62.190.172.203->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:16 Deny 217.1.167.84->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:16 Deny 217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:16 Deny 217.162.183.155->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:15 Deny 12.231.241.129->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:15 Deny 24.66.39.214->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:14 Deny 141.153.232.196->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:14 Deny 12.229.115.40->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:14 Deny 12.231.161.15->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:13 Deny 217.162.7.16->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:13 Deny 62.190.172.203->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:13 Deny 12.242.250.247->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:13 Deny 217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
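The pattern described in the original post (many distinct sources denied on the same port within a few minutes) can be pulled out of a firewall log automatically. The following is an added example, not part of any poster's message: the function names, the window and threshold values, and the sample lines (documentation-range addresses) are constructed for illustration, and the line layout is assumed from the excerpt in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line layout assumed from the excerpt in the thread, e.g.
# "2003-2-23 23:05:52 Deny 213.51.247.114->W.X.Y.Z 0 sec TCP PORT 445"
LINE_RE = re.compile(
    r"^(\d{4}-\d{1,2}-\d{1,2} \d{2}:\d{2}:\d{2}) (\w+) "
    r"(\S+)->(\S+) \d+ sec (\w+) PORT (\d+)$"
)

def parse(line):
    """Return (timestamp, action, src, dst, proto, port) or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, proto, port = m.groups()
    return (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), action, src, dst, proto, int(port))

def distributed_bursts(lines, window=timedelta(seconds=60), min_sources=5):
    """Map (proto, port) -> peak number of distinct denied sources seen inside
    any sliding window, for ports whose peak reaches min_sources."""
    # The excerpt is newest-first, so sort into chronological order first.
    events = sorted(e for e in map(parse, lines) if e and e[1] == "Deny")
    recent = defaultdict(deque)  # (proto, port) -> (ts, src) pairs still in window
    peak = defaultdict(int)
    for ts, _action, src, _dst, proto, port in events:
        q = recent[(proto, port)]
        q.append((ts, src))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        # Count distinct sources, so one host retrying does not inflate the score.
        peak[(proto, port)] = max(peak[(proto, port)], len({s for _, s in q}))
    return {k: n for k, n in peak.items() if n >= min_sources}

# Constructed sample lines (RFC 5737 documentation addresses), not real log data.
SAMPLE = """\
2003-2-23 23:05:20 Deny 192.0.2.10->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:18 Deny 198.51.100.7->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:17 Deny 192.0.2.10->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:16 Deny 203.0.113.5->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:15 Deny 198.51.100.7->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:14 Deny 203.0.113.99->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:13 Deny 192.0.2.44->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:01:02 Deny 192.0.2.200->W.X.Y.Z 0 sec TCP PORT 80
2003-2-23 22:40:00 Deny 198.51.100.250->W.X.Y.Z 0 sec TCP PORT 445
""".splitlines()

if __name__ == "__main__":
    for (proto, port), n in distributed_bursts(SAMPLE).items():
        print(f"{proto}/{port}: {n} distinct sources denied within 60s")
```

Counting distinct sources rather than raw denies separates a distributed sweep from a single host retrying its SYN, which is the distinction the original poster drew between 60+ scans and about 45 unique addresses.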
Current thread:
- TCP 445 Scan? Charles Hamby (Mar 04)
- Re: TCP 445 Scan? Adam Bultman (Mar 04)
- Re: TCP 445 Scan? H C (Mar 04)
- RE: TCP 445 Scan? Charles Hamby (Mar 05)
- Re: TCP 445 Scan? Bill McCarty (Mar 04)
- RE: TCP 445 Scan? kyle (Mar 04)
- RE: TCP 445 Scan? Frank Knobbe (Mar 05)
- RE: TCP 445 Scan? kyle (Mar 05)
- RE: TCP 445 Scan? Frank Knobbe (Mar 05)
- Re: TCP 445 Scan? Brian McWilliams (Mar 05)
- Re: TCP 445 Scan? Johannes Ullrich (Mar 06)
- RE: TCP 445 Scan? kyle (Mar 06)
- Re: TCP 445 Scan? Johannes Ullrich (Mar 06)
- <Possible follow-ups>
- Re: TCP 445 Scan? Tom_Staskiewicz (Mar 04)
- SV: TCP 445 Scan? Peter Kruse (Mar 05)
- RE: TCP 445 Scan? Lee_Fisher (Mar 04)
(Thread continues...)