Re: Worm activity

[Matt Kirchhoff <mek () pdx edu>]

Quoth Mark Bassett on 7/15/2005 10:49 PM:
> Adam Dyga wrote:
>
> > Hello,
> >
> > I run a network server. Firewall logs show that there are many worm
> > connection attempts mainly on ports 135 & 445. Is there any tool
> > (for Linux) that allows to collect information about the kind of
> > worms are trying to connect?
> >
> > Cheers, AD
>
> Typically a lot of viruses look to get in via NetBIOS (135-139 or so)
> and SSL (445).  Port 80 is also highly targeted.  I forget what port
> MS-SQL Server runs at, 

Just to correct/clarify:

TCP 139 & UDP 137: NetBIOS
TCP 135: RPC
TCP 445: SMB (SSL is 443)

SQL usually listens on TCP 1433.

--
mek () pdx edu