Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: large scale distributed scan of port tcp 445

From: "Rick Darsey" <rdarsey () aims1 com>
Date: Fri, 9 Aug 2002 14:56:42 -0500


A Google search turned this up

"Sending malformed packets to the Microsoft-ds port [TCP 445] can result in
kernel resources being allocated by the Lanman service," said KPMG. "The
consequences of such an attack could vary from the Windows 2000 host
completely ignoring the attack, to a blue screen"


Here is the link to the site
http://www.vnunet.com/News/1131065


From what I read, this is a DoS attack, and from the logs you sent, I would

say someone is probably trying to create a worm to exploit this, particuarly
looking at the fact that you got about 100 hits.  Maybe the script kiddie is
trying to get his script de-bugged.

Rick Darsey
MCSA (Win2K), Network +, SCO ACE

-----Original Message-----
From: Jim Harrison (SPG) [mailto:jmharr () microsoft com]
Sent: Friday, August 09, 2002 1:50 PM
To: Thomas Cannon; Rob Keown
Cc: Russell Fulton; incidents () securityfocus com
Subject: RE: large scale distributed scan of port tcp 445


Any W2K or later OS from Microsoft (except maybe .NET server) installs
with that port open.
It's not specific to XP.  It was added to W2K as a NetBIOS -135/139
replacement.

* Jim Harrison
MCP(NT4/2K), A+, Network+
Services Platform Division

The burden of proof is not satisfied by a lack of evidence to the
contrary..



-----Original Message-----
From: Thomas Cannon [mailto:tcannon () noops org]
Sent: Friday, August 09, 2002 9:54 AM
To: Rob Keown
Cc: 'Russell Fulton'; incidents () securityfocus com
Subject: RE: large scale distributed scan of port tcp 445


On Thu, 8 Aug 2002, Rob Keown wrote:


That is MS-DS as I recall. I don't see anything in my logs but dshield



has the port with a huge spike of targets, with low sources on 7/28.
http://isc.incidents.org/port_details.html?port=445 It was ranked 4th
on that day.

Cannot recall any exploits on this port or service.

Anyone know of any exploits on this?



I didn't know any, but this might be something to consider, if nothing
else:

http://www.sygate.com/alerts/XP_default_TCP445_open.htm


Cheers,

-tcannon




Rob Keown



----------------------------------------------------------------------
------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



"No brain, no headache"


------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: