Security Incidents mailing list archives

New CIFS (port 445) worm?


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 17 Dec 2002 08:30:13 -0800

  Overnight, I logged 13 connection attempts from random
Internet addresses to my machine.  10 of them were to
port 445, which is up significantly from a week ago.
  I'm also seeing lots of probes of this port at other
network points.

  Yesterday I also had to disconnect two ports on our
network because the machines on those ports were probing
random Internet addresses on this port -- fast enough 
that one of our core routers was choking.

  My assumption, at this point, is that those two machines
(and a bunch more out on the Internet) have been infected 
with something.  The choice of port 445 suggests Win 2000/XP
file shares as the infection vector.

  Anybody got more information?

David Gillett
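
The symptom reported in this post, internal machines probing many random Internet addresses on port 445, can be looked for in connection logs by counting distinct external destinations per source. The sketch below is an added example, not part of the original message; the log format, the addresses, the internal network range, the window and the threshold are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: site address space
PORT = 445        # port named in the post
WINDOW = 60       # seconds per counting bucket (assumed)
THRESHOLD = 20    # distinct external destinations per bucket (assumed)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return any(addr in net for net in INTERNAL_NETS)

def find_scanners(lines):
    """Return {src: peak count of distinct external dsts on PORT in one window}."""
    buckets = defaultdict(set)  # (src, window index) -> external destinations
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, src, dst, dport = parts
        try:
            if int(dport) != PORT or not is_internal(src) or is_internal(dst):
                continue  # only internal -> external traffic on PORT matters
            buckets[(src, int(ts) // WINDOW)].add(dst)
        except ValueError:
            continue  # non-numeric field or bad address
    flagged = {}
    for (src, _), dsts in buckets.items():
        if len(dsts) >= THRESHOLD:
            flagged[src] = max(flagged.get(src, 0), len(dsts))
    return flagged

def make_sample():
    """Constructed records: 'epoch_seconds src_ip dst_ip dst_port' per TCP SYN."""
    lines = []
    for i in range(40):
        t = 1000 + i // 10
        # sweeps 40 distinct Internet addresses on 445 within a few seconds
        lines.append(f"{t} 10.1.2.30 198.51.100.{i + 1} 445")
        # repeated 445 traffic to one internal file server (normal)
        lines.append(f"{t} 10.1.2.40 10.1.9.5 445")
        # many external destinations, but on port 80 (ordinary browsing)
        lines.append(f"{t} 10.1.2.50 203.0.113.{i + 1} 80")
    return lines

if __name__ == "__main__":
    for src, count in find_scanners(make_sample()).items():
        print(f"{src}: {count} distinct external hosts on tcp/{PORT} in {WINDOW}s")
```

Counting distinct destinations rather than raw connections keeps a busy client of a single file server from being flagged alongside a host that is sweeping address space.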



