Security Incidents mailing list archives
RE: Port 445 increase? [UPDATE]
From: "Mike Hrubes" <MHrubes () wizmo com>
Date: Tue, 4 Jun 2002 12:20:35 -0500
Thanks for the replies from everyone. The scan/attack has stopped as of yesterday evening. I guess what I found
interesting was the pattern it followed. To me, it almost looked like a DOS because of the source IPs and the format
it followed. I discarded the idea of a scan as it wasn't done smartly. I had mulitple hits from the same IPs
throughout the day, all aimed at a single IP on our network...which happens to be our incoming address for our exchange
server.
For anyone that was interested in this, I'll throw up a bit of my logs (IP's are faked below...when I did lookups on
the IPs, it appeared the attacking address were probably compromised machines). I didn't ever get a packet capture
while the attack happend, so I won't be able to see exactly what they were trying to do (malformed packets, etc...).
Entire scan/attack lasted from 6:22am until 6:15pm CST on Jun 3. Recieved a block of requests (icmp, 445, nbname)
about 4-5 times a minute. Probably 20 different addresses total.
Dest. Port -> Source Addy -> Dest Addy -> Protocol -> Source Port
65.1.1.1 209.9.9.9 icmp
445 65.1.1.1 209.9.9.9 tcp 1111
nbname 65.1.1.1 209.9.9.9 udp nbname
67.1.1.1 209.9.9.9 icmp
445 67.1.1.1 209.9.9.9 tcp 1098
nbname 67.1.1.1 209.9.9.9 udp nbname
-----Original Message-----
From: Muhammad Faisal Rauf Danka [mailto:mfrd () attitudex com]
Sent: Tuesday, June 04, 2002 3:51 AM
To: incidents () securityfocus com
Subject: Re: Port 445 increase?
NetBIOS over TCP traditionally uses the following ports:
nbname 137/UDP
nbname 137/TCP
nbdatagram 138/UDP
nbsession 139/TCP
Direct hosted "NetBIOS-less" SMB traffic uses the following port:
MICROSOFT-DS 445/TCP
MICROSOFT-DS 445/UDP
Looks like you're being scanned for open shares (the usual), but the scanner/worm/potential intruder now knows about
"NeBIOS-less" SMB traffic port too.
This could be a DoS Attack on port 445 too, see http://www.vnunet.com/News/1131065
but i doubt that since you said It was followed by nbname lookup, so It's probably looking for openshares.
Regards,
---------
Muhammad Faisal Rauf Danka
Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Vice President
Pakistan Computer Emergency Responce Team (PakCERT)
web: www.pakcert.org
Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk
--- "Mike Hrubes" <MHrubes () wizmo com> wrote:
Since around noon today (CST), we've really been getting hammered with tcp = 445. Interestingly, it appears to be a tool or worm doing the scanning. A= ll requests seem to follow the same basic format of ICMP, then 445, followe= d by nbname. The requests are coming from many many different IPs, but are= all directed at a single box on our network. Just curious if anyone else out there is seeing anything like this? Thanks! MH
_____________________________________________________________ --------------------------- [ATTITUDEX.COM] http://www.attitudex.com/ --------------------------- _____________________________________________________________ Promote your group and strengthen ties to your members with email () yourgroup org by Everyone.net http://www.everyone.net/?btn=tag ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RE: Port 445 increase? [UPDATE] Mike Hrubes (Jun 04)