Security Incidents mailing list archives
Re: Port 445 increase?
From: "Eric Monti" <EMON44 () CBOT COM>
Date: Thu, 06 Jun 2002 14:46:47 -0500
TCP 445 is the Windows 2000 equivalent for what used to be port 139 in Windows NT. It is the new NetBIOS over TCP port or "nbsession". The fact that the scan (if thats what it is) also does an nbname lookup further reinforces the likelihood that either someone is looking for open shares or other holes via NBT, or that someone is actually accessing your Windows 2000 shares (warez repository?). If thats a Win2k system, turn on some auditing and see what is actually going on (to an extent... Win2k/NT logging leaves a lot to be desired) or throw up a sniffer that can decode NetBIOS over TCP. -EM
"Mike Hrubes" <MHrubes () wizmo com> 06/03/02 04:02PM >>>
Since around noon today (CST), we've really been getting hammered with tcp 445. Interestingly, it appears to be a tool or worm doing the scanning. All requests seem to follow the same basic format of ICMP, then 445, followed by nbname. The requests are coming from many many different IPs, but are all directed at a single box on our network. Just curious if anyone else out there is seeing anything like this? Thanks! MH ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Port 445 increase? Mike Hrubes (Jun 03)
- Re: Port 445 increase? Baribault, Gary (Jun 04)
- <Possible follow-ups>
- RE: Port 445 increase? Jim Harrison (SPG) (Jun 04)
- Re: Port 445 increase? Muhammad Faisal Rauf Danka (Jun 04)
- Re: Port 445 increase? Brian Collins (Jun 04)
- Re: Port 445 increase? Eric Monti (Jun 06)
- Re: Port 445 increase? Daniel Polombo (Jun 06)