Security Incidents mailing list archives

increase in smb scans


From: Lee Ayres <ayres () i-dep com>
Date: Fri, 8 Mar 2002 17:13:05 -0600

SANS NewsBites Vol. 4 Num. 10 opens with the following
paragraph.

"Hackers are currently scanning the entire Internet looking for Windows
systems with unprotected shares. They have found thousands or perhaps
tens of thousands of vulnerable systems and installed remote-control
bots on those systems.  If you have not checked your systems and your
family's systems for open shares, now would be a very good time to
find them and protect them."

I can confirm that I have seen what looks like a steep increase in these
scans as well.  

Nathan W. Labadie writes:
Has anyone else noticed a _huge_ increase in SMB scans? I'm seeing sweeps 
of various subnets 5-10 times a day. This started around two weeks ago... 
they appear to be looking for open \\<netbios-name>\C shares. My guess is 
that they're looking for machines previously infected with Nimda, but I 
could be wrong. It shows up as "NETBIOS SMB C access" under snort, and 
"Tree Connect AndX Request" when the tcpdump is viewed with ethereal. 

-- 
Nathan W. Labadie       | ab0781 () wayne edu        
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.1338 fax
C&IT Information Security Office: http://security.wayne.edu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

-- 
Lee Ayres <ayres () i-dep com>
Systems Security Administrator
I-DEP, LLC

phone number (312 738 0740)
fax number   (312 738 0748)
www.i-dep.com
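
One way to count the sweeps described in this thread, as an added example that is not part of the original messages: it parses Snort fast-format alert lines for the "NETBIOS SMB C access" message quoted above and reports each source that touched several distinct hosts. The sample lines, addresses, placeholder sid and the `min_hosts` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Snort "fast" alert layout:
#   timestamp [**] [gid:sid:rev] message [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

# Constructed sample alerts (documentation address ranges, placeholder sid 1:0:0).
SAMPLE_ALERTS = """
03/08-09:14:02.101000  [**] [1:0:0] NETBIOS SMB C access [**] [Priority: 2] {TCP} 198.51.100.7:3121 -> 192.0.2.10:139
03/08-09:14:02.350000  [**] [1:0:0] NETBIOS SMB C access [**] [Priority: 2] {TCP} 198.51.100.7:3122 -> 192.0.2.11:139
03/08-09:14:02.612000  [**] [1:0:0] NETBIOS SMB C access [**] [Priority: 2] {TCP} 198.51.100.7:3123 -> 192.0.2.12:139
03/08-09:14:03.020000  [**] [1:0:0] NETBIOS SMB C access [**] [Priority: 2] {TCP} 198.51.100.7:3124 -> 192.0.2.12:139
03/08-11:40:17.500000  [**] [1:0:0] NETBIOS SMB C access [**] [Priority: 2] {TCP} 203.0.113.44:1045 -> 192.0.2.10:139
03/08-11:41:00.000000  [**] [1:0:0] ICMP PING [**] [Priority: 3] {ICMP} 203.0.113.44 -> 192.0.2.10
""".strip().splitlines()


def find_smb_sweeps(lines, msg="NETBIOS SMB C access", min_hosts=3):
    """Map each source IP to the sorted distinct hosts it probed.

    Only alerts whose message equals `msg` and whose destination port is an
    SMB port are counted; a source is reported once it reaches `min_hosts`
    distinct destinations, which separates a subnet sweep from a one-off hit.
    """
    targets = defaultdict(set)
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue  # unparseable or port-less (e.g. ICMP) alert
        if m["msg"] != msg or int(m["dport"]) not in SMB_PORTS:
            continue
        targets[m["src"]].add(m["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_hosts}


if __name__ == "__main__":
    for src, dsts in find_smb_sweeps(SAMPLE_ALERTS).items():
        print(f"{src} probed {len(dsts)} hosts: {', '.join(dsts)}")
```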

