Security Incidents mailing list archives

Numerous TCP port 445 scans on 3/2/03


From: Kevin Patz <jambo_cat () yahoo com>
Date: 3 Mar 2003 14:26:20 -0000



While going through my logs I came across a series of 
scans on TCP port 445 that took place on 3/2 between 
14:54 and 15:23 EST (GMT-5), from 42 different IP 
addresses.

Though I routinely see scans on 445 (W2K SMB), I've 
never seen a surge of them like this before.  They 
would come in about 2-3 per minute on average.  
Outside this time frame 445 scans are at a more 
average level, one or two per hour or so.

Here's a summary of the scans I picked up.  None of 
these IPs have scanned me in the past.

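
Added example, not part of the original post: one way to flag this kind of surge automatically, by counting previously unseen sources probing TCP 445 inside a sliding window. The log line format (modelled on the summary columns above), the 10-minute window, the 8-source threshold and the sample addresses (constructed, from documentation ranges) are all assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

def parse(line):
    # Assumed format, modelled on the post's summary columns:
    #   M/D/YYYY HH:MM:SS <source IP> <source port>  (all hits are to TCP 445)
    date, clock, src, sport = line.split()[:4]
    return datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S"), src, int(sport)

def find_surges(lines, window=timedelta(minutes=10), min_sources=8):
    """Return (start, end, n_sources) for each burst in which at least
    min_sources previously unseen sources probe within `window`."""
    seen, recent = set(), deque()   # known sources; first contacts in window
    surges, current = [], None
    for ts, src, _ in sorted(parse(l) for l in lines if l.strip()):
        if src in seen:             # repeat visitors are background noise here
            continue
        seen.add(src)
        recent.append((ts, src))
        while ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= min_sources:
            if current is None:
                current = [recent[0][0], ts, set()]
            current[1] = ts
            current[2].update(s for _, s in recent)
        elif current is not None:   # rate fell back to baseline: close burst
            surges.append((current[0], current[1], len(current[2])))
            current = None
    if current is not None:
        surges.append((current[0], current[1], len(current[2])))
    return surges

def sample_log():
    # Constructed data using documentation address ranges (RFC 5737).
    def fmt(ts, src, port):
        return f"{ts.month}/{ts.day}/{ts.year} {ts:%H:%M:%S} {src} {port}"
    day = datetime(2003, 3, 2)
    lines = [fmt(day + timedelta(hours=9 + h), f"192.0.2.{h + 1}", 1024 + h)
             for h in range(6)]                       # baseline: one per hour
    lines += [fmt(day + timedelta(hours=14, minutes=54, seconds=30 * i),
                  f"198.51.100.{i + 1}", 2000 + i)
              for i in range(30)]                     # burst: two per minute
    lines += [fmt(day + timedelta(hours=16 + h), f"203.0.113.{h + 1}", 3000 + h)
              for h in range(3)]                      # back to baseline
    return lines

if __name__ == "__main__":
    for start, end, n in find_surges(sample_log()):
        print(f"surge: {n} new sources between {start} and {end}")
```

Sources seen earlier are skipped on purpose, so a single host retrying many times does not register as a surge; only a rise in distinct new sources does.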
