Security Incidents mailing list archives

Re: TCP 445 Scan?


From: H C <keydet89 () yahoo com>
Date: Tue, 4 Mar 2003 08:00:04 -0800 (PST)

Just out of curiosity, if the SYN packets are
denied...why bother?  

I'm not asking to be a jerk or anything, I'm simply
asking b/c our mindset is that if it's blocked, we
have other, more important things that require our
attention, so we ignore it.

--- Charles Hamby <fixer () gci net> wrote:


Morning/Afternoon All,

Has anyone else recently been pegged with a large number of distributed
TCP 445 scans over a short amount of time (within a few minutes)?  A
couple of days ago I was hit by roughly 60+ scans in a short amount of
time; when I waded through it, it wound up being about 45 unique IP
addresses all looking for TCP 445.  Below is an excerpt from my firewall
log (Netscreen).  Has anyone else been seeing these sorts of scans
lately?  I've only seen the one scan, so I haven't had a chance to
capture any more traffic.

-CDH


2003-2-23 23:05:52 Deny  213.51.247.114->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:49 Deny  213.51.247.114->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:36 Deny  213.51.21.143->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:33 Deny  213.51.21.143->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:30 Deny  12.242.204.86->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:27 Deny  12.242.204.86->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:23 Deny  62.253.118.133->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:21 Deny  65.163.177.202->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:20 Deny  62.253.118.133->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:19 Deny  217.1.167.84->W.X.Y.Z     0 sec TCP PORT 445
2003-2-23 23:05:18 Deny  65.163.177.202->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:18 Deny  12.231.241.129->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:18 Deny  24.66.39.214->W.X.Y.Z     0 sec TCP PORT 445
2003-2-23 23:05:17 Deny  12.229.115.40->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:16 Deny  62.190.172.203->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:16 Deny  217.1.167.84->W.X.Y.Z     0 sec TCP PORT 445
2003-2-23 23:05:16 Deny  217.162.202.177->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:16 Deny  217.162.183.155->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:15 Deny  12.231.241.129->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:15 Deny  24.66.39.214->W.X.Y.Z     0 sec TCP PORT 445
2003-2-23 23:05:14 Deny  141.153.232.196->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:14 Deny  12.229.115.40->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:14 Deny  12.231.161.15->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:13 Deny  217.162.7.16->W.X.Y.Z     0 sec TCP PORT 445
2003-2-23 23:05:13 Deny  62.190.172.203->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:13 Deny  12.242.250.247->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:13 Deny  217.162.202.177->W.X.Y.Z  0 sec TCP PORT 445


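Added example, not part of either post: one way to turn deny lines in the layout quoted above into a per-port count of distinct sources, so a burst from many addresses against one port stands out from a single noisy host. The function names, the 5-minute window and the 5-source threshold are assumptions, and the sample lines are constructed with documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line layout as in the excerpt above:
#   2003-2-23 23:05:52 Deny  SRC->DST  0 sec TCP PORT 445
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{1,2}-\d{1,2} \d{2}:\d{2}:\d{2})\s+Deny\s+(?P<src>\S+?)->(?P<dst>\S+)"
    r"\s+\d+\s+sec\s+(?P<proto>\w+)\s+PORT\s+(?P<port>\d+)$"
)

def parse(lines):
    """Yield (time, src, dst, proto, port) per Deny line; skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["src"], m["dst"], m["proto"], int(m["port"])

def distributed_scans(lines, window=timedelta(minutes=5), min_sources=5):
    """Map (dst, proto, port) -> peak distinct sources in any one window, if >= min_sources."""
    by_target = defaultdict(list)
    for ts, src, dst, proto, port in parse(lines):
        by_target[(dst, proto, port)].append((ts, src))
    flagged = {}
    for target, events in by_target.items():
        events.sort()
        start = peak = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({src for _, src in events[start:end + 1]}))
        if peak >= min_sources:
            flagged[target] = peak
    return flagged

# Constructed sample (RFC 5737 documentation addresses), not the poster's log.
SAMPLE = """\
2003-2-23 23:05:13 Deny  192.0.2.11->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:14 Deny  192.0.2.12->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:15 Deny  198.51.100.7->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:16 Deny  192.0.2.11->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:16 Deny  198.51.100.9->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:18 Deny  203.0.113.5->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:40:00 Deny  203.0.113.77->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:06:00 Deny  203.0.113.50->W.X.Y.Z  0 sec TCP PORT 80
""".splitlines()
if __name__ == "__main__":
    print(distributed_scans(SAMPLE))
```

Retries from the same address count once, so the result reflects how many hosts took part rather than how many packets were dropped.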


