Security Incidents mailing list archives

Re: TCP 445 Scan?

From: Bill McCarty <bmccarty () apu edu>
Date: Tue, 04 Mar 2003 07:41:34 -0800

--On Thursday, February 27, 2003 6:25 PM +0000 Charles Hamby
<fixer () gci net> wrote:

Has anyone else recently been pegged with a large number of distributed 
TCP 445 scans over a short amount of time (within a few minutes)?


No, but I've seen a slow TCP 445 scan that took several hours to transit
half of a class C network. However, the scan originated from a single IP.
The source and destination port of all packets was 13000. Snort flagged the
packets as related to the Shaft DDOS tool. But, I suspect the current tool
merely shares code with Shaft.

---------------------------------------------------
Bill McCarty

----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>

Current thread:

TCP 445 Scan? Charles Hamby (Mar 04)
- Re: TCP 445 Scan? Adam Bultman (Mar 04)
- Re: TCP 445 Scan? H C (Mar 04)
  - RE: TCP 445 Scan? Charles Hamby (Mar 05)
- Re: TCP 445 Scan? Bill McCarty (Mar 04)
- RE: TCP 445 Scan? kyle (Mar 04)
  - RE: TCP 445 Scan? Frank Knobbe (Mar 05)
    - RE: TCP 445 Scan? kyle (Mar 05)
- Re: TCP 445 Scan? Brian McWilliams (Mar 05)
  - Re: TCP 445 Scan? Johannes Ullrich (Mar 06)
    - RE: TCP 445 Scan? kyle (Mar 06)
- <Possible follow-ups>
- Re: TCP 445 Scan? Tom_Staskiewicz (Mar 04)
  - SV: TCP 445 Scan? Peter Kruse (Mar 05)
- RE: TCP 445 Scan? Lee_Fisher (Mar 04)
- RE: TCP 445 Scan? Thompson, Jason (Mar 06)