Security Incidents mailing list archives
RE: TCP 445 Scan?
From: "Thompson, Jason" <Jason.Thompson () xwave com>
Date: Thu, 6 Mar 2003 10:17:41 -0400
Actually while setting up a honeypot, I got it infected with a trojan, which
I am going to analyze shortly. After 4.5 hours of being on the net, I was
hit on port 445, and after the infection took place, the machine began
spamming out packets on port 445 to IP addresses incrementing the 4th octet
(24.222.5.6, 24.222.5.7, 24.222.5.8, etc). The scans were pretty quick. A
short time later I was getting traffic from my machine destined to a remote
machine on port 6667, so it is likely that it is some kind of IRC trojan
like Backdoor.IRC.Zcrew or something. I'm not cleaning it until I'm finished
the analysis.
The interesting thing is I had a similar thing happen to a client's PC at
the office last week, and I had to clean that as well. It was infected with
Backdoor.IRC.Zcrew. I believe incidents.org mentioned that this trojan (or
trojans like it) are back on the rise.
-Jason
-----Original Message-----
From: Brian McWilliams [mailto:brian () pc-radio com]
Sent: March 4, 2003 16:00
To: Charles Hamby; incidents () securityfocus com
Subject: Re: TCP 445 Scan?
Maybe it's this new worm?
http://www.viruslist.com/eng/viruslist.html?id=59741
Worm.Win32.Randon
Randon is a Virus-Worm distributed via IRC-channels and LANs with shared
resources.
When executed this worm installs its components into the subdirectory zxz
and/or zx in the Windows system directory and registers its main file and
the mIRC client in the Windows registry auto-run key (below):
HKLM\\Software\Microsoft\Windows\CurrentVersion\Run\updateWins
Randon then executes the above key and hides the process via the
HideWIndows utility. Randon connects to the IRC-server and executes its
scripts. In addition to DDoS attacks and IRC channel flooding, Randon scans
port 445 of other IRC clients.
[snip]
At 01:25 PM 2/27/2003, Charles Hamby wrote:
Morning/Afternoon All, Has anyone else recently been pegged with a large number of distributed TCP 445 scans over a short amount of time (within a few minutes)? A couple of days ago I was hit by roughly 60+ scans in a short amount of time; when I waded through it it wound up being about 45 unique IP address all looking for TCP 445. Below is an excerpt from my fireall log (Netscreen). Has anyone else been seeing these sorts of scans lately? I've only seen the one scan, so I haven't had a chance to capture any more traffic. -CDH 2003-2-23 23:05:52 Deny 213.51.247.114->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:49 Deny 213.51.247.114->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:36 Deny 213.51.21.143->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:33 Deny 213.51.21.143->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:30 Deny 12.242.204.86->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:27 Deny 12.242.204.86->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:23 Deny 62.253.118.133->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:21 Deny 65.163.177.202->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:20 Deny 62.253.118.133->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:19 Deny 217.1.167.84->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:18 Deny 65.163.177.202->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:18 Deny 12.231.241.129->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:18 Deny 24.66.39.214->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:17 Deny 12.229.115.40->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:16 Deny 62.190.172.203->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:16 Deny 217.1.167.84->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:16 Deny 217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:16 Deny 217.162.183.155->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:15 Deny 12.231.241.129->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:15 Deny 24.66.39.214->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:14 Deny 141.153.232.196->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:14 Deny 12.229.115.40->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:14 Deny 12.231.161.15->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:13 Deny 217.162.7.16->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:13 Deny 62.190.172.203->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:13 Deny 12.242.250.247->W.X.Y.Z 0 sec TCP PORT 445 2003-2-23 23:05:13 Deny 217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445 ----------------------------------------------------------------------- ----- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>
---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A> ------------------------- This e-mail communication (including any or all attachments) is intended only for the use of the person or entity to which it is addressed and may contain confidential and/or privileged material. If you are not the intended recipient of this e-mail, any use, review, retransmission, distribution, dissemination, copying, printing, or other use of, or taking of any action in reliance upon this e-mail, is strictly prohibited. If you have received this e-mail in error, please contact the sender and delete the original and any copy of this e-mail and any printout thereof, immediately. Your co-operation is appreciated. Le present courriel (y compris toute piece jointe) s'adresse uniquement a son destinataire, qu'il soit une personne ou un organisme, et pourrait comporter des renseignements privilegies ou confidentiels. Si vous n'etes pas le destinataire du courriel, il est interdit d'utiliser, de revoir, de retransmettre, de distribuer, de disseminer, de copier ou d'imprimer ce courriel, d'agir en vous y fiant ou de vous en servir de toute autre facon. Si vous avez recu le present courriel par erreur, priere de communiquer avec l'expediteur et d'eliminer l'original du courriel, ainsi que toute copie electronique ou imprimee de celui-ci, immediatement. Nous sommes reconnaissants de votre collaboration. ---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>
Current thread:
- Re: TCP 445 Scan?, (continued)
- Re: TCP 445 Scan? Bill McCarty (Mar 04)
- RE: TCP 445 Scan? kyle (Mar 04)
- RE: TCP 445 Scan? Frank Knobbe (Mar 05)
- RE: TCP 445 Scan? kyle (Mar 05)
- RE: TCP 445 Scan? Frank Knobbe (Mar 05)
- Re: TCP 445 Scan? Brian McWilliams (Mar 05)
- Re: TCP 445 Scan? Johannes Ullrich (Mar 06)
- RE: TCP 445 Scan? kyle (Mar 06)
- Re: TCP 445 Scan? Johannes Ullrich (Mar 06)
- Re: TCP 445 Scan? Tom_Staskiewicz (Mar 04)
- SV: TCP 445 Scan? Peter Kruse (Mar 05)
- RE: TCP 445 Scan? Lee_Fisher (Mar 04)
- RE: TCP 445 Scan? Thompson, Jason (Mar 06)