Security Incidents mailing list archives

Random 2packet-probes on port 445


From: Thomas Springer <tuevsec () gmx net>
Date: Wed, 29 Oct 2003 11:45:13 +0100

We get random SMB-Probes on Port 445 - every host sends out 2 Packets. We get these about once a second to random addresses in our /19-subnet. Sources are random IPs, every IP sends 2 Packets, differing in only the window-size of the packet.

Has anybody a hint about the source of these probes?

--dump--
1830.246754 219.133.7.195 -> 193.30.222.102 TCP 4265 > 445 [SYN] Seq=1437331649 Ack=0 Win=65535 Len=0

0000  00 00 0c 07 ac 00 00 03 32 72 b0 00 08 00 45 00   ........2r....E.
0010  00 30 34 d3 40 00 73 06 50 27 db 85 07 c3 c1 1e   .04.@.s.P'......
0020  de 66 10 a9 01 bd 55 ab f0 c1 00 00 00 00 70 02   .f....U.......p.
0030  ff ff a7 7e 00 00 02 04 05 b4 01 01 04 02         ...~..........

1833.443564 219.133.7.195 -> 193.30.222.102 TCP 4265 > 445 [SYN] Seq=1437331649 Ack=0 Win=65535 Len=0

0000  00 00 0c 07 ac 00 00 03 32 72 b0 00 08 00 45 00   ........2r....E.
0010  00 30 35 01 40 00 73 06 4f f9 db 85 07 c3 c1 1e   .05.@.s.O.......
0020  de 66 10 a9 01 bd 55 ab f0 c1 00 00 00 00 70 02   .f....U.......p.
0030  ff ff a7 7e 00 00 02 04 05 b4 01 01 04 02         ...~..........



--

Thomas Springer
TUEV ICS - IT-Security
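
Added example, not part of the original post: a Python decoder for the two dumped frames that reports which IPv4/TCP header fields differ between them and checks the IP header checksum. The hex strings are re-typed from the dump above; the function names are illustrative, and a plain 14-byte Ethernet II header (no VLAN tag) is assumed.

```python
import struct

# The two frames from the dump in the post (Ethernet II + IPv4 + TCP), as hex.
FRAME_1 = bytes.fromhex(
    "00000c07ac0000033272b00008004500"
    "003034d3400073065027db8507c3c11e"
    "de6610a901bd55abf0c1000000007002"
    "ffffa77e0000020405b401010402")
FRAME_2 = bytes.fromhex(
    "00000c07ac0000033272b00008004500"
    "00303501400073064ff9db8507c3c11e"
    "de6610a901bd55abf0c1000000007002"
    "ffffa77e0000020405b401010402")

def ip_checksum_ok(header):
    """A valid IPv4 header sums to 0xFFFF in 16-bit ones' complement."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(frame):
    """Return the IPv4 and TCP header fields of one Ethernet frame as a dict."""
    ip = frame[14:]                      # assumption: untagged Ethernet II
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length in bytes
    (_, _, _, ip_id, frag, ttl, _, ip_sum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    tcp = ip[ihl:]
    (sport, dport, seq, ack, off_flags, win,
     tcp_sum, _) = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4         # TCP header length in bytes
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ip_id": ip_id, "df": bool(frag & 0x4000), "ttl": ttl,
        "ip_sum": ip_sum, "ip_sum_ok": ip_checksum_ok(ip[:ihl]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x3F, "win": win, "tcp_sum": tcp_sum,
        "options": tcp[20:doff].hex(),   # raw TCP options (MSS, NOP, SACK-permitted here)
    }

def differing_fields(a, b):
    """Map each header field that differs to its (first, second) value pair."""
    fa, fb = decode(a), decode(b)
    return {k: (fa[k], fb[k]) for k in fa if fa[k] != fb[k]}

if __name__ == "__main__":
    for name, (v1, v2) in differing_fields(FRAME_1, FRAME_2).items():
        print(f"{name}: {v1:#06x} -> {v2:#06x}")
```

For these two frames the only fields reported as different are the IP identification and the IP header checksum; sequence number, window and TCP options decode identically.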


