Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: Port 445 increase?
From: Muhammad Faisal Rauf Danka <mfrd () attitudex com>
Date: Tue, 4 Jun 2002 01:50:31 -0700 (PDT)
NetBIOS over TCP traditionally uses the following ports:

nbname 137/UDP
nbname 137/TCP
nbdatagram 138/UDP
nbsession 139/TCP

Direct hosted "NetBIOS-less" SMB traffic uses the following port:

MICROSOFT-DS 445/TCP
MICROSOFT-DS 445/UDP

Looks like you're being scanned for open shares (the usual), but the scanner/worm/potential intruder now knows about 
"NeBIOS-less" SMB traffic port too.

This could be a DoS Attack on port 445 too, see http://www.vnunet.com/News/1131065
but i doubt that since you said It was followed by nbname lookup, so It's probably looking for openshares.

Regards, 
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk

Vice President
Pakistan Computer Emergency Responce Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk


--- "Mike Hrubes" <MHrubes () wizmo com> wrote:

Since around noon today (CST), we've really been getting hammered with tcp =
445.  Interestingly, it appears to be a tool or worm doing the scanning.  A=
ll requests seem to follow the same basic format of ICMP, then 445, followe=
d by nbname.  The requests are coming from many many different IPs, but are=
all directed at a single box on our network.

Just curious if anyone else out there is seeing anything like this?

Thanks!

MH



_____________________________________________________________
---------------------------
[ATTITUDEX.COM]
http://www.attitudex.com/
---------------------------

_____________________________________________________________
Promote your group and strengthen ties to your members with email () yourgroup org by Everyone.net  
http://www.everyone.net/?btn=tag

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]