Security Incidents
mailing list archives
Re: Port 445 increase?
From: "Eric Monti" <EMON44 () CBOT COM>
Date: Thu, 06 Jun 2002 14:46:47 -0500
TCP 445 is the Windows 2000 equivalent for what used to be port 139 in Windows NT. It is the new NetBIOS over TCP port
or "nbsession". The fact that the scan (if that's what it is) also does an nbname lookup further reinforces the
likelihood that either someone is looking for open shares or other holes via NBT, or that someone is actually accessing
your Windows 2000 shares (warez repository?). If that's a Win2k system, turn on some auditing and see what is actually
going on (to an extent... Win2k/NT logging leaves a lot to be desired) or throw up a sniffer that can decode NetBIOS
over TCP.
-EM
"Mike Hrubes" <MHrubes () wizmo com> 06/03/02 04:02PM >>>
Since around noon today (CST), we've really been getting hammered with tcp 445. Interestingly, it appears to be a tool
or worm doing the scanning. All requests seem to follow the same basic format of ICMP, then 445, followed by nbname.
The requests are coming from many, many different IPs, but are all directed at a single box on our network.
Just curious if anyone else out there is seeing anything like this?
Thanks!
MH
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
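The probe pattern reported in the quoted message (ICMP, then TCP 445, then nbname, from many sources against a single host) can be searched for in firewall logs. The following is an added example, not part of either poster's message; the log format, the 60-second window, the function names and the reading of "nbname" as UDP port 137 are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Probe stages in the order described in the thread.
# Assumption: "nbname" is the NetBIOS name service on UDP port 137.
STAGES = [("icmp", None), ("tcp", 445), ("udp", 137)]
WINDOW = 60  # assumed: max seconds between first and last stage

# Constructed sample log. Format (assumed): epoch src dst proto dport
SAMPLE_LOG = """\
1000 198.51.100.7 192.0.2.10 icmp -
1001 198.51.100.7 192.0.2.10 tcp 445
1002 198.51.100.7 192.0.2.10 udp 137
1003 203.0.113.44 192.0.2.10 icmp -
1004 203.0.113.44 192.0.2.10 tcp 445
1005 203.0.113.44 192.0.2.10 udp 137
1006 203.0.113.90 192.0.2.10 tcp 445
1007 198.51.100.23 192.0.2.11 icmp -
1200 198.51.100.23 192.0.2.11 tcp 445
1201 198.51.100.23 192.0.2.11 udp 137
truncated-or-garbled-line
"""

def parse(line):
    """Return (ts, src, dst, proto, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or not parts[0].isdigit():
        return None
    ts, src, dst, proto, dport = parts
    return int(ts), src, dst, proto.lower(), int(dport) if dport.isdigit() else None

def find_sequences(log_text, window=WINDOW):
    """Map each destination to the sources that completed every stage in order."""
    progress = {}  # (src, dst) -> (index of next expected stage, start time)
    hits = defaultdict(set)
    for ts, src, dst, proto, dport in filter(None, map(parse, log_text.splitlines())):
        idx, start = progress.get((src, dst), (0, ts))
        if idx == 0 or ts - start > window:
            idx, start = 0, ts  # nothing pending, or the pending sequence went stale
        if (proto, dport) == STAGES[idx]:
            idx += 1
        if idx == len(STAGES):
            hits[dst].add(src)
            idx = 0
        progress[(src, dst)] = (idx, start)
    return dict(hits)

def targeted_hosts(hits, min_sources=2):
    """Destinations probed with the full sequence by at least min_sources sources."""
    return sorted(dst for dst, srcs in hits.items() if len(srcs) >= min_sources)
```

On the sample, only 192.0.2.10 is reported: two sources complete the sequence against it, the lone TCP 445 hit is ignored, and the slow sequence against 192.0.2.11 falls outside the window.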