Security Incidents
mailing list archives
Re: TCP 445 Scan?
From: Tom_Staskiewicz () fcnb com
Date: Tue, 4 Mar 2003 09:03:44 -0800
Charles,
Go out to Google and search on "port 445" and also "RFC 1568". RFC 1568
explains port 445 and when you search on port 445, the Internet Storm
Center and Dshield have logged the DoS info using this port. It looks like
you are not alone. Also copy this link and check out the article
http://www.vnunet.com/News/1131065 and its links to Microsoft for more
information.
Regards,
Tom Staskiewicz
Information Security Officer
First Consumers National Bank
503.520.7947
"Security is Everyone's Responsibility"
Charles Hamby <fixer () gci net>
02/27/03 10:25 AM
To: incidents () securityfocus com
cc:
Subject: TCP 445 Scan?
Morning/Afternoon All,
Has anyone else recently been pegged with a large number of distributed
TCP 445 scans over a short amount of time (within a few minutes)? A
couple of days ago I was hit by roughly 60+ scans in a short amount of
time; when I waded through it, it wound up being about 45 unique IP addresses
all looking for TCP 445. Below is an excerpt from my firewall log
(Netscreen). Has anyone else been seeing these sorts of scans lately?
I've only seen the one scan, so I haven't had a chance to capture any more
traffic.
-CDH
2003-2-23 23:05:52 Deny 213.51.247.114->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:49 Deny 213.51.247.114->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:36 Deny 213.51.21.143->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:33 Deny 213.51.21.143->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:30 Deny 12.242.204.86->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:27 Deny 12.242.204.86->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:23 Deny 62.253.118.133->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:21 Deny 65.163.177.202->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:20 Deny 62.253.118.133->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:19 Deny 217.1.167.84->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:18 Deny 65.163.177.202->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:18 Deny 12.231.241.129->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:18 Deny 24.66.39.214->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:17 Deny 12.229.115.40->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:16 Deny 62.190.172.203->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:16 Deny 217.1.167.84->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:16 Deny 217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:16 Deny 217.162.183.155->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:15 Deny 12.231.241.129->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:15 Deny 24.66.39.214->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:14 Deny 141.153.232.196->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:14 Deny 12.229.115.40->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:14 Deny 12.231.161.15->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:13 Deny 217.162.7.16->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:13 Deny 62.190.172.203->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:13 Deny 12.242.250.247->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:13 Deny 217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
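
Added example, not part of the original thread: a way to summarize deny lines in the layout quoted above and flag a port that many distinct sources hit within a short window. The five-minute window, the five-source threshold and the function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Deny-line layout as shown in the excerpt above.
LINE_RE = re.compile(r"(\d{4}-\d{1,2}-\d{1,2} \d\d:\d\d:\d\d)\s+Deny\s+"
                     r"(\S+?)->\S+\s.*?TCP PORT\s+(\d+)")

# First nine lines of the excerpt, plus two constructed lines (192.0.2.10,
# port 80): one noisy host, which should not count as a distributed scan.
SAMPLE = """\
2003-2-23 23:05:52 Deny 213.51.247.114->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:49 Deny 213.51.247.114->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:36 Deny 213.51.21.143->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:33 Deny 213.51.21.143->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:30 Deny 12.242.204.86->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:27 Deny 12.242.204.86->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:23 Deny 62.253.118.133->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:21 Deny 65.163.177.202->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:20 Deny 62.253.118.133->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:40 Deny 192.0.2.10->W.X.Y.Z 0 sec TCP PORT 80
2003-2-23 23:05:41 Deny 192.0.2.10->W.X.Y.Z 0 sec TCP PORT 80
""".splitlines()

def parse(lines):
    """Yield (timestamp, source, port) per deny line; skip anything else."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3))

def distributed_scans(events, window=timedelta(minutes=5), min_sources=5):
    """Map port -> (distinct sources, denies) for its busiest window."""
    by_port = defaultdict(list)
    for ts, src, port in events:
        by_port[port].append((ts, src))
    findings = {}
    for port, hits in by_port.items():
        hits.sort()
        start, best = 0, (0, 0)
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            sources = {src for _, src in hits[start:end + 1]}
            best = max(best, (len(sources), end - start + 1))
        if best[0] >= min_sources:  # many sources, one port, short time
            findings[port] = best
    return findings
```

Calling `distributed_scans(parse(SAMPLE))` reports port 445 only; repeated denies from a single address on port 80 stay below the source threshold.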