Security Incidents mailing list archives

RE: TCP 445 Scan?
From: <kyle () kylelai com>
Date: Tue, 4 Mar 2003 11:18:08 -0500

Based on my experience, it seems like a DDoS worm/Trojan is spreading via
port 445, which is the Microsoft Windows 2000 & XP "SMB over TCP" port.
Most of these types of worms/Trojans will look for open port 445, and use the
guessable "users list" with "password dictionary" within the worm/Trojan
files and try to compromise the systems.  Guessable users are usually like
"administrator", "admin", "test", "guest", "root", etc.

This type of worm/Trojan spreads by scanning random IPs and then starts guessing
user and password combinations; therefore, if you are a target, you will
see several attempts from the attackers in a short period of time.  If you
are compromised, this worm/Trojan can spread very quickly.

I analyzed the original mIRC (port 445) worm/Trojan back in Sept. 2002, and
it can be found at http://www.klcconsulting.net/mirc_virus_analysis.htm.
There have been several variants, and simplified versions of the worm like
Iraq_Oil.

The only good defense is to block ports 445 and 139 on your
firewall, and set strong passwords for every user on your network, including
administrator accounts.

Hope this helps,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klai () klcconsulting net
www.klcconsulting.net

-----Original Message-----
From: Charles Hamby [mailto:fixer () gci net]
Sent: Thursday, February 27, 2003 1:25 PM
To: incidents () securityfocus com
Subject: TCP 445 Scan?
Morning/Afternoon All,

Has anyone else recently been pegged with a large number of distributed
TCP 445 scans over a short amount of time (within a few minutes)?  A
couple of days ago I was hit by roughly 60+ scans in a short amount of
time; when I waded through it, it wound up being about 45 unique IP addresses
all looking for TCP 445.  Below is an excerpt from my firewall log
(Netscreen).  Has anyone else been seeing these sorts of scans lately?
I've only seen the one scan, so I haven't had a chance to capture any more
traffic.

-CDH


2003-2-23 23:05:52 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:49 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:36 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:33 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:30 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:27 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:23 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:21 Deny  65.163.177.202->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:20 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:19 Deny  217.1.167.84->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:18 Deny  65.163.177.202->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:18 Deny  12.231.241.129->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:18 Deny  24.66.39.214->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:17 Deny  12.229.115.40->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:16 Deny  62.190.172.203->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:16 Deny  217.1.167.84->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:16 Deny  217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:16 Deny  217.162.183.155->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:15 Deny  12.231.241.129->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:15 Deny  24.66.39.214->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:14 Deny  141.153.232.196->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:14 Deny  12.229.115.40->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:14 Deny  12.231.161.15->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:13 Deny  217.162.7.16->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:13 Deny  62.190.172.203->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:13 Deny  12.242.250.247->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:13 Deny  217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445

----------------------------------------------------------------------------

Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure


---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003
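The two messages above describe one detection problem from both sides: Charles sees many distinct source addresses hitting TCP 445 within a few minutes, and Kyle explains that each infected host retries against its target while guessing accounts. The script below is an added example, not code from either poster; it parses log lines in the same layout as the NetScreen excerpt, slides a time window over the port-445 denies, and reports the window with the most distinct sources together with the per-source retry count. The sample lines are constructed for the example (the destination is masked as W.X.Y.Z just as in the excerpt), and the five-minute window and three-source threshold are assumptions to tune for your own log volume.

```python
"""Detect a distributed TCP/445 scan in NetScreen-style firewall log lines."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in the same layout as the excerpt in the thread.
# Four distinct sources hit port 445 inside thirty seconds, one of them twice;
# the port-80 line and the lone 445 hit two hours earlier should not count.
SAMPLE_LOG = """\
2003-2-23 23:05:52 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:49 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:36 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:30 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:23 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 22:10:00 Deny  10.0.0.5->W.X.Y.Z        0 sec TCP PORT 80
2003-2-23 21:00:00 Deny  198.51.100.7->W.X.Y.Z    0 sec TCP PORT 445
"""

# Field layout assumed from the excerpt: date time action src->dst dur sec proto PORT n
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>\w+)\s+(?P<src>[\d.]+)->(?P<dst>\S+)\s+"
    r"(?P<dur>\d+) sec (?P<proto>\w+) PORT (?P<port>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return {
        "ts": ts,
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "port": int(m["port"]),
    }


def summarize_port_scan(lines, port=445, window=timedelta(minutes=5), min_sources=3):
    """Find the `window`-long span with the most distinct sources hitting `port`.

    Returns the distinct-source count, the sorted source list, attempts per
    source inside that span, the span bounds, and whether it crosses the
    `min_sources` threshold (the assumed alert condition).
    """
    events = sorted(
        (e for e in map(parse_line, lines)
         if e and e["proto"] == "TCP" and e["port"] == port),
        key=lambda e: e["ts"],
    )
    best = {"alert": False, "distinct_sources": 0, "sources": [],
            "attempts": {}, "window": None}
    start = 0
    for end, ev in enumerate(events):
        # Slide the left edge so events[start:end+1] spans at most `window`.
        while ev["ts"] - events[start]["ts"] > window:
            start += 1
        attempts = Counter(e["src"] for e in events[start:end + 1])
        # ">=" so a later, equally wide window that adds retries replaces the earlier one.
        if len(attempts) >= best["distinct_sources"]:
            best.update(
                distinct_sources=len(attempts),
                sources=sorted(attempts),
                attempts=dict(attempts),
                window=(events[start]["ts"], ev["ts"]),
            )
    best["alert"] = best["distinct_sources"] >= min_sources
    return best


if __name__ == "__main__":
    result = summarize_port_scan(SAMPLE_LOG.splitlines())
    print("alert:", result["alert"])
    print("distinct sources:", result["distinct_sources"], "between", *result["window"])
    for src, n in sorted(result["attempts"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:<16} {n} attempt(s)")
```

Run it against a real export by replacing `SAMPLE_LOG.splitlines()` with the lines of the firewall log; lines that do not match the assumed layout are skipped rather than raising. The sliding window is the important part: a per-source count alone would miss this traffic, since most sources in the excerpt connect only once or twice, and it is the number of distinct sources in a short span that distinguishes a worm sweep from ordinary background noise on port 445.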
