Security Incidents mailing list archives

Re: TCP 445 Scan?
From: Brian McWilliams <brian () pc-radio com>
Date: Tue, 04 Mar 2003 14:59:33 -0500

Maybe it's this new worm?

http://www.viruslist.com/eng/viruslist.html?id=59741


Worm.Win32.Randon

Randon is a Virus-Worm distributed via IRC channels and LANs with shared resources.

When executed, this worm installs its components into the subdirectory zxz and/or zx in the Windows system directory and registers its main file and the mIRC client in the Windows registry auto-run key (below):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updateWins

Randon then executes the above key and hides the process via the HideWindows utility. Randon connects to the IRC server and executes its scripts. In addition to DDoS attacks and IRC channel flooding, Randon scans port 445 of other IRC clients.

[snip]

At 01:25 PM 2/27/2003, Charles Hamby wrote:


Morning/Afternoon All,

Has anyone else recently been pegged with a large number of distributed
TCP 445 scans over a short amount of time (within a few minutes)?  A
couple of days ago I was hit by roughly 60+ scans in a short amount of
time; when I waded through it, it wound up being about 45 unique IP addresses
all looking for TCP 445.  Below is an excerpt from my firewall log
(Netscreen).  Has anyone else been seeing these sorts of scans lately?
I've only seen the one scan, so I haven't had a chance to capture any more
traffic.

-CDH


2003-2-23 23:05:52 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:49 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:36 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:33 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:30 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:27 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:23 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:21 Deny  65.163.177.202->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:20 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:19 Deny  217.1.167.84->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:18 Deny  65.163.177.202->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:18 Deny  12.231.241.129->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:18 Deny  24.66.39.214->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:17 Deny  12.229.115.40->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:16 Deny  62.190.172.203->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:16 Deny  217.1.167.84->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:16 Deny  217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:16 Deny  217.162.183.155->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:15 Deny  12.231.241.129->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:15 Deny  24.66.39.214->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:14 Deny  141.153.232.196->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:14 Deny  12.229.115.40->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:14 Deny  12.231.161.15->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:13 Deny  217.162.7.16->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:13 Deny  62.190.172.203->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:13 Deny  12.242.250.247->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:13 Deny  217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
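As an added example, not part of the list thread, the following Python detector looks for the pattern Charles describes: it parses Netscreen-style Deny lines like the excerpt above, slides a time window over the TCP 445 hits and counts distinct source addresses inside it, so a burst from many hosts stands out from one host retrying. The sample lines (documentation address ranges) and the threshold are constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the Netscreen Deny format quoted in the thread; the
# addresses are documentation ranges (RFC 5737), not the sources from the post.
SAMPLE_LOG = """\
2003-2-23 23:05:52 Deny  192.0.2.10->W.X.Y.Z     0 sec TCP PORT 445
2003-2-23 23:05:49 Deny  192.0.2.10->W.X.Y.Z     0 sec TCP PORT 445
2003-2-23 23:05:36 Deny  192.0.2.77->W.X.Y.Z     0 sec TCP PORT 445
2003-2-23 23:05:30 Deny  198.51.100.5->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:27 Deny  198.51.100.5->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:23 Deny  203.0.113.9->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:20 Deny  203.0.113.9->W.X.Y.Z    0 sec TCP PORT 139
2003-2-23 23:40:01 Deny  198.51.100.200->W.X.Y.Z 0 sec TCP PORT 445
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{1,2}-\d{1,2} \d{2}:\d{2}:\d{2}) Deny\s+"
    r"(?P<src>[\d.]+)->(?P<dst>\S+)\s+\d+ sec TCP PORT (?P<port>\d+)$"
)

def parse_line(line):
    """Parse one Deny line; None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"], "port": int(m["port"])}

def busiest_window(lines, port=445, window=timedelta(minutes=5)):
    """Slide a time window over Deny events for `port`; return the window with
    the most distinct sources as (start, end, sources). Retries count once."""
    events = sorted((e["ts"], e["src"]) for e in map(parse_line, lines)
                    if e and e["port"] == port)
    best, counts, j = (None, None, set()), Counter(), 0
    for i, (t0, _) in enumerate(events):
        while j < len(events) and events[j][0] - t0 <= window:  # grow right edge
            counts[events[j][1]] += 1
            j += 1
        if len(counts) > len(best[2]):
            best = (t0, events[j - 1][0], set(counts))
        counts[events[i][1]] -= 1                                # drop left edge
        if not counts[events[i][1]]:
            del counts[events[i][1]]
    return best

def is_distributed_scan(lines, min_sources=10, **kw):
    """True when some window holds at least `min_sources` distinct sources."""
    return len(busiest_window(lines, **kw)[2]) >= min_sources
```

On the sample, the busiest five-minute window holds four distinct sources on 445 while the port 139 line and the later lone hit are left out; tune `min_sources` to what is normal for your own perimeter before alerting on it.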
