Security Incidents mailing list archives

Re: Port 445 increase?


From: Muhammad Faisal Rauf Danka <mfrd () attitudex com>
Date: Tue, 4 Jun 2002 01:50:31 -0700 (PDT)

NetBIOS over TCP traditionally uses the following ports:

nbname 137/UDP
nbname 137/TCP
nbdatagram 138/UDP
nbsession 139/TCP

Direct hosted "NetBIOS-less" SMB traffic uses the following port:

MICROSOFT-DS 445/TCP
MICROSOFT-DS 445/UDP

Looks like you're being scanned for open shares (the usual), but the scanner/worm/potential intruder now knows about the "NetBIOS-less" SMB traffic port too.

This could be a DoS attack on port 445 too, see http://www.vnunet.com/News/1131065
but I doubt that, since you said it was followed by an nbname lookup, so it's probably looking for open shares.

Regards, 
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk

Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk


--- "Mike Hrubes" <MHrubes () wizmo com> wrote:
Since around noon today (CST), we've really been getting hammered with tcp 445. Interestingly, it appears to be a tool or worm doing the scanning. All requests seem to follow the same basic format of ICMP, then 445, followed by nbname. The requests are coming from many many different IPs, but are all directed at a single box on our network.

Just curious if anyone else out there is seeing anything like this?

Thanks!

MH
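As an added illustration, not part of either message in this thread, the following Python script shows how the pattern Mike describes (ICMP, then tcp/445, then an nbname lookup on udp/137, from many sources against one host) can be picked out of firewall logs. The log format, the IP addresses and the 60-second matching window are constructed assumptions for the example; the port table is the one listed in the reply above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NetBIOS-over-TCP and direct-hosted SMB ports as listed in the reply.
NETBIOS_SMB_PORTS = {
    ("udp", 137): "nbname",
    ("tcp", 137): "nbname",
    ("udp", 138): "nbdatagram",
    ("tcp", 139): "nbsession",
    ("tcp", 445): "microsoft-ds",
    ("udp", 445): "microsoft-ds",
}

# The probe sequence reported in the thread: ICMP echo, tcp/445, then udp/137.
SCAN_SEQUENCE = (("icmp", None), ("tcp", 445), ("udp", 137))

# Constructed sample log lines in a hypothetical firewall format
# "<date> <time> <proto> <src> -> <dst>[:<dport>]"; addresses are documentation ranges.
SAMPLE_LOG = """\
2002-06-03 12:01:05 icmp 198.51.100.7 -> 192.0.2.10
2002-06-03 12:01:06 tcp 198.51.100.7 -> 192.0.2.10:445
2002-06-03 12:01:07 udp 198.51.100.7 -> 192.0.2.10:137
2002-06-03 12:02:11 icmp 203.0.113.44 -> 192.0.2.10
2002-06-03 12:02:12 tcp 203.0.113.44 -> 192.0.2.10:445
2002-06-03 12:02:13 udp 203.0.113.44 -> 192.0.2.10:137
2002-06-03 12:03:00 tcp 203.0.113.99 -> 192.0.2.10:80
2002-06-03 12:04:40 tcp 198.51.100.200 -> 192.0.2.10:445
"""


def parse_line(line):
    """Parse one log line of the constructed format into a dict."""
    date, time, proto, src, _arrow, dst = line.split()
    dport = None
    if ":" in dst:
        dst, port = dst.rsplit(":", 1)
        dport = int(port)
    return {
        "ts": datetime.fromisoformat(f"{date} {time}"),
        "proto": proto.lower(),
        "src": src,
        "dst": dst,
        "dport": dport,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def _matches_sequence(events, window):
    """True if time-sorted events contain SCAN_SEQUENCE in order within `window`."""
    i, start = 0, None
    for ev in events:
        proto, port = SCAN_SEQUENCE[i]
        if ev["proto"] == proto and ev["dport"] == port:
            if i == 0:
                start = ev["ts"]
            elif ev["ts"] - start > window:
                i, start = 0, None  # stale partial match; wait for a fresh ICMP
                continue
            i += 1
            if i == len(SCAN_SEQUENCE):
                return True
    return False


def find_scan_sources(log_text, window_seconds=60):
    """Map each destination to the sorted sources that ran the full probe sequence."""
    by_pair = defaultdict(list)
    for ev in parse_log(log_text):
        by_pair[(ev["src"], ev["dst"])].append(ev)
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(list)
    for (src, dst), events in by_pair.items():
        events.sort(key=lambda e: e["ts"])
        if _matches_sequence(events, window):
            hits[dst].append(src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


def port_hit_counts(log_text):
    """Count hits per named NetBIOS/SMB service, regardless of sequence."""
    counts = defaultdict(int)
    for ev in parse_log(log_text):
        name = NETBIOS_SMB_PORTS.get((ev["proto"], ev["dport"]))
        if name:
            counts[name] += 1
    return dict(counts)


if __name__ == "__main__":
    for dst, srcs in find_scan_sources(SAMPLE_LOG).items():
        print(f"{dst}: probed by {len(srcs)} distinct sources: {', '.join(srcs)}")
    print("service hits:", port_hit_counts(SAMPLE_LOG))
```

The sequence check is deliberately stricter than a raw count of tcp/445 hits: a single connection to 445 (the last sample line) or ordinary web traffic does not trigger it, while the distinct-source count per target gives the "many IPs, one box" signal that distinguishes a sweeping tool or worm from a lone misconfigured client.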



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
