Security Incidents mailing list archives

Re: increase in smb scans


From: "Nathan W. Labadie" <ab0781 () wayne edu>
Date: Fri, 15 Mar 2002 09:39:27 -0500

Something else that I've also noticed:

The attacks seem to be somewhat coordinated. Within a 15 minute period, 
four different hosts all scanned a /24. Out of two /16's, we have three 
or four subnets that get scanned on a semi-regular basis (as opposed to 
the other couple hundred). I've attached the logs from one of the 
subnets.

Any idea what tool they're using?

On Friday 08 March 2002 09:06 am, Nathan W. Labadie wrote:
Has anyone else noticed a _huge_ increase in SMB scans? I'm seeing
sweeps of various subnets 5-10 times a day. This started around two
weeks ago... they appear to be looking for open \\<netbios-name>\C
shares. My guess is that they're looking for machines previously
infected with Nimda, but I could be wrong. It shows up as "NETBIOS
SMB C access" under snort, and "Tree Connect AndX Request" when the
tcpdump is viewed with ethereal.

-- 
Nathan W. Labadie       | ab0781 () wayne edu   
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.1338 fax
C&IT Information Security Office: http://security.wayne.edu

Attachment: smb-scan.log.gz
Description:

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
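
Added example, not part of the original message or its attachment: one way to check alert logs for the pattern described above, several distinct hosts each sweeping the same /24 inside a 15-minute window. The alert lines are constructed in Snort's fast-alert layout with a placeholder rule id and documentation-range source addresses; the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network
# Snort "fast" alert layout; only time, message, source and destination are used.
ALERT = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(.*?)\s+\[\*\*\]"
    r".*?\{TCP\}\s+([\d.]+):\d+\s+->\s+([\d.]+):\d+")

def coordinated_sweeps(lines, window=timedelta(minutes=15), min_sources=4,
                       min_targets=8, year=2002):
    """Map each /24 to the sources that swept it, when at least min_sources
    hosts each hit min_targets addresses of it inside one window."""
    events = defaultdict(list)            # /24 -> [(time, src, dst), ...]
    for line in lines:
        m = ALERT.match(line)
        if not m or "SMB C access" not in m.group(2):
            continue
        ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")  # year from caller
        subnet = ip_network(m.group(4) + "/24", strict=False)
        events[subnet].append((ts, m.group(3), m.group(4)))
    flagged = {}
    for subnet, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):   # slide the window start
            seen = defaultdict(set)                # src -> addresses touched
            for ts, src, dst in evs[i:]:
                if ts - start > window:
                    break
                seen[src].add(dst)
            sweepers = sorted(s for s, d in seen.items() if len(d) >= min_targets)
            if len(sweepers) >= min_sources:
                flagged[str(subnet)] = sweepers
                break
    return flagged

def sample_alerts():
    """Constructed data (placeholder rule id): four hosts sweep 10.20.30.0/24
    within 10 minutes; the first also sweeps 10.20.31.0/24 on its own."""
    fmt = ("03/15-{t:%H:%M:%S}.000000  [**] [1:0:0] NETBIOS SMB C access [**] "
           "[Priority: 3] {{TCP}} {src}:1025 -> {dst}:139")
    base, out = datetime(2002, 3, 15, 9, 0, 0), []
    srcs = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.99"]
    for n, src in enumerate(srcs):
        for host in range(1, 21):
            t = base + timedelta(minutes=3 * n, seconds=host)
            nets = ["10.20.30", "10.20.31"] if n == 0 else ["10.20.30"]
            out += [fmt.format(t=t, src=src, dst=f"{net}.{host}") for net in nets]
    return out
print(coordinated_sweeps(sample_alerts()))
```

Only the subnet swept by all four sources is reported; the /24 touched by a single host stays below the source threshold.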
