Security Incidents mailing list archives

increase in smb scans

From: "Nathan W. Labadie" <ab0781 () wayne edu>
Date: Fri, 8 Mar 2002 09:06:37 -0500

Has anyone else noticed a _huge_ increase in SMB scans? I'm seeing sweeps 
of various subnets 5-10 times a day. This started around two weeks ago... 
they appear to be looking for open \\<netbios-name>\C shares. My guess is 
that there looking for machines previously infected with Nimda, but I 
could be wrong. It shows up as "NETBIOS SMB C access" under snort, and 
"Tree Connect AndX Request" when the tpcdump is viewed with ethereal. 

-- 
Nathan W. Labadie       | ab0781 () wayne edu   
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.1338 fax
C&IT Information Security Office: http://security.wayne.edu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

increase in smb scans Nathan W. Labadie (Mar 08)
- increase in smb scans Lee Ayres (Mar 10)
- Re: increase in smb scans Hugo van der Kooij (Mar 10)
- Re: increase in smb scans Nathan W. Labadie (Mar 15)