RE: New Worm??? - High level of activity on port 445

From: Roger A. Grimes (roger_at_banneretcs.com)
Date: 04/29/04

    Date: Thu, 29 Apr 2004 14:19:22 -0400
    To: "Tony Abell" <TonAbe@osgtool.com>, <bugtraq@securityfocus.com>
    
    

    Without any more details, like traffic captures, I can only assume it is
    one of the new Lsass worms looking for MS04-011 vulnerable machines.

    http://www.sarc.com/avcenter/venc/data/hacktool.lsasssba.html

    Roger

    ************************************************************************
    ***
    *Roger A. Grimes, Computer Security Consultant
    *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+
    *email: roger@banneretcs.com
    *cell: 757-615-3355
    *Author of Malicious Mobile Code: Virus Protection for Windows by
    O'Reilly
    *http://www.oreilly.com/catalog/malmobcode
    *Author of upcoming Honeypots for Windows (Apress)
    ************************************************************************
    ****

    -----Original Message-----
    From: Tony Abell [mailto:TonAbe@osgtool.com]
    Sent: Thursday, April 29, 2004 12:45 PM
    To: 'bugtraq@securityfocus.com'
    Subject: New Worm??? - High level of activity on port 445

    Since late yesterday 4/28/04 afternoon around 4pm our firewall started
    throwing alarms on netprobes. We are seeing a large amount of probes
    coming from one machine that is probing random IPs on port 445. The
    source port is random as well. We traced it back to a Japanese Win2K
    machine w/SP4 installed. No idea if it's fully patched or not, I have no
    desire to put it back on my network to patch it until I get this figured
    out. I scanned the machine in safe mode as well as booting normally
    using SAV 8.1 with 4/28/04 Rev 38 defs and came up with nothing.

    Is anyone else seeing anything like this?

    Tony Abell
    Network Administrator
    OSG Tap & Die
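
A way to spot the pattern reported in this thread (one internal host probing many different addresses on TCP port 445 in a short time) in firewall logs. This is an added example, not part of the original messages; the log layout, the addresses and the thresholds are constructed assumptions, and the lines are assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log layout: "<ISO time> <action> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\S+) \S+ TCP (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

def find_445_scanners(lines, min_dests=5, window=timedelta(seconds=60)):
    """Return {src_ip: peak count of distinct TCP/445 destinations seen
    within `window`} for sources whose peak reaches `min_dests`."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(5) != "445":
            continue  # unparsable line, or not destined for port 445
        ts = datetime.fromisoformat(m.group(1))
        src, dst = m.group(2), m.group(4)
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= min_dests}

# Constructed sample: .50 fans out to many addresses, .20 talks to one file server.
SAMPLE_LOG = """
2004-04-28T16:00:01 DENY TCP 192.168.1.50:1045 -> 203.0.113.7:445
2004-04-28T16:00:02 DENY TCP 192.168.1.50:3310 -> 198.51.100.23:445
2004-04-28T16:00:02 ALLOW TCP 192.168.1.20:1100 -> 192.168.1.10:445
2004-04-28T16:00:03 DENY TCP 192.168.1.50:2207 -> 203.0.113.91:445
2004-04-28T16:00:04 DENY TCP 192.168.1.50:4518 -> 198.51.100.140:445
2004-04-28T16:00:05 ALLOW TCP 192.168.1.20:1101 -> 192.168.1.10:445
2004-04-28T16:00:06 DENY TCP 192.168.1.50:1999 -> 203.0.113.200:445
2004-04-28T16:00:07 ALLOW TCP 192.168.1.30:1200 -> 198.51.100.80:80
2004-04-28T16:00:08 DENY TCP 192.168.1.50:2750 -> 198.51.100.61:445
"""

if __name__ == "__main__":
    print(find_445_scanners(SAMPLE_LOG.splitlines()))
```

Counting distinct destinations rather than raw connections keeps a client that repeatedly talks to one file server on port 445 out of the result.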

