increase in smb scans
From: Lee Ayres (ayres@i-dep.com) Date: 03/09/02
- Previous message: Mark Spencer: "Response from Activision re: RTCW?"
- In reply to: Nathan W. Labadie: "increase in smb scans"
- Next in thread: Hugo van der Kooij: "Re: increase in smb scans"
From: Lee Ayres <ayres@i-dep.com>
Date: Fri, 8 Mar 2002 17:13:05 -0600
To: "Nathan W. Labadie" <ab0781@wayne.edu>
SANS NewsBites Vol. 4 Num. 10 opens with the following
paragraph.
"Hackers are currently scanning the entire Internet looking for Windows
systems with unprotected shares. They have found thousands or perhaps
tens of thousands of vulnerable systems and installed remote-control
bots on those systems. If you have not checked your systems and your
family's systems for open shares, now would be a very good time to
find them and protect them."
I can confirm that I have seen what looks like a steep increase in these
scans as well.
Nathan W. Labadie writes:
> Has anyone else noticed a _huge_ increase in SMB scans? I'm seeing sweeps
> of various subnets 5-10 times a day. This started around two weeks ago...
> they appear to be looking for open \\<netbios-name>\C shares. My guess is
> that they're looking for machines previously infected with Nimda, but I
> could be wrong. It shows up as "NETBIOS SMB C access" under snort, and
> "Tree Connect AndX Request" when the tcpdump is viewed with ethereal.
>
> --
> Nathan W. Labadie | ab0781@wayne.edu
> Sr. Security Specialist | 313/577.2126
> Wayne State University | 313/577.1338 fax
> C&IT Information Security Office: http://security.wayne.edu
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
--
Lee Ayres <ayres@i-dep.com>
Systems Security Administrator
I-DEP, LLC
phone number (312 738 0740)
fax number (312 738 0748)
www.i-dep.com
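Added example, not part of either message: one way to turn the "NETBIOS SMB C access" alerts described in the thread into a per-source sweep report. It assumes Snort's "fast" alert line layout; the sample lines, the placeholder rule ids, the documentation-range addresses, the monitored subnet and the `min_hosts` threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in Snort "fast" alert layout. The [1:0:0] ids are
# placeholders and every address is from a documentation range.
SAMPLE_ALERTS = """\
03/08-09:14:01.100000  [**] [1:0:0] NETBIOS SMB C access [**] [Priority: 2] {TCP} 203.0.113.7:3312 -> 192.0.2.10:139
03/08-09:14:01.400000  [**] [1:0:0] NETBIOS SMB C access [**] [Priority: 2] {TCP} 203.0.113.7:3313 -> 192.0.2.11:139
03/08-09:14:02.000000  [**] [1:0:0] NETBIOS SMB C access [**] [Priority: 2] {TCP} 203.0.113.7:3314 -> 192.0.2.12:139
03/08-09:14:02.300000  [**] [1:0:0] NETBIOS SMB C access [**] [Priority: 2] {TCP} 203.0.113.7:3315 -> 192.0.2.13:139
03/08-09:20:10.000000  [**] [1:0:0] OTHER constructed alert [**] [Priority: 3] {TCP} 203.0.113.7:3320 -> 192.0.2.14:80
03/08-11:02:44.000000  [**] [1:0:0] NETBIOS SMB C access [**] [Priority: 2] {TCP} 198.51.100.23:1055 -> 192.0.2.10:139
03/08-11:02:50.000000  [**] [1:0:0] NETBIOS SMB C access [**] [Priority: 2] {TCP} 198.51.100.23:1056 -> 192.0.2.10:139
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{TCP\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def find_sweeps(text, monitored="192.0.2.0/24", min_hosts=3,
                msg="NETBIOS SMB C access"):
    """Map each source to the distinct monitored hosts it triggered `msg`
    against, keeping only sources that reached at least `min_hosts` hosts."""
    net = ip_network(monitored)
    targets = defaultdict(set)
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m or m["msg"] != msg:
            continue  # unparsable line or a different alert
        if ip_address(m["dst"]) in net:
            targets[m["src"]].add(m["dst"])
    # A single host hit repeatedly is not a sweep; many distinct hosts is.
    return {src: sorted(dsts, key=ip_address)
            for src, dsts in targets.items() if len(dsts) >= min_hosts}


if __name__ == "__main__":
    for src, hosts in find_sweeps(SAMPLE_ALERTS).items():
        print(f"{src} probed {len(hosts)} hosts: {', '.join(hosts)}")
```

Counting distinct destinations per source separates a subnet sweep from one client repeatedly touching a single share.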