Re: increase in smb scans
From: Nathan W. Labadie (ab0781@wayne.edu)
Date: 03/15/02
From: "Nathan W. Labadie" <ab0781@wayne.edu>
To: incidents@securityfocus.com
Date: Fri, 15 Mar 2002 09:39:27 -0500
Something else that I've also noticed:
The attacks seem to be somewhat coordinated. Within a 15 minute period,
four different hosts all scanned a /24. Out of two /16's, we have three
or four subnets that get scanned on a semi-regular basis (as opposed to
the other couple hundred). I've attached the logs from one of the
subnets.
Any idea what tool they're using?
On Friday 08 March 2002 09:06 am, Nathan W. Labadie wrote:
> Has anyone else noticed a _huge_ increase in SMB scans? I'm seeing
> sweeps of various subnets 5-10 times a day. This started around two
> weeks ago... they appear to be looking for open \\<netbios-name>\C
> shares. My guess is that they're looking for machines previously
> infected with Nimda, but I could be wrong. It shows up as "NETBIOS
> SMB C access" under snort, and "Tree Connect AndX Request" when the
> tcpdump is viewed with ethereal.
--
Nathan W. Labadie       | ab0781@wayne.edu
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.1338 fax
C&IT Information Security Office: http://security.wayne.edu
- application/x-gzip attachment: smb-scan.log.gz
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
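The correlation described in the message above (several distinct hosts sweeping the same /24 inside a 15-minute window) can be checked mechanically. This is an added example, not part of the original post or its attached log: the alert lines are constructed in Snort's fast-alert layout with documentation addresses and a placeholder sid, and the function names and thresholds are assumptions taken from the figures in the message.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample alerts (not the attached log); sid 0 is a placeholder.
SAMPLE = """\
03/15-09:01:10.000000  [**] [1:0:0] NETBIOS SMB C access [**] {TCP} 198.51.100.7:1034 -> 192.0.2.10:139
03/15-09:02:00.000000  [**] [1:0:0] other constructed alert [**] {TCP} 198.51.100.50:4000 -> 192.0.2.10:80
03/15-09:04:42.000000  [**] [1:0:0] NETBIOS SMB C access [**] {TCP} 203.0.113.21:2211 -> 192.0.2.11:139
03/15-09:09:03.000000  [**] [1:0:0] NETBIOS SMB C access [**] {TCP} 198.51.100.99:1500 -> 192.0.2.200:139
03/15-09:14:55.000000  [**] [1:0:0] NETBIOS SMB C access [**] {TCP} 203.0.113.80:3120 -> 192.0.2.54:139
03/15-09:30:00.000000  [**] [1:0:0] NETBIOS SMB C access [**] {TCP} 198.51.100.7:1040 -> 10.20.30.5:139
03/15-10:10:00.000000  [**] [1:0:0] NETBIOS SMB C access [**] {TCP} 203.0.113.21:2215 -> 10.20.30.6:139
03/15-10:50:00.000000  [**] [1:0:0] NETBIOS SMB C access [**] {TCP} 198.51.100.99:1507 -> 10.20.30.7:139
03/15-11:30:00.000000  [**] [1:0:0] NETBIOS SMB C access [**] {TCP} 203.0.113.80:3125 -> 10.20.30.8:139
"""

LINE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[[\d:]+\] (.+?) \[\*\*\].*"
    r"\{TCP\} ([\d.]+):\d+ -> ([\d.]+):\d+$")

def parse(text, msg="NETBIOS SMB C access", year=2002):
    """Yield (time, source, destination /24) for alerts whose message is msg."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(2) == msg:
            # Fast-alert timestamps carry no year, so the caller supplies one.
            ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
            yield ts, m.group(3), ip_network(m.group(4) + "/24", strict=False)

def coordinated(text, window=timedelta(minutes=15), min_sources=4):
    """Map each /24 hit by >= min_sources hosts within window to those hosts."""
    by_net = defaultdict(list)
    for ts, src, net in parse(text):
        by_net[net].append((ts, src))
    hits = {}
    for net, events in by_net.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window start forward in time
            sources = {s for _, s in events[start:end + 1]}
            if len(sources) >= min_sources and len(sources) > len(hits.get(str(net), ())):
                hits[str(net)] = sources
    return hits
```

Calling `coordinated(SAMPLE)` flags only the /24 that four sources touched within 15 minutes; the second subnet sees the same sources spread over two hours and is not reported.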