Re: New CIFS (port 445) worm?
From: Zen (zen@kill-9.it)
Date: 12/17/02
- Previous message: OBrien, Brennan: "RE: Worm on 445/tcp?"
- In reply to: David Gillett: "New CIFS (port 445) worm?"
- Next in thread: Oliver.C.Rochford CFH: "Re[2]: Rooted, .haos on system"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 17 Dec 2002 19:03:38 +0100 From: Zen <zen@kill-9.it> To: David Gillett <gillettdavid@fhda.edu>
On Tue, Dec 17, 2002 at 08:30:13AM -0800, David Gillett wrote:
We're seeing a huge increase of tcp/445 scans on our networks
too. For the moment, I just opened the port on my firewall to
permit them through to a machine running tcpdump to capture all
that's possible, to do further investigation.
> My assumption, at this point, is that those two machines
> (and a bunch more out on the Internet) have been infected
> with something. The choice of port 445 suggests Win 2000/XP
> file shares as the infection vector.
I agree. I hope you've not wiped out the machines, as it would
be interesting to see what, and how, is acting so to reproduce
it and check by ourselves.
bye,
-- My home isn't cluttered; it's "passage restrictive." zen@kill-9.it . Geek . And proud of it . http://www.kill-9.it/jargon/html/entry/zen.html ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- Next message: james: "Re: fswserv.html ????"
- Previous message: OBrien, Brennan: "RE: Worm on 445/tcp?"
- In reply to: David Gillett: "New CIFS (port 445) worm?"
- Next in thread: Oliver.C.Rochford CFH: "Re[2]: Rooted, .haos on system"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
