Re: TCP 445 Scan?

From: H C (keydet89@yahoo.com)
Date: 03/04/03

    Date: Tue, 4 Mar 2003 08:00:04 -0800 (PST)
    From: H C <keydet89@yahoo.com>
    To: incidents@securityfocus.com
    
    

    Just out of curiosity, if the SYN packets are
    denied...why bother?

    I'm not asking to be a jerk or anything, I'm simply
    asking b/c our mindset is that if it's blocked, we
    have other, more important things that require our
    attention, so we ignore it.

    --- Charles Hamby <fixer@gci.net> wrote:
    >
    >
    > Morning/Afternoon All,
    >
    > Has anyone else recently been pegged with a large number of distributed
    > TCP 445 scans over a short amount of time (within a few minutes)? A
    > couple of days ago I was hit by roughly 60+ scans in a short amount of
    > time; when I waded through it, it wound up being about 45 unique IP
    > addresses all looking for TCP 445. Below is an excerpt from my firewall
    > log (Netscreen). Has anyone else been seeing these sorts of scans lately?
    > I've only seen the one scan, so I haven't had a chance to capture any more
    > traffic.
    >
    > -CDH
    >
    >
    > 2003-2-23 23:05:52 Deny 213.51.247.114->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:49 Deny 213.51.247.114->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:36 Deny 213.51.21.143->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:33 Deny 213.51.21.143->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:30 Deny 12.242.204.86->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:27 Deny 12.242.204.86->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:23 Deny 62.253.118.133->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:21 Deny 65.163.177.202->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:20 Deny 62.253.118.133->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:19 Deny 217.1.167.84->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:18 Deny 65.163.177.202->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:18 Deny 12.231.241.129->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:18 Deny 24.66.39.214->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:17 Deny 12.229.115.40->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:16 Deny 62.190.172.203->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:16 Deny 217.1.167.84->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:16 Deny 217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:16 Deny 217.162.183.155->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:15 Deny 12.231.241.129->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:15 Deny 24.66.39.214->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:14 Deny 141.153.232.196->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:14 Deny 12.229.115.40->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:14 Deny 12.231.161.15->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:13 Deny 217.162.7.16->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:13 Deny 62.190.172.203->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:13 Deny 12.242.250.247->W.X.Y.Z 0 sec TCP PORT 445
    > 2003-2-23 23:05:13 Deny 217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
    >
    >


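The manual tally described in the quoted message (denied probes and distinct sources per port within a few minutes) can be automated; the following is an added example, not part of the original thread. The function names, the 5-minute window and the `min_sources` threshold are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Netscreen deny format as quoted in the thread, e.g.
# 2003-2-23 23:05:52 Deny 213.51.247.114->W.X.Y.Z 0 sec TCP PORT 445
ENTRY = re.compile(r"(\d{4}-\d{1,2}-\d{1,2} \d{2}:\d{2}:\d{2}) Deny "
                   r"(\S+?)->(\S+) \d+ sec (\w+) PORT (\d+)")

def parse_denies(text):
    """Return (time, src, dst, proto, port) tuples from a pasted excerpt.
    Quote markers ('>') and mail line-wrapping are undone before matching."""
    flat = " ".join(re.sub(r"(?m)^[ \t>]+", "", text).split())
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, proto, int(port))
            for ts, src, dst, proto, port in ENTRY.findall(flat)]

def distributed_scans(events, window=timedelta(minutes=5), min_sources=5):
    """Per (proto, port): deny count, distinct sources overall, and the peak
    number of distinct sources inside any single sliding window."""
    by_port = defaultdict(list)
    for when, src, _dst, proto, port in events:
        by_port[(proto, port)].append((when, src))
    report = {}
    for key, hits in by_port.items():
        hits.sort()
        peak = start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1          # slide the window's left edge forward
            peak = max(peak, len({s for _, s in hits[start:end + 1]}))
        report[key] = {"denies": len(hits), "sources": len({s for _, s in hits}),
                       "peak_sources": peak, "distributed": peak >= min_sources}
    return report

# Constructed sample (RFC 5737 documentation addresses, not the thread's log),
# partly wrapped and '>'-quoted the way the excerpt arrived by mail.
SAMPLE = """\
> 2003-2-23 23:05:52 Deny 192.0.2.10->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:49 Deny 192.0.2.10->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:36 Deny 198.51.100.7->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 23:05:30 Deny 203.0.113.25->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 22:30:00 Deny 203.0.113.77->W.X.Y.Z 0 sec TCP PORT 445
> 2003-2-23 22:40:02 Deny 203.0.113.99->W.X.Y.Z 0 sec TCP PORT 80
"""

if __name__ == "__main__":
    for key, row in sorted(distributed_scans(parse_denies(SAMPLE), min_sources=3).items()):
        print(key, row)
```

Reporting `peak_sources` separately from `sources` distinguishes a coordinated burst from the same number of unrelated probes spread across a day.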