RE: TCP 445 Scan?
From: Charles Hamby (fixer@gci.net)
Date: 03/04/03
- Previous message: James C Slora Jr: "RE: Spammers?"
- In reply to: H C: "Re: TCP 445 Scan?"
- Next in thread: Bill McCarty: "Re: TCP 445 Scan?"
Date: Tue, 04 Mar 2003 10:22:50 -0900
From: Charles Hamby <fixer@gci.net>
To: incidents@securityfocus.com
Simple curiosity more than anything. This amount of activity over such
a short amount of time is highly unusual and I was curious if others
were encountering the same thing or if there was a particular script
kiddie tool that could be associated with this pattern of activity.
-----Original Message-----
From: H C [mailto:keydet89@yahoo.com]
Sent: Tuesday, March 04, 2003 7:00 AM
To: incidents@securityfocus.com
Subject: Re: TCP 445 Scan?
Just out of curiosity, if the SYN packets are
denied...why bother?
I'm not asking to be a jerk or anything, I'm simply
asking b/c our mindset is that if it's blocked, we
have other, more important things that require our
attention, so we ignore it.
--- Charles Hamby <fixer@gci.net> wrote:
>
>
> Morning/Afternoon All,
>
> Has anyone else recently been pegged with a large
> number of distributed
> TCP 445 scans over a short amount of time (within a
> few minutes)? A
> couple of days ago I was hit by roughly 60+ scans in
> a short amount of
> time; when I waded through it it wound up being
> about 45 unique IP addresses
> all looking for TCP 445. Below is an excerpt from
> my firewall log
> (Netscreen). Has anyone else been seeing these
> sorts of scans lately?
> I've only seen the one scan, so I haven't had a
> chance to capture any more
> traffic.
>
> -CDH
>
>
> 2003-2-23 23:05:52 Deny 213.51.247.114->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:49 Deny 213.51.247.114->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:36 Deny 213.51.21.143->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:33 Deny 213.51.21.143->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:30 Deny 12.242.204.86->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:27 Deny 12.242.204.86->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:23 Deny 62.253.118.133->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:21 Deny 65.163.177.202->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:20 Deny 62.253.118.133->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:19 Deny 217.1.167.84->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:18 Deny 65.163.177.202->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:18 Deny 12.231.241.129->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:18 Deny 24.66.39.214->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:17 Deny 12.229.115.40->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:16 Deny 62.190.172.203->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:16 Deny 217.1.167.84->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:16 Deny 217.162.202.177->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:16 Deny 217.162.183.155->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:15 Deny 12.231.241.129->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:15 Deny 24.66.39.214->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:14 Deny 141.153.232.196->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:14 Deny 12.229.115.40->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:14 Deny 12.231.161.15->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:13 Deny 217.162.7.16->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:13 Deny 62.190.172.203->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:13 Deny 12.242.250.247->W.X.Y.Z 0
> sec TCP PORT 445
> 2003-2-23 23:05:13 Deny 217.162.202.177->W.X.Y.Z 0
> sec TCP PORT 445
>
>
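The pattern described in this thread (many distinct sources hitting one port within a few minutes) can be pulled out of a deny log automatically. The following is an added example, not part of the original messages: it assumes each log entry has been rejoined onto one line in the format of the excerpt above, and the window and source-count thresholds are hypothetical values chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the one-line form of the log excerpt above
# (documentation-range addresses, not taken from the post).
SAMPLE = """\
2003-2-23 23:05:13 Deny 192.0.2.10->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:14 Deny 198.51.100.7->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:16 Deny 192.0.2.10->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:18 Deny 203.0.113.44->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:05:21 Deny 203.0.113.90->W.X.Y.Z 0 sec TCP PORT 445
2003-2-23 23:20:02 Deny 192.0.2.200->W.X.Y.Z 0 sec TCP PORT 80
"""

LINE = re.compile(r"^(\d{4}-\d{1,2}-\d{1,2} \d{2}:\d{2}:\d{2}) Deny "
                  r"(\S+?)->(\S+) \d+ sec (TCP|UDP) PORT (\d+)$")

def parse(text):
    """Yield (timestamp, src, proto, port) for each Deny line; skip others."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(4), int(m.group(5))

def distributed_scans(text, window=timedelta(minutes=5), min_sources=4):
    """Return {(proto, port): max unique sources seen in any window}
    for ports where that maximum reaches min_sources."""
    by_port = defaultdict(list)
    for ts, src, proto, port in parse(text):
        by_port[(proto, port)].append((ts, src))
    hits = {}
    for key, events in by_port.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({s for _, s in events[start:end + 1]}))
        if best >= min_sources:
            hits[key] = best
    return hits

if __name__ == "__main__":
    for (proto, port), n in distributed_scans(SAMPLE).items():
        print(f"{proto}/{port}: {n} unique sources within 5 minutes")
```

Counting unique sources rather than raw deny lines keeps a single noisy host that retries the same SYN from being mistaken for a distributed sweep.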