Port 445 scans in abundance (Linux Security forums, System Security and Security Related category)
Does anyone know if there is a new MS virus out there at the moment? Since 2 days ago, I have been noticing a steady increase in port 445 scans and it now looks like I'm getting 1 or more per minute. I've had to create a new IMAP folder in my email just to contain my portsentry reports, it's getting that annoying ;)

I have captured some of the traffic with ethereal, but I don't know what to do with it nor understand the output. If any of you have Windows machines on your network, you may have cause for concern if this is an outbreak of a new worm.

--
Jafar Calley
Producer - http://moonlife-records.com
--------------------------------------
See the latest Mars and Saturn images
http://fatcat.homelinux.org
jafar wrote:
> Does anyone know if there is a new MS virus out there at the moment? Since
> 2 days ago, I have been noticing a steady increase in port 445 scans and
> it now looks like I'm getting 1 or more per minute. I've had to create a
> new IMAP folder in my email just to contain my portsentry reports, it's
> getting that annoying ;)
> I have captured some of the traffic with ethereal, but I don't know what
> to do with it nor understand the output. If any of you have Windows
> machines on your network, you may have cause for concern if this is an
> outbreak of a new worm.

Nothing new here ... just SMB over TCP. While I'm not an enthralled (or even half-hearted) fan of Gibson, this should give you enough info to understand (with adequately over-heightened awareness) why you might be seeing scanning activity on this port and why it's nothing new.

http://grc.com/port_445.htm

That said, if anyone around here allows port 445 open through the firewall they need a lesson ;0

You can always google to see if something "new" is out-n-about. Port 445 will always be subject to hammering. Chances are some new script kiddie is running amok with a _very_ indiscriminate script/approach. Not even clear that scans like this indicate the person on the other end would know what to do if they hit "pay dirt".

Unless you have port 445 open on your LAN why think twice about it? In fact, even if you have it open on your LAN, why would you have an opening for it on your firewall?

If you've captured some packets, what can you tell from the source address? Is it spoofed? How can you tell? What are they looking for?

regards,
prg
On Sun, 03 Apr 2005 22:57:44 +0200, jafar wrote:
> Does anyone know if there is a new MS virus out there at the moment?

Maybe someone rechecking for Lioten, Randon, WORM_DELODER.A, W32/Deloder.A, W32.HLLW.Deloder, Sasser. The trend appears to be down.

http://isc.sans.org/port_details.php...cent=N&days=40
http://www.dshield.org//port_report....ays=40&Redraw=
On Sun, 03 Apr 2005 14:42:02 -0700, prg wrote:
> While I'm not an enthralled (or even half-hearted) fan of Gibson, this
> should give you enough info to understand (with adequately
> over-heightened awareness) why you might be seeing scanning activity on
> this port and why it's nothing new.
>
> http://grc.com/port_445.htm
>
> That said, if anyone around here allows port 445 open through the
> firewall they need a lesson ;0

My port 445 is closed but the scans are detected and the IPs blocked :)

> You can always google to see if something "new" is out-n-about. Port
> 445 will always be subject to hammering.

I did google, but nobody seemed to report anything unusual. I often caught port 445 scans before, just not on this scale.

> If you've captured some packets, what can you tell from the source
> address? Is it spoofed? How can you tell? What are they looking for?

The addresses are mostly from my ISP's IP range, but a few are coming from elsewhere. I don't know what they are looking for, but the gobbledygook from ethereal seems consistently the same. Are there any sites I can go to that help in deciphering ethereal logs?

Many thanks.

--
Jafar Calley
Producer - http://moonlife-records.com
--------------------------------------
See the latest Mars and Saturn images
http://fatcat.homelinux.org
On 2005-04-04, jafar <nooo@nospam.com> wrote:
> I did google, but nobody seemed to report anything unusual. I often caught
> port 445 scans before, just not on this scale.

It's quite likely that an IRC bot has gotten to the Windows machine on your ISP's network. They do this on my ISP's. For example, my ISP blocks all 135-139,445 traffic from *outside* their networks to and from the Net. But once you are inside, on the same subnet as the other machines, the block doesn't apply. So it's possible, for example, for me to connect to open ports of the various Windows machines on my ISP's subnet with Samba and learn some info about the systems there. Some of them even have shares open.

An IRC bot such as rBot comes along, from somewhere outside, like another ISP's network, and it tries to enter thru port 445. It's blocked. But it does have success with another open port on that same system, and now the system is infected (for example, say thru port 6129 with a Dameware exploit). Now, since the IRC bot is "inside" the subnet of this ISP, it's now free to attack at will, directly to the other machine's port 445.

The worst part is, Microsoft ships its OS's with all these useless services enabled and with these ports open by default. Since there is little (if any) logging in your typical Windows machine, one could, for example, mount a dictionary bruteforce against the Administrator account, guess at other users' passwords, or simply connect with a null session and maybe get lucky to find writable shares. All this activity shows up as a major increase in scanning and traffic for port 445 (and also the ports 135-139).

If you are brave, set up Samba and serve a few shares over the Internet. Watch the logs, and it won't be long before you see some activity. What you see might surprise you.

>> If you've captured some packets, what can you tell from the source
>> address? Is it spoofed? How can you tell? What are they looking for?

1. That the machine is likely infected ;)
2. They probably aren't spoofed, if it's from an automated attack.
3. I can't, but for some reason I've not heard much spoofing in this sort of attack.
4. To infect *your* machine...

--
MS09-99896 - Vulnerability in All MS Windows OS Using Windows Could Allow Remote Code Execution
"Microsoft finally admitted today that you just shouldn't use Windows for anything. Period."
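The questions prg raised earlier in the thread (what the source addresses tell you, whether they are spoofed, how to tell, how fast the scans arrive) can be answered from the firewall's own log rather than by staring at an ethereal dump. The script below is an added example, not code from anyone in this thread. It parses a few constructed iptables LOG lines (the kernel's `SRC=... DPT=... SYN` format), counts port 445 hits per source and per minute, checks whether each source sits inside a local/ISP prefix passed as an argument (the `10.20.30.0/23` range and the addresses are made up), and flags sources for which a bare ACK was logged, since a completed TCP handshake cannot come from a blindly spoofed address. SYN-only entries stay inconclusive, which matches the "probably aren't spoofed" answer above: the log can confirm a real source but cannot prove a forged one. Portsentry users would point `parse_iptables_log` at their own format and reuse `summarize_port` unchanged.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of iptables LOG lines (not from the thread). Syslog
# timestamps carry no year, so one is supplied to the parser below.
SAMPLE_LOG = """\
Apr  4 10:15:01 gw kernel: IN=eth0 OUT= SRC=10.20.30.40 DST=10.20.31.7 LEN=48 TTL=127 ID=1 DF PROTO=TCP SPT=3412 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Apr  4 10:15:02 gw kernel: IN=eth0 OUT= SRC=10.20.30.40 DST=10.20.31.7 LEN=40 TTL=127 ID=2 DF PROTO=TCP SPT=3412 DPT=445 WINDOW=17520 RES=0x00 ACK URGP=0
Apr  4 10:15:40 gw kernel: IN=eth0 OUT= SRC=10.20.30.41 DST=10.20.31.7 LEN=48 TTL=128 ID=9 DF PROTO=TCP SPT=1100 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Apr  4 10:16:12 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.20.31.7 LEN=48 TTL=51 ID=3 DF PROTO=TCP SPT=2222 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  4 10:16:30 gw kernel: IN=eth0 OUT= SRC=10.20.30.40 DST=10.20.31.7 LEN=48 TTL=127 ID=4 DF PROTO=TCP SPT=3500 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Apr  4 10:17:05 gw kernel: IN=eth0 OUT= SRC=10.20.30.40 DST=10.20.31.7 LEN=48 TTL=127 ID=5 DF PROTO=TCP SPT=3601 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_iptables_log(text, year=2005):
    """Turn iptables LOG lines into dicts: timestamp, src, dst, dport, TCP flags."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields, flags = {}, set()
        for tok in m.group("rest").split():
            if "=" in tok:            # key=value pairs such as SRC=, DPT=
                k, v = tok.split("=", 1)
                fields[k] = v
            elif tok in TCP_FLAGS:    # bare flag words between RES= and URGP=
                flags.add(tok)
        if fields.get("PROTO") != "TCP":
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "src": fields["SRC"], "dst": fields["DST"],
                       "dport": int(fields["DPT"]), "flags": flags})
    return events


def summarize_port(events, port, local_net):
    """Per-source counts, overall rate, and two quick checks for one destination port."""
    net = ipaddress.ip_network(local_net)
    hits = [e for e in events if e["dport"] == port]
    by_src = defaultdict(list)
    for e in hits:
        by_src[e["src"]].append(e)
    span = 0
    if hits:
        span = int((max(e["ts"] for e in hits) - min(e["ts"] for e in hits)).total_seconds())
    minutes = max(span / 60, 1.0)  # a sub-minute burst counts as one minute
    sources = {}
    for src, evs in by_src.items():
        sources[src] = {
            "count": len(evs),
            # Is the source inside the local/ISP range, as jafar observed?
            "from_local_net": ipaddress.ip_address(src) in net,
            # A bare ACK (no SYN) means the three-way handshake completed, which a
            # blindly spoofed source cannot do. SYN-only records prove nothing.
            "handshake_seen": any("ACK" in e["flags"] and "SYN" not in e["flags"] for e in evs),
        }
    return {"total": len(hits), "span_seconds": span,
            "per_minute": round(len(hits) / minutes, 2), "sources": sources}


if __name__ == "__main__":
    report = summarize_port(parse_iptables_log(SAMPLE_LOG), 445, "10.20.30.0/23")
    print(f"{report['total']} hits on port 445 in {report['span_seconds']} s "
          f"({report['per_minute']} per minute)")
    for src, info in sorted(report["sources"].items(), key=lambda kv: -kv[1]["count"]):
        print(f"  {src:16} {info['count']:3}  local={info['from_local_net']}  "
              f"handshake={info['handshake_seen']}")
```

Run it against `/var/log/messages` (or wherever your LOG target writes) instead of `SAMPLE_LOG`, with your ISP's prefix in place of the made-up one; the same split between "mostly local, a few from elsewhere" that jafar saw comes straight out of `from_local_net`, and a handful of local sources with high counts is the pattern the last reply describes.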