[Dshield] Port 445 Scans

White, Stacy SWhite at bainbridge.edu
Mon Sep 23 13:48:28 GMT 2002


Apparently there was a new hole discovered allowing SMB (again) to be
exploited. I have seen an unusually high increase in aggressive 445 & 139
scans.

Here is some info I received on it:

- The vulnerability being exploited may be the "Microsoft Network Share
Provider SMB Request Buffer Overflow Vulnerability", which exists in all
versions of MS Windows NT, 2000 and XP. You can read more about that
vulnerability at <http://online.securityfocus.com/bid/5556/info/>.
  *On that web page*, be sure to check out the "discussion", "exploit", and
"solution" tabs.

- The "SMBdie" exploit may be being utilized against this vulnerability.
You can read more about that exploit at
<http://www.der-keiler.de/Mailing-Lists/securityfocus/security-basics/2002-08/0885.html>
and at
<http://online.securityfocus.com/archive/88/290595/2002-09-08/2002-09-14/1>.
Microsoft has a security bulletin related to the problem at
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-045.asp>.
Apparently do not guarantee protection from this vulnerability.  NAI (and
possibly other antivirus vendors) released an update on 9/4/02 to protect
against the SMBdie exploit <http://vil.nai.com/vil/content/v_99659.htm>.

- TCP port 445 is scanned to find vulnerable systems.  You can use port
scanning software to check your own systems.  Several port scanning packages
are available for free and if your campus has an intrusion detection system
(IDS) you can watch port 445.  A free web based port scanning service that
will check ports that are commonly used for Windows vulnerabilities
(including port 445) can be found at <https://grc.com/x/ne.dll?bh0bkyd2>.
Other ports, such as TCP port 139, may be being scanned to find vulnerable
systems.  Systems have been compromised on networks that block port 139.
You can read more about exploits related to specific TCP ports at
<http://www.iss.net/security_center/advice/Exploits/Ports/>.

- The services.exe program may be being used (maybe trojanned, maybe
piggybacked) to carry out the exploit/infection.

- One apparently reliable symptom of the infection is the opening of TCP
ports in the 6666 through 6669 range on systems where those ports were not
open before.  You may see traffic flowing in or out of those ports after
infection.

- Other symptoms of infection may include the inability to launch regedit
and/or "Start->Search->For Files or Folders".


Stacy White
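The post suggests two defender-side checks: watch for aggressive TCP 445/139 sweeps at the perimeter or IDS, and look for TCP ports 6666 through 6669 that have newly opened on a host. The script below is an added example (not part of the original post or of any Dshield tooling) that does both against constructed sample data: it parses iptables-style firewall DROP lines and flags any source that probes at least five distinct hosts on the SMB ports within a five-minute window, and it diffs two `netstat -an`-style listings to report new LISTENING ports in the 6666-6669 range. The log format, the IP addresses, the thresholds and the netstat layout are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style firewall DROP lines (sample data, not from the post).
# 203.0.113.7 sweeps six hosts on 445/139 within seconds; 198.51.100.4 touches a
# single host on 445 and 139; 203.0.113.9 only probes port 80 and is ignored.
SAMPLE_LOG = """\
Sep 23 13:40:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3301 DPT=445
Sep 23 13:40:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=3302 DPT=445
Sep 23 13:40:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=3303 DPT=445
Sep 23 13:40:03 fw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=445
Sep 23 13:40:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=3304 DPT=445
Sep 23 13:40:04 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.14 PROTO=TCP SPT=3305 DPT=139
Sep 23 13:40:04 fw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=1026 DPT=139
Sep 23 13:40:05 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.15 PROTO=TCP SPT=3306 DPT=445
Sep 23 13:40:05 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=2001 DPT=80
Sep 23 13:40:06 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.21 PROTO=TCP SPT=2002 DPT=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP .*?DPT=(?P<dport>\d+)"
)


def parse_line(line, year=2002):
    """Return (timestamp, src, dst, dport) for a TCP drop line, else None.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_smb_scanners(log_text, ports=(445, 139), min_targets=5,
                      window=timedelta(minutes=5)):
    """Map each source that probed >= min_targets distinct hosts on the SMB
    ports inside some `window` to the largest such count. Counting distinct
    targets (not packets) separates a sweep from one host retrying."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] in ports:
            ts, src, dst, _ = parsed
            events[src].append((ts, dst))
    scanners = {}
    for src, hits in events.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):
            seen = {dst for ts, dst in hits[i:] if ts - start <= window}
            best = max(best, len(seen))
        if best >= min_targets:
            scanners[src] = best
    return scanners


# Constructed Windows `netstat -an`-style listings: a known-good baseline and a
# later snapshot where port 6667 has appeared as a listener.
BASELINE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
"""
CURRENT_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:6667        203.0.113.7:1044       ESTABLISHED
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def listening_ports(netstat_text):
    """Set of local TCP ports in LISTENING state in a netstat listing."""
    return {int(m.group(1)) for line in netstat_text.splitlines()
            if (m := LISTEN_RE.match(line))}


def new_listeners_in_range(baseline_text, current_text, low=6666, high=6669):
    """Ports in [low, high] that listen now but did not in the baseline."""
    new = listening_ports(current_text) - listening_ports(baseline_text)
    return sorted(p for p in new if low <= p <= high)


if __name__ == "__main__":
    print("SMB sweep sources:", find_smb_scanners(SAMPLE_LOG))
    print("new 6666-6669 listeners:",
          new_listeners_in_range(BASELINE_NETSTAT, CURRENT_NETSTAT))
```

Run against real data, replace `SAMPLE_LOG` with your firewall or IDS drop log and the two netstat strings with a saved pre-incident listing and a fresh one; the thresholds are starting points to tune against normal traffic on your own network.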

